diff --git a/Fix-kadmin-addprinc-randkey-kvno.patch b/Fix-kadmin-addprinc-randkey-kvno.patch new file mode 100644 index 0000000..8ddeba7 --- /dev/null +++ b/Fix-kadmin-addprinc-randkey-kvno.patch @@ -0,0 +1,45 @@ +From 2c0d9a91c34f315f860fc857dd84863d048b6105 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Sat, 16 Nov 2019 19:54:51 -0500 +Subject: [PATCH] Fix kadmin addprinc -randkey -kvno + +Commit f07bca9fc94a5cf2e3c0f58226c7973a4b86b7a9 made addprinc -randkey +use a single RPC request, but the server-side handling always creates +the random keys with kvno 1. If a kvno is specified in the RPC +request, set the kvno of the key data after creating it. Reported by +Andreas Ladanyi. + +ticket: 8848 +tags: pullup +target_version: 1.17-next +target_version: 1.16-next + +(cherry picked from commit 462e85208d57b8d4120c99e801fbd156b9ccf16f) +--- + src/lib/kadm5/srv/svr_principal.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c +index 48cac0c11..a1ecdbfc4 100644 +--- a/src/lib/kadm5/srv/svr_principal.c ++++ b/src/lib/kadm5/srv/svr_principal.c +@@ -302,7 +302,7 @@ kadm5_create_principal_3(void *server_handle, + kadm5_server_handle_t handle = server_handle; + krb5_keyblock *act_mkey; + krb5_kvno act_kvno; +- int new_n_ks_tuple = 0; ++ int new_n_ks_tuple = 0, i; + krb5_key_salt_tuple *new_ks_tuple = NULL; + + CHECK_HANDLE(server_handle); +@@ -468,6 +468,10 @@ kadm5_create_principal_3(void *server_handle, + /* Null password means create with random key (new in 1.8). */ + ret = krb5_dbe_crk(handle->context, &master_keyblock, + new_ks_tuple, new_n_ks_tuple, FALSE, kdb); ++ if (mask & KADM5_KVNO) { ++ for (i = 0; i < kdb->n_key_data; i++) ++ kdb->key_data[i].key_data_kvno = entry->kvno; ++ } + } + if (ret) + goto cleanup; diff --git a/krb5.spec b/krb5.spec index a0c1eac..90dc0fc 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.17 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 48%{?dist} +Release: 49%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz @@ -128,6 +128,7 @@ Patch167: Fix-minor-errors-in-softpkcs11.patch Patch168: Update-test-suite-cert-message-digest-to-sha256.patch Patch169: Use-backported-version-of-OpenSSL-3-KDF-interface.patch Patch170: krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch +Patch171: Fix-kadmin-addprinc-randkey-kvno.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -736,6 +737,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Wed Nov 20 2019 Robbie Harwood - 1.17-49 +- Fix kadmin addprinc -randkey -kvno + * Tue Nov 19 2019 Robbie Harwood - 1.17-48 - Use OpenSSL's backported KDFs - Restore MD4 in FIPS mode (for samba)