From b1b925635d7bbaa915961f9ae7e8c2535e591125 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Wed, 15 Jul 2020 16:30:20 -0400
Subject: [PATCH] Ignore bad enctypes in krb5_string_to_keysalts()
---
 ...-enctypes-in-krb5_string_to_keysalts.patch | 31 +++++++++++++++++++
 krb5.spec | 6 +++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
diff --git a/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch b/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
new file mode 100644
index 0000000..9b80631
--- /dev/null
+++ b/Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
@@ -0,0 +1,31 @@
+From f9c314847c999727679a9e8ad4fb565001e47fd2 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Wed, 15 Jul 2020 15:42:20 -0400
+Subject: [PATCH] Ignore bad enctypes in krb5_string_to_keysalts()
+
+Fixes a problem where the presence of legacy/unrecognized keysalts in
+supported_enctypes would prevent the kadmin programs from starting.
+
+(cherry picked from commit 860b411d441e4a486f6714762605c42997b8946a)
+---
+ src/lib/kadm5/str_conv.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/kadm5/str_conv.c b/src/lib/kadm5/str_conv.c
+index 7cf51d316..0abfa845c 100644
+--- a/src/lib/kadm5/str_conv.c
++++ b/src/lib/kadm5/str_conv.c
+@@ -340,9 +340,10 @@ krb5_string_to_keysalts(const char *string, const char *tupleseps,
+ while ((ksp = strtok_r(p, tseps, &tlasts)) != NULL) {
+ /* Pass a null pointer to subsequent calls to strtok_r(). */
+ p = NULL;
+- ret = string_to_keysalt(ksp, ksaltseps, &etype, &stype);
+- if (ret)
+- goto cleanup;
++
++ /* Discard unrecognized keysalts. */
++ if (string_to_keysalt(ksp, ksaltseps, &etype, &stype))
++ continue;
+
+ /* Ignore duplicate keysalts if caller asks. */
+ if (!dups && krb5_keysalt_is_present(ksalts, nksalts, etype, stype))
diff --git a/krb5.spec b/krb5.spec
index 3a67ce4..013c443 100644
--- a/krb5.spec
+++ b/krb5.spec
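Review bot: The new `continue` on a failed string_to_keysalt() in the str_conv.c hunk drops an unparseable keysalt with no diagnostic, so a misspelled entry in supported_enctypes can no longer be told apart from a legacy one. If the misspelled entry was the strongest enctype, the list that comes back holds only whatever else parsed, possibly weaker types or nothing at all, and the hunk does not show whether an empty result is rejected after the loop. I would extend the comment to `/* Discard unrecognized keysalts; a typo is dropped silently, so callers must check for an empty list. */` and, if nothing downstream already does so, report or reject a list that ends up empty. krb5_string_to_keysalts() starts and ends outside the hunk, so the handling after the loop (including any later use of `ret`, which this call no longer assigns) needs checking against the full function.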
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18.2
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 10%{?dist}
+Release: 11%{?dist}
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -68,6 +68,7 @@ Patch29: Add-client_aware_channel_bindings-option.patch
 Patch30: Pass-channel-bindings-through-SPNEGO.patch
 Patch31: Add-channel-bindings-tests.patch
 Patch32: Use-two-queues-for-concurrent-t_otp.py-daemons.patch
+Patch33: Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -622,6 +623,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Wed Jul 15 2020 Robbie Harwood - 1.18.2-11
+- Ignore bad enctypes in krb5_string_to_keysalts()
+
 * Wed Jul 08 2020 Robbie Harwood - 1.18.2-10
 - Set qualify_shortname empty in default configuration
 - Resolves: #1852041