From: Luke Howard <lukeh@padl.com>
Date: Tue, 25 Aug 2009 17:37:11 +0000 (+0000)
Subject: indicate how we might ignore PAC verification failures
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fb0b01e73e74f253892c40cf53b1cf523f766b1d;p=thirdparty%2Fkrb5.git

indicate how we might ignore PAC verification failures

git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/authdata@22600 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index b6c15dd261..2c9962cb1e 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -964,7 +964,18 @@ mspac_request_verify(krb5_context context,
 			   key,
 			   NULL);
 
+#if 0
+    /*
+     * Now, we could return 0 and just set pac->verified to FALSE.
+     * Thoughts?
+     */
+    if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+        assert(pacctx->pac->verified == FALSE);
+        code = 0;
+    }
+#else
     if (pacctx->pac->verified == TRUE || code != 0);
+#endif
 
     return code;
 }