diff -Naurp krb5-1.9.1/src/kdc/kdc_preauth.c krb5-1.9.1.oden/src/kdc/kdc_preauth.c --- krb5-1.9.1/src/kdc/kdc_preauth.c 2010-11-01 19:49:36.000000000 +0000 +++ krb5-1.9.1.oden/src/kdc/kdc_preauth.c 2012-08-01 09:43:19.000000000 +0000 @@ -1562,7 +1562,8 @@ etype_info_helper(krb5_context context, continue; } - if (request_contains_enctype(context, request, db_etype)) { + if (krb5_is_permitted_enctype(context, db_etype) && + request_contains_enctype(context, request, db_etype)) { retval = _make_etype_info_entry(context, client->princ, client_key, db_etype, &entry[i], etype_info2); diff -Naurp krb5-1.9.1/src/kdc/kdc_util.c krb5-1.9.1.oden/src/kdc/kdc_util.c --- krb5-1.9.1/src/kdc/kdc_util.c 2010-12-01 21:37:25.000000000 +0000 +++ krb5-1.9.1.oden/src/kdc/kdc_util.c 2012-08-01 09:43:19.000000000 +0000 @@ -2465,6 +2465,7 @@ kdc_handle_protected_negotiation(krb5_da return 0; pa.magic = KV5M_PA_DATA; pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP; + memset(&checksum, 0, sizeof(checksum)); retval = krb5_c_make_checksum(kdc_context,0, reply_key, KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum); if (retval != 0) diff -Naurp krb5-1.9.1/src/lib/kdb/kdb_default.c krb5-1.9.1.oden/src/lib/kdb/kdb_default.c --- krb5-1.9.1/src/lib/kdb/kdb_default.c 2010-09-28 19:09:11.000000000 +0000 +++ krb5-1.9.1.oden/src/lib/kdb/kdb_default.c 2012-08-01 09:43:19.000000000 +0000 @@ -64,6 +64,9 @@ krb5_dbe_def_search_enctype(kcontext, db krb5_boolean saw_non_permitted = FALSE; ret = 0; + if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype)) + return KRB5_KDB_NO_PERMITTED_KEY; + if (kvno == -1 && stype == -1 && ktype == -1) kvno = 0;