From 4b8056ef0872ea65404ccd362a646501ed88a3d1 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Wed, 20 Nov 2019 14:16:04 -0500
Subject: [PATCH] Fix kadmin addprinc -randkey -kvno
---
 Fix-kadmin-addprinc-randkey-kvno.patch | 45 ++++++++++++++++++++++++++
 krb5.spec | 6 +++-
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 Fix-kadmin-addprinc-randkey-kvno.patch
diff --git a/Fix-kadmin-addprinc-randkey-kvno.patch b/Fix-kadmin-addprinc-randkey-kvno.patch
new file mode 100644
index 0000000..8ddeba7
--- /dev/null
+++ b/Fix-kadmin-addprinc-randkey-kvno.patch
@@ -0,0 +1,45 @@
+From 2c0d9a91c34f315f860fc857dd84863d048b6105 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Sat, 16 Nov 2019 19:54:51 -0500
+Subject: [PATCH] Fix kadmin addprinc -randkey -kvno
+
+Commit f07bca9fc94a5cf2e3c0f58226c7973a4b86b7a9 made addprinc -randkey
+use a single RPC request, but the server-side handling always creates
+the random keys with kvno 1. If a kvno is specified in the RPC
+request, set the kvno of the key data after creating it. Reported by
+Andreas Ladanyi.
+
+ticket: 8848
+tags: pullup
+target_version: 1.17-next
+target_version: 1.16-next
+
+(cherry picked from commit 462e85208d57b8d4120c99e801fbd156b9ccf16f)
+---
+ src/lib/kadm5/srv/svr_principal.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
+index 48cac0c11..a1ecdbfc4 100644
+--- a/src/lib/kadm5/srv/svr_principal.c
++++ b/src/lib/kadm5/srv/svr_principal.c
+@@ -302,7 +302,7 @@ kadm5_create_principal_3(void *server_handle,
+ kadm5_server_handle_t handle = server_handle;
+ krb5_keyblock *act_mkey;
+ krb5_kvno act_kvno;
+- int new_n_ks_tuple = 0;
++ int new_n_ks_tuple = 0, i;
+ krb5_key_salt_tuple *new_ks_tuple = NULL;
+
+ CHECK_HANDLE(server_handle);
+@@ -468,6 +468,10 @@ kadm5_create_principal_3(void *server_handle,
+ /* Null password means create with random key (new in 1.8). */
+ ret = krb5_dbe_crk(handle->context, &master_keyblock,
+ new_ks_tuple, new_n_ks_tuple, FALSE, kdb);
++ if (mask & KADM5_KVNO) {
++ for (i = 0; i < kdb->n_key_data; i++)
++ kdb->key_data[i].key_data_kvno = entry->kvno;
++ }
+ }
+ if (ret)
+ goto cleanup;
diff --git a/krb5.spec b/krb5.spec
index a0c1eac..90dc0fc 100644
--- a/krb5.spec
+++ b/krb5.spec
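Review bot: In the second hunk of the embedded svr_principal.c patch, the new `kdb->key_data[i].key_data_kvno = entry->kvno;` loop carries no comment explaining why the kvno is rewritten right after krb5_dbe_crk(); that reasoning lives only in the commit message. A one-line comment above the `if (mask & KADM5_KVNO)` would help the next reader, e.g. `/* krb5_dbe_crk() assigns kvno 1; apply the caller's requested kvno instead. */`. entry->kvno arrives in the RPC request, and key_data_kvno appears to be a narrower type than krb5_kvno in the kdb entry (inferred, the struct definitions are not in the hunk); if so, the assignment truncates silently, so a range check or an explicit cast at this point is worth confirming. kadm5_create_principal_3 starts and ends outside the hunk.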
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.17
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 48%{?dist}
+Release: 49%{?dist}
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@@ -128,6 +128,7 @@ Patch167: Fix-minor-errors-in-softpkcs11.patch
 Patch168: Update-test-suite-cert-message-digest-to-sha256.patch
 Patch169: Use-backported-version-of-OpenSSL-3-KDF-interface.patch
 Patch170: krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
+Patch171: Fix-kadmin-addprinc-randkey-kvno.patch
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -736,6 +737,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Wed Nov 20 2019 Robbie Harwood - 1.17-49
+- Fix kadmin addprinc -randkey -kvno
+
 * Tue Nov 19 2019 Robbie Harwood - 1.17-48
 - Use OpenSSL's backported KDFs
 - Restore MD4 in FIPS mode (for samba)