From: Greg Hudson Date: Wed, 7 Dec 2011 19:38:32 +0000 (+0000) Subject: Allow null server key to krb5_pac_verify X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=1e34efd28bd6c7eae84b19f71c87b2ea58939c1a;p=krb5.git Allow null server key to krb5_pac_verify When the KDC verifies a PAC, it doesn't really need to check the server signature, since it can't trust that anyway. Allow the caller to pass only a TGT key. ticket: 7048 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index f3d0225a0..83c2dc721 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -7506,13 +7506,13 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len, * @param [in] pac PAC handle * @param [in] authtime Expected timestamp * @param [in] principal Expected principal name (or NULL) - * @param [in] server Key to validate server checksum + * @param [in] server Key to validate server checksum (or NULL) * @param [in] privsvr Key to validate KDC checksum (or NULL) * * This function validates @a pac against the supplied @a server, @a privsvr, * @a principal and @a authtime. If @a principal is NULL, the principal and - * authtime are not verified. If @a privsvr is NULL, the KDC checksum is not - * verified. + * authtime are not verified. If @a server or @a privsvr is NULL, the + * corresponding checksum is not verified. * * If successful, @a pac is marked as verified. * diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c index f173b042e..23aa9305b 100644 --- a/src/lib/krb5/krb/pac.c +++ b/src/lib/krb5/krb/pac.c @@ -637,9 +637,11 @@ krb5_pac_verify(krb5_context context, if (server == NULL) return EINVAL; - ret = k5_pac_verify_server_checksum(context, pac, server); - if (ret != 0) - return ret; + if (server != NULL) { + ret = k5_pac_verify_server_checksum(context, pac, server); + if (ret != 0) + return ret; + } if (privsvr != NULL) { ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);