krb5/patches/krb5-trunk-7048.patch

   1 commit 1c2f5144de0f15f7d9c8659a71adc10c2755b57e
   2 Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
   3 Date:   Wed Dec 7 19:38:32 2011 +0000
   4
   5     ticket: 7048
   6     subject: Allow null server key to krb5_pac_verify
   7
   8     When the KDC verifies a PAC, it doesn't really need to check the
   9     server signature, since it can't trust that anyway.  Allow the caller
  10     to pass only a TGT key.
  11
  12     git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970
  13
  14 diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
  15 index f3d0225..83c2dc7 100644
  16 --- a/src/include/krb5/krb5.hin
  17 +++ b/src/include/krb5/krb5.hin
  18 @@ -7506,13 +7506,13 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
  19   * @param [in] pac              PAC handle
  20   * @param [in] authtime         Expected timestamp
  21   * @param [in] principal        Expected principal name (or NULL)
  22 - * @param [in] server           Key to validate server checksum
  23 + * @param [in] server           Key to validate server checksum (or NULL)
  24   * @param [in] privsvr          Key to validate KDC checksum (or NULL)
  25   *
  26   * This function validates @a pac against the supplied @a server, @a privsvr,
  27   * @a principal and @a authtime.  If @a principal is NULL, the principal and
  28 - * authtime are not verified.  If @a privsvr is NULL, the KDC checksum is not
  29 - * verified.
  30 + * authtime are not verified.  If @a server or @a privsvr is NULL, the
  31 + * corresponding checksum is not verified.
  32   *
  33   * If successful, @a pac is marked as verified.
  34   *
  35 diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
  36 index f173b04..23aa930 100644
  37 --- a/src/lib/krb5/krb/pac.c
  38 +++ b/src/lib/krb5/krb/pac.c
  39 @@ -637,9 +637,11 @@ krb5_pac_verify(krb5_context context,
  40      if (server == NULL)
  41          return EINVAL;
  42
  43 -    ret = k5_pac_verify_server_checksum(context, pac, server);
  44 -    if (ret != 0)
  45 -        return ret;
  46 +    if (server != NULL) {
  47 +        ret = k5_pac_verify_server_checksum(context, pac, server);
  48 +        if (ret != 0)
  49 +            return ret;
  50 +    }
  51
  52      if (privsvr != NULL) {
  53          ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
  54
  55 commit e31486a84380647e49ba6199a3e10ac739fa1a45
  56 Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
  57 Date:   Thu Dec 8 04:21:23 2011 +0000
  58
  59     ticket: 7048
  60
  61     Actually allow null server key in krb5_pac_verify
  62
  63     git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970
  64
  65 diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
  66 index 23aa930..3262d21 100644
  67 --- a/src/lib/krb5/krb/pac.c
  68 +++ b/src/lib/krb5/krb/pac.c
  69 @@ -634,9 +634,6 @@ krb5_pac_verify(krb5_context context,
  70  {
  71      krb5_error_code ret;
  72
  73 -    if (server == NULL)
  74 -        return EINVAL;
  75 -
  76      if (server != NULL) {
  77          ret = k5_pac_verify_server_checksum(context, pac, server);
  78          if (ret != 0)