From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 29 Jan 2025 05:22:57 +0000 (-0500)
Subject: Allow only one salt type per enctype in key data
X-Git-Tag: krb5-1.22-beta1~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=367ccd2fcf8b4adb82bfc7ef9b5f04ff94f80326;p=thirdparty%2Fkrb5.git

Allow only one salt type per enctype in key data

In the default libkdb5 password change method, omit requested key/salt
combinations that duplicate an earlier encryption type, even if they
have a different salt type.  Any use cases for multiple salts for the
same enctype disappeared with single-DES support.  (We already have
this behavior for chrand requests.)

ticket: 9160 (new)
---

diff --git a/src/lib/kdb/kdb_cpw.c b/src/lib/kdb/kdb_cpw.c
index c33c7cf8d0..8b012e19ef 100644
--- a/src/lib/kdb/kdb_cpw.c
+++ b/src/lib/kdb/kdb_cpw.c
@@ -264,8 +264,7 @@ add_key_pwd(krb5_context context, krb5_keyblock *master_key,
                                                  &similar)))
                 return(retval);
 
-            if (similar &&
-                (ks_tuple[j].ks_salttype == ks_tuple[i].ks_salttype))
+            if (similar)
                 break;
         }