svn rev #25532: trunk/src/ include/krb5/ lib/krb5/krb/

ghudson@MIT.EDU ghudson at MIT.EDU
Wed Dec 7 14:38:32 EST 2011 

http://src.mit.edu/fisheye/changelog/krb5/?cs=25532
Commit By: ghudson
Log Message:
ticket: 7048
subject: Allow null server key to krb5_pac_verify

When the KDC verifies a PAC, it doesn't really need to check the
server signature, since it can't trust that anyway.  Allow the caller
to pass only a TGT key.


Changed Files:
U   trunk/src/include/krb5/krb5.hin
U   trunk/src/lib/krb5/krb/pac.c
Modified: trunk/src/include/krb5/krb5.hin
===================================================================
--- trunk/src/include/krb5/krb5.hin	2011-12-07 19:38:29 UTC (rev 25531)
+++ trunk/src/include/krb5/krb5.hin	2011-12-07 19:38:32 UTC (rev 25532)
@@ -7506,13 +7506,13 @@
  * @param [in] pac              PAC handle
  * @param [in] authtime         Expected timestamp
  * @param [in] principal        Expected principal name (or NULL)
- * @param [in] server           Key to validate server checksum
+ * @param [in] server           Key to validate server checksum (or NULL)
  * @param [in] privsvr          Key to validate KDC checksum (or NULL)
  *
  * This function validates @a pac against the supplied @a server, @a privsvr,
  * @a principal and @a authtime.  If @a principal is NULL, the principal and
- * authtime are not verified.  If @a privsvr is NULL, the KDC checksum is not
- * verified.
+ * authtime are not verified.  If @a server or @a privsvr is NULL, the
+ * corresponding checksum is not verified.
  *
  * If successful, @a pac is marked as verified.
  *

Modified: trunk/src/lib/krb5/krb/pac.c
===================================================================
--- trunk/src/lib/krb5/krb/pac.c	2011-12-07 19:38:29 UTC (rev 25531)
+++ trunk/src/lib/krb5/krb/pac.c	2011-12-07 19:38:32 UTC (rev 25532)
@@ -637,9 +637,11 @@
     if (server == NULL)
         return EINVAL;
 
-    ret = k5_pac_verify_server_checksum(context, pac, server);
-    if (ret != 0)
-        return ret;
+    if (server != NULL) {
+        ret = k5_pac_verify_server_checksum(context, pac, server);
+        if (ret != 0)
+            return ret;
+    }
 
     if (privsvr != NULL) {
         ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);

More information about the cvs-krb5 mailing list