[krbdev.mit.edu #5840] Prevent kadm5_decrypt_key() from coercing the keytype if the requested ktype == -1
Jeffrey Altman via RT
rt-comment at krbdev.mit.edu
Fri Nov 9 15:48:19 EST 2007
Tom Yu via RT wrote:
>>>>>> "jaltman" == Jeffrey Altman via RT <rt-comment at krbdev.mit.edu> writes:
>
> jaltman> + if (ktype == -1)
> jaltman> + keyblock->enctype = ktype;
>
> Isn't this backwards if you want -1 to mean the enctype doesn't get
> coerced?
>
You are correct. I manually copied the patch backward. The problem
with manually pulling patches by eyeballing them from other systems.
Corrected patch:
Index: svr_principal.c
===================================================================
--- svr_principal.c (revision 20163)
+++ svr_principal.c (working copy)
@@ -2156,7 +2156,8 @@
* inexact match on the enctype; this behavior will go away when
* the key storage architecture gets redesigned for 1.3.
*/
- keyblock->enctype = ktype;
+ if (ktype != -1)
+ keyblock->enctype = ktype;
if (kvnop)
*kvnop = key_data->key_data_kvno;
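Review bot: the comment kept as context above the new `if (ktype != -1)` test still describes only the inexact-match coercion and does not say that -1 is now a sentinel meaning "do not coerce". Suggest extending that comment to state that when ktype is -1, keyblock->enctype keeps whatever value it already had, so callers know not to expect the requested ktype there. A named constant in place of the bare -1 literal, if one is available, would also make the intent clearer at the call sites.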