[people/ms/ipfire-3.x.git] / krb5 / patches / krb5-trunk-7048.patch

commit 1c2f5144de0f15f7d9c8659a71adc10c2755b57e
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Wed Dec 7 19:38:32 2011 +0000

    ticket: 7048
    subject: Allow null server key to krb5_pac_verify
    
    When the KDC verifies a PAC, it doesn't really need to check the
    server signature, since it can't trust that anyway.  Allow the caller
    to pass only a TGT key.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index f3d0225..83c2dc7 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -7506,13 +7506,13 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
  * @param [in] pac              PAC handle
  * @param [in] authtime         Expected timestamp
  * @param [in] principal        Expected principal name (or NULL)
- * @param [in] server           Key to validate server checksum
+ * @param [in] server           Key to validate server checksum (or NULL)
  * @param [in] privsvr          Key to validate KDC checksum (or NULL)
  *
  * This function validates @a pac against the supplied @a server, @a privsvr,
  * @a principal and @a authtime.  If @a principal is NULL, the principal and
- * authtime are not verified.  If @a privsvr is NULL, the KDC checksum is not
- * verified.
+ * authtime are not verified.  If @a server or @a privsvr is NULL, the
+ * corresponding checksum is not verified.
  *
  * If successful, @a pac is marked as verified.
  *
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index f173b04..23aa930 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -637,9 +637,11 @@ krb5_pac_verify(krb5_context context,
     if (server == NULL)
         return EINVAL;
 
-    ret = k5_pac_verify_server_checksum(context, pac, server);
-    if (ret != 0)
-        return ret;
+    if (server != NULL) {
+        ret = k5_pac_verify_server_checksum(context, pac, server);
+        if (ret != 0)
+            return ret;
+    }
 
     if (privsvr != NULL) {
         ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);

commit e31486a84380647e49ba6199a3e10ac739fa1a45
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Thu Dec 8 04:21:23 2011 +0000

    ticket: 7048
    
    Actually allow null server key in krb5_pac_verify
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 23aa930..3262d21 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -634,9 +634,6 @@ krb5_pac_verify(krb5_context context,
 {
     krb5_error_code ret;
 
-    if (server == NULL)
-        return EINVAL;
-
     if (server != NULL) {
         ret = k5_pac_verify_server_checksum(context, pac, server);
         if (ret != 0)
Commit	Line	Data
6cf77d05 SS	1	commit 1c2f5144de0f15f7d9c8659a71adc10c2755b57e
	2	Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
	3	Date: Wed Dec 7 19:38:32 2011 +0000
	4
	5	ticket: 7048
	6	subject: Allow null server key to krb5_pac_verify
	7
	8	When the KDC verifies a PAC, it doesn't really need to check the
	9	server signature, since it can't trust that anyway. Allow the caller
	10	to pass only a TGT key.
	11
	12	git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970
	13
	14	diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
	15	index f3d0225..83c2dc7 100644
	16	--- a/src/include/krb5/krb5.hin
	17	+++ b/src/include/krb5/krb5.hin
	18	@@ -7506,13 +7506,13 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
	19	* @param [in] pac PAC handle
	20	* @param [in] authtime Expected timestamp
	21	* @param [in] principal Expected principal name (or NULL)
	22	- * @param [in] server Key to validate server checksum
	23	+ * @param [in] server Key to validate server checksum (or NULL)
	24	* @param [in] privsvr Key to validate KDC checksum (or NULL)
	25	*
	26	* This function validates @a pac against the supplied @a server, @a privsvr,
	27	* @a principal and @a authtime. If @a principal is NULL, the principal and
	28	- * authtime are not verified. If @a privsvr is NULL, the KDC checksum is not
	29	- * verified.
	30	+ * authtime are not verified. If @a server or @a privsvr is NULL, the
	31	+ * corresponding checksum is not verified.
	32	*
	33	* If successful, @a pac is marked as verified.
	34	*
	35	diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
	36	index f173b04..23aa930 100644
	37	--- a/src/lib/krb5/krb/pac.c
	38	+++ b/src/lib/krb5/krb/pac.c
	39	@@ -637,9 +637,11 @@ krb5_pac_verify(krb5_context context,
	40	if (server == NULL)
	41	return EINVAL;
	42
	43	- ret = k5_pac_verify_server_checksum(context, pac, server);
	44	- if (ret != 0)
	45	- return ret;
	46	+ if (server != NULL) {
	47	+ ret = k5_pac_verify_server_checksum(context, pac, server);
	48	+ if (ret != 0)
	49	+ return ret;
	50	+ }
	51
	52	if (privsvr != NULL) {
	53	ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
	54
	55	commit e31486a84380647e49ba6199a3e10ac739fa1a45
	56	Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
	57	Date: Thu Dec 8 04:21:23 2011 +0000
	58
	59	ticket: 7048
	60
	61	Actually allow null server key in krb5_pac_verify
	62
	63	git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970
	64
65	diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
66	index 23aa930..3262d21 100644
67	--- a/src/lib/krb5/krb/pac.c
68	+++ b/src/lib/krb5/krb/pac.c
69	@@ -634,9 +634,6 @@ krb5_pac_verify(krb5_context context,
70	{
71	krb5_error_code ret;
72
73	- if (server == NULL)
74	- return EINVAL;
75	-
76	if (server != NULL) {
77	ret = k5_pac_verify_server_checksum(context, pac, server);
78	if (ret != 0)