rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity
cd92a2cbb4
krb5/krb5-trunk-7048.patch
Nalin Dahyabhai f28b57af20 - pull in patch for RT#7048: allow PAC verification to only bother trying to 
verify the signature with keys that it's given (still more of #761317)
2011-12-13 10:50:02 -05:00

79 lines
2.8 KiB
Diff
Raw Blame History

commit 1c2f5144de0f15f7d9c8659a71adc10c2755b57e
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Wed Dec 7 19:38:32 2011 +0000
ticket: 7048
subject: Allow null server key to krb5_pac_verify
When the KDC verifies a PAC, it doesn't really need to check the
server signature, since it can't trust that anyway. Allow the caller
to pass only a TGT key.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index f3d0225..83c2dc7 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -7506,13 +7506,13 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
* @param [in] pac PAC handle
* @param [in] authtime Expected timestamp
* @param [in] principal Expected principal name (or NULL)
- * @param [in] server Key to validate server checksum
+ * @param [in] server Key to validate server checksum (or NULL)
* @param [in] privsvr Key to validate KDC checksum (or NULL)
*
* This function validates @a pac against the supplied @a server, @a privsvr,
* @a principal and @a authtime. If @a principal is NULL, the principal and
- * authtime are not verified. If @a privsvr is NULL, the KDC checksum is not
- * verified.
+ * authtime are not verified. If @a server or @a privsvr is NULL, the
+ * corresponding checksum is not verified.
*
* If successful, @a pac is marked as verified.
*
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index f173b04..23aa930 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -637,9 +637,11 @@ krb5_pac_verify(krb5_context context,
if (server == NULL)
return EINVAL;
- ret = k5_pac_verify_server_checksum(context, pac, server);
- if (ret != 0)
- return ret;
+ if (server != NULL) {
+ ret = k5_pac_verify_server_checksum(context, pac, server);
+ if (ret != 0)
+ return ret;
+ }
if (privsvr != NULL) {
ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
commit e31486a84380647e49ba6199a3e10ac739fa1a45
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Thu Dec 8 04:21:23 2011 +0000
ticket: 7048
Actually allow null server key in krb5_pac_verify
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 23aa930..3262d21 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -634,9 +634,6 @@ krb5_pac_verify(krb5_context context,
{
krb5_error_code ret;
- if (server == NULL)
- return EINVAL;
-
if (server != NULL) {
ret = k5_pac_verify_server_checksum(context, pac, server);
if (ret != 0)
Reference in New Issue View Git Blame Copy Permalink