Treat LDAP KrbKey salt field as optional

Per the ASN.1 definition, the KrbKey salt field is optional. Since 1.7, we have been treating it as mandatory in the encoder; since 1.11, we have been treating it as mandatory in the decoder. Mostly by luck, we have been encoding a salt type of 0 when key_data_ver is 1, but we really should not be looking at key_data_type[1] or key_data_length[1] in this situation. Treat the salt field as optional in the encoder and decoder. Although the previous commit ensures that we continue to always encode a salt (without any dangerous assumptions about krb5_key_data constructors), this change will allow us to decode key data encoded by 1.6 without salt fields.

This also fixes issue #7918, by properly setting key_data_ver to 2 if a salt type but no salt value is present. It is difficult to get the decoder to actually assign 2 to key_data_ver just because the salt field is there, so take care of that in asn1_decode_sequence_of_keys.

Adjust kdbtest.c to match the new behavior by setting key_data_ver to 2 in both test keys.

(cherry picked from commit fb5cd8df0dbd04dac4f610e68cba5b80a3cb8d48)

https://github.com/krb5/krb5/commit/cd957d3f62623168bcde3d66633f3d2fd4e775ba
Author: Greg Hudson
Committer: Tom Yu
Commit: cd957d3f62623168bcde3d66633f3d2fd4e775ba
Branch: krb5-1.12

 src/lib/krb5/asn.1/ldap_key_seq.c                  | 19 ++++++++++++++++---
 src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c |  6 ++++--
 src/tests/kdbtest.c                                |  2 +-
 3 files changed, 21 insertions(+), 6 deletions(-)