Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83])
    by krbdev.mit.edu (8.9.3) with ESMTP id JAA08433; Mon, 30 Sep 2002 09:07:40 -0400 (EDT)
Received: from nwkea-mail-1.sun.com (nwkea-mail-1.sun.com [192.18.42.13])
    by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id JAA08018; Mon, 30 Sep 2002 09:07:38 -0400 (EDT)
Received: from jurassic.eng.sun.com ([129.146.17.55])
    by nwkea-mail-1.sun.com (8.9.3+Sun/8.9.3) with ESMTP id GAA10546; Mon, 30 Sep 2002 06:07:37 -0700 (PDT)
Received: from sun.com (vpn-129-148-154-51.East.Sun.COM [129.148.154.51])
    by jurassic.eng.sun.com (8.12.6+Sun/8.12.6) with ESMTP id g8UD7ZdZ142013; Mon, 30 Sep 2002 06:07:36 -0700 (PDT)
Message-Id: <3D984C97.6060307@sun.com>
Date: Mon, 30 Sep 2002 09:07:35 -0400
From: Wyllys Ingersoll
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.1) Gecko/20020827
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: krbdev@mit.edu, krb5-bugs@mit.edu
Subject: keytab file entry comparison problem
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-RT-Original-Encoding: us-ascii
Content-Length: 1649

In ktf_g_ent.c, the code does a loop where it reads entries from the keytab file and compares to match up with a specified principal, kvno, and enctype.

routine: krb5_ktfile_get_entry()

I have a situation where my keytab file contains keys for the local host from 3 different realms. One of my realms does not have 3DES key support but the others do. When trying to find a match for the realm which does NOT support 3DES keys, this function always returns a "bad encryption type" error because keys from the *other* realms have 3DES keys.

The problem is that this routine checks the enctype before it checks to see if the principals or realms match.
I think this is incorrect: if the key we are searching for is in realm FOO.COM (enctype 1), and the search routine comes across an entry for BAR.COM (enctype 16), it should not even bother looking at the enctype because this key is not of interest.

The fix is to compare principals before comparing enctypes. See below (I just moved the principal compare function ahead of the enctype comparison):

ktf_g_ent.c 69a70,76 > /* if the principal isn't the one requested, free new_entry > and continue to the next. */ > if (!krb5_principal_compare(context, principal, new_entry.principal)) { > krb5_kt_free_entry(context, &new_entry); > continue; > } > 72d78 < 95,102d100 < /* if the principal isn't the one requested, free new_entry < and continue to the next. */ < < if (!krb5_principal_compare(context, principal, new_entry.principal)) { < krb5_kt_free_entry(context, &new_entry); < continue; < } <

-Wyllys Ingersoll
Sun Microsystems, Inc
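Review bot: the comment carried with the moved block at 69a70,76 should say why the principal comparison has to sit ahead of the enctype comparison. The ordering is the whole fix, but the comment text ("if the principal isn't the one requested, free new_entry and continue to the next") is unchanged from the copy removed at 95,102d100, so a later reorder could bring back the "bad encryption type" result for keytabs that hold other realms' keys without anyone noticing. The patch is also a normal diff with no context lines, file path or revision, which makes it hard to check against a different copy of ktf_g_ent.c; a unified diff would be easier to review, and a test keytab with entries from two realms and different enctypes would pin the behaviour.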
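The check-ordering problem described in the message, as an added model that is not code from the post or from MIT krb5: the entry struct, result codes and `kt_lookup` are hypothetical, the keytab contents are constructed, and the model assumes the enctype check aborts the scan when it meets an enctype it cannot handle.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes and entry layout, for this model only. */
enum { KT_OK, KT_NOT_FOUND, KT_BAD_ENCTYPE };
struct kt_entry { const char *principal; int kvno; int enctype; };

/* Constructed sample keytab: host keys for one machine in three realms. */
static const struct kt_entry sample_keytab[] = {
    { "host/box@BAR.COM", 1, 16 },
    { "host/box@BAZ.COM", 1, 16 },
    { "host/box@FOO.COM", 1, 1  },
};
#define SAMPLE_LEN (sizeof sample_keytab / sizeof sample_keytab[0])

/* Assumption: the enctype check fails hard on an enctype it cannot handle
   (here anything other than 1) instead of reporting "no match". */
static int enctype_matches(int want, int have, int *match)
{
    if (have != 1) return KT_BAD_ENCTYPE;
    *match = (want == have);
    return KT_OK;
}

/* principal_first == 0: enctype is checked before the principal (reported order).
   principal_first != 0: entries for other principals are skipped first. */
int kt_lookup(const struct kt_entry *kt, size_t n, const char *principal,
              int kvno, int enctype, int principal_first, size_t *found)
{
    for (size_t i = 0; i < n; i++) {
        int match, rc;
        if (principal_first && strcmp(kt[i].principal, principal) != 0)
            continue;               /* not our key: never look at its enctype */
        if ((rc = enctype_matches(enctype, kt[i].enctype, &match)) != KT_OK)
            return rc;              /* scan aborted by this entry's enctype */
        if (!match || strcmp(kt[i].principal, principal) != 0 || kt[i].kvno != kvno)
            continue;
        *found = i;
        return KT_OK;
    }
    return KT_NOT_FOUND;
}

int main(void)
{
    size_t idx = 0;
    int before = kt_lookup(sample_keytab, SAMPLE_LEN, "host/box@FOO.COM", 1, 1, 0, &idx);
    int after = kt_lookup(sample_keytab, SAMPLE_LEN, "host/box@FOO.COM", 1, 1, 1, &idx);
    printf("enctype first: rc=%d; principal first: rc=%d, entry %zu\n", before, after, idx);
    return 0;
}
```

With the principal check first, an unsupported enctype still surfaces as an error when it belongs to the requested principal, which is the case where that error is meaningful.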