From 7a89f14aa5d1cc2d6b751cd8812c16d72a543d4f Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 15 Dec 2011 12:29:01 +1100
Subject: [PATCH] Revert "make paranoia check less paranoid" - check that key
 types strictly match

This reverts commit c25af51232616061bb08eea86aae595b4f029490 because
otherwise we could attempt to check a CKSUMTYPE_HMAC_SHA1_96_AES_256 key with a
KRB5_ENCTYPE_ARCFOUR_HMAC_MD5 key.

Andrew Bartlett

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
---
 lib/krb5/crypto.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c
index 4b907c86b..c91e12572 100644
--- a/lib/krb5/crypto.c
+++ b/lib/krb5/crypto.c
@@ -467,7 +467,7 @@ verify_checksum(krb5_context context,
 	    return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
 	}
 	kct = crypto->et->keyed_checksum;
-	if (kct != NULL && kct->type != ct->type) {
+	if (kct == NULL || kct->type != ct->type) {
 	    krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
 				   N_("Checksum type %s is keyed, but "
 				      "the key type %s passed didnt have that checksum "