From c8c4c730ace4d466281a1a1982cfc2f8a515a8c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Thu, 4 Jan 2007 11:23:34 +0000
Subject: [PATCH] (krb5_rd_req_ctx): If there is a PAC, verify its server signature.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19679 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/krb5/rd_req.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/lib/krb5/rd_req.c b/lib/krb5/rd_req.c
index 67e05cd11..7033ac495 100644
--- a/lib/krb5/rd_req.c
+++ b/lib/krb5/rd_req.c
@@ -822,6 +822,36 @@ krb5_rd_req_ctx(krb5_context context,
 &o->ap_req_options,
 &o->ticket);
 
+ if (ret)
+ goto out;
+
+ /* If there is a PAC, verify its server signature */
+ {
+ krb5_pac pac;
+ krb5_data data;
+
+ ret = krb5_ticket_get_authorization_data_type(context,
+ o->ticket,
+ KRB5_AUTHDATA_WIN2K_PAC,
+ &data);
+ if (ret == 0) {
+ ret = krb5_pac_parse(context, data.data, data.length, &pac);
+ krb5_data_free(&data);
+ if (ret)
+ goto out;
+
+ ret = krb5_pac_verify(context,
+ pac,
+ o->ticket->ticket.authtime,
+ o->ticket->client,
+ &o->ticket->ticket.key,
+ NULL);
+ krb5_pac_free(context, pac);
+ if (ret)
+ goto out;
+ }
+ ret = 0;
+ }
 out:
 if (ret || outctx == NULL) {
 krb5_rd_req_out_ctx_free(context, o);
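Review bot: Any failure from `krb5_ticket_get_authorization_data_type` is treated as "no PAC": the `if (ret == 0)` branch is skipped and the trailing `ret = 0;` clears the error, so a ticket whose authorization data could not be read or decoded is accepted without the PAC check. Only the "element not present" result should be cleared, for example `else if (ret != ENOENT) goto out;` ahead of `ret = 0;` (this assumes ENOENT is what the lookup returns for a missing element; confirm against its definition). Separately, the key handed to `krb5_pac_verify` is `&o->ticket->ticket.key`, which by its name is the key carried inside the ticket rather than the service's long-term key; a PAC server checksum is normally keyed with the latter, so confirm which one the verifier expects. The final `NULL` argument presumably means the KDC checksum is not checked here, and the comment should say so, e.g. `/* server checksum only; the KDC checksum is not verified here */`. The body of `krb5_rd_req_ctx` starts and ends outside the hunk.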