commit 1c2f5144de0f15f7d9c8659a71adc10c2755b57e Author: ghudson Date: Wed Dec 7 19:38:32 2011 +0000 ticket: 7048 subject: Allow null server key to krb5_pac_verify When the KDC verifies a PAC, it doesn't really need to check the server signature, since it can't trust that anyway. Allow the caller to pass only a TGT key. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970 diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index f3d0225..83c2dc7 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -7506,13 +7506,13 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len, * @param [in] pac PAC handle * @param [in] authtime Expected timestamp * @param [in] principal Expected principal name (or NULL) - * @param [in] server Key to validate server checksum + * @param [in] server Key to validate server checksum (or NULL) * @param [in] privsvr Key to validate KDC checksum (or NULL) * * This function validates @a pac against the supplied @a server, @a privsvr, * @a principal and @a authtime. If @a principal is NULL, the principal and - * authtime are not verified. If @a privsvr is NULL, the KDC checksum is not - * verified. + * authtime are not verified. If @a server or @a privsvr is NULL, the + * corresponding checksum is not verified. * * If successful, @a pac is marked as verified. * diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c index f173b04..23aa930 100644 --- a/src/lib/krb5/krb/pac.c +++ b/src/lib/krb5/krb/pac.c @@ -637,9 +637,11 @@ krb5_pac_verify(krb5_context context, if (server == NULL) return EINVAL; - ret = k5_pac_verify_server_checksum(context, pac, server); - if (ret != 0) - return ret; + if (server != NULL) { + ret = k5_pac_verify_server_checksum(context, pac, server); + if (ret != 0) + return ret; + } if (privsvr != NULL) { ret = k5_pac_verify_kdc_checksum(context, pac, privsvr); commit e31486a84380647e49ba6199a3e10ac739fa1a45 Author: ghudson Date: Thu Dec 8 04:21:23 2011 +0000 ticket: 7048 Actually allow null server key in krb5_pac_verify git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970 diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c index 23aa930..3262d21 100644 --- a/src/lib/krb5/krb/pac.c +++ b/src/lib/krb5/krb/pac.c @@ -634,9 +634,6 @@ krb5_pac_verify(krb5_context context, { krb5_error_code ret; - if (server == NULL) - return EINVAL; - if (server != NULL) { ret = k5_pac_verify_server_checksum(context, pac, server); if (ret != 0)