Ken Raeburn via RT wrote:
> On Nov 9, 2007, at 15:14, Jeffrey Altman via RT wrote:
>> Please review this patch to kadm5_decrypt_key(). This patch prevents
>> the returned keyblock's enctype from being coerced to the requested
>> 'ktype' if the requested 'ktype' == -1. A ktype of -1 is to be
>> ignored.
>
> Is the use of -1 here something that is already happening elsewhere,
> or something you're adding? I thought we had 0 as the magic enctype
> value elsewhere, maybe I'm wrong.
>
> Ken

Please read the comment at the top of the function. -1 means that the
ktype value should be ignored when searching for the correct keyblock
entry.