From 7e21610a7cdaab6263c75d9d5e0cbd39ed9389c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Wed, 10 Jan 2007 15:22:11 +0000
Subject: [PATCH] Pass down server entry to verify_pac function. from Andrew
 Bartlett <abartlet@samba.org>

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19797 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/krb5tgs.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index d2ce9a8fe..2a181bd18 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -279,10 +279,12 @@ check_KRB5SignedPath(krb5_context context,
 static krb5_error_code
 check_PAC(krb5_context context,
 	  krb5_kdc_configuration *config,
+	  const krb5_principal client_principal,
 	  hdb_entry_ex *client,
-	  const EncryptionKey *ekey,
+	  hdb_entry_ex *server,
+	  const EncryptionKey *server_key,
+	  const EncryptionKey *krbtgt_key,
 	  EncTicketPart *tkt,
-	  const EncryptionKey *sessionkey,
 	  krb5_data *rspac,
 	  int *require_signedpath)
 {
@@ -323,15 +325,15 @@ check_PAC(krb5_context context,
 		    return ret;
 
 		ret = krb5_pac_verify(context, pac, tkt->authtime, 
-				      client->entry.principal,
-				      &tkt->key,
-				      ekey);
+				      client_principal,
+				      krbtgt_key, NULL);
 		if (ret) {
 		    krb5_pac_free(context, pac);
 		    return ret;
 		}
 
-		ret = _kdc_pac_verify(context, client, pac);
+		ret = _kdc_pac_verify(context, client_principal, 
+				      client, server, &pac);
 		if (ret) {
 		    krb5_pac_free(context, pac);
 		    return ret;
@@ -339,8 +341,8 @@ check_PAC(krb5_context context,
 		*require_signedpath = 0;
 
 		ret = _krb5_pac_sign(context, pac, tkt->authtime,
-				     client->entry.principal,
-				     sessionkey, ekey, rspac);
+				     client_principal,
+				     server_key, krbtgt_key, rspac);
 
 		krb5_pac_free(context, pac);
 
@@ -1714,8 +1716,9 @@ server_lookup:
 	    goto out;
 	}
 
-	ret = check_PAC(context, config, client, &tkey->key, 
-			tgt, &sessionkey, &rspac, &require_signedpath);
+	ret = check_PAC(context, config, client_principal, 
+			client, server, ekey, &tkey->key, 
+			tgt, &rspac, &require_signedpath);
 	if (ret) {
 	    kdc_log(context, config, 0,
 		    "check_PAC check failed for %s (%s) from %s with %s",