From: Tom Yu Date: Mon, 7 Dec 2009 15:30:37 +0000 (+0000) Subject: handle negative enctypes better X-Git-Tag: krb5-1.8-alpha1~81 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=741938feb12538b659a36d7e0329efe6a5550669;p=krb5.git handle negative enctypes better krb5_dbe_def_search_enctype and krb5int_parse_enctype_list were making assumptions that enctype numbers are positive. Potentially more code makes this assumption, but these appear to be the major ones. ticket: 6592 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23454 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c index 81c70f36c..ea24d36fd 100644 --- a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c @@ -98,7 +98,7 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap) } - if (ktype > 0) { + if (ktype != -1) { if ((ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype, dbentp->key_data[i].key_data_type[0], &similar))) @@ -106,7 +106,7 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap) return(ret); } - if (((ktype <= 0) || similar) && + if (((ktype == -1) || similar) && ((db_stype == stype) || (stype < 0))) { if (kvno >= 0) { if (kvno == dbentp->key_data[i].key_data_kvno) { diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c index 8667897b9..466f5b302 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -61,7 +61,8 @@ #include "../krb5_libinit.h" #endif -/* This must be the largest enctype value defined in krb5.h. */ +/* This must be the largest enctype value defined in krb5.h, plus the number of + * enctypes with negative numbers. */ #define MAX_ENCTYPE ENCTYPE_ARCFOUR_HMAC_EXP /* The des-mdX entries are last for now, because it's easy to 
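Review bot: In src/lib/kdb/kdb_default.c the wildcard test for `ktype` becomes the bare literal `-1` in both hunks (`if (ktype != -1)` and `(ktype == -1) || similar`), and nothing in the visible lines says that -1 is the "match any enctype" sentinel. Callers that passed 0 or another non-positive value to mean "any" used to take the wildcard branch; they now reach `krb5_c_enctype_compare`, and a non-zero return there ends the key search through `return(ret)`, so those call sites need an audit. A comment above the first test would record the contract: `/* ktype == -1 matches any enctype; every other value, negative ones included, is compared as a real enctype. */`. The body of krb5_dbe_def_search_enctype starts and ends outside these hunks, so any earlier normalisation of `ktype` is not visible here.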
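Review bot: The rewritten comment in src/lib/krb5/krb/init_ctx.c now requires MAX_ENCTYPE to be the largest enctype value plus the number of negative enctypes, but the context line below it still reads `#define MAX_ENCTYPE ENCTYPE_ARCFOUR_HMAC_EXP`, so the comment and the definition disagree. If MAX_ENCTYPE also bounds the enctype list that mod_list fills, that bound matters more now that the later hunk at -357 drops the `etype > 0` check. The list's allocation is not visible in either hunk, so the capacity should be stated explicitly, for example through a separate constant whose comment says how many negative enctypes it reserves room for. As written, a reader cannot tell whether the current value leaves enough headroom.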
@@ -357,7 +358,7 @@ mod_list(krb5_enctype etype, krb5_boolean add, krb5_boolean allow_weak, { unsigned int i; - assert(etype > 0 && etype <= MAX_ENCTYPE); + assert(etype <= MAX_ENCTYPE); if (!allow_weak && krb5int_c_weak_enctype(etype)) return; for (i = 0; i < *count; i++) {
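Review bot: With the lower bound removed, `assert(etype <= MAX_ENCTYPE);` in mod_list accepts every negative integer, not only the negative enctype numbers that are actually defined, and the line gives no reason for the one-sided check. A short comment would keep a later reader from restoring the old test: `/* Negative enctype numbers are valid; only the upper bound is checked here. */`. Because this is an assert, builds with NDEBUG perform no range check at all, so the comment should also say whether callers are expected to validate `etype` before calling. mod_list continues past the end of the hunk, so the append path is not visible here.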