From 1b55e9b1cb4f192635878b0b7242104d58a37d2b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Jun 01 2023 13:48:45 +0000
Subject: ipa-kdb: skip verification of PAC full checksum


MIT Kerberos KDC code will do verification of the PAC full checksum
buffers, we don't need to process them. This change only applies to
newer MIT Kerberos version which have this buffer type defined, hence
using #ifdef to protect the use of the define.

This should have no functional difference.

Related: https://pagure.io/freeipa/issue/9371

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>

---

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 8da7543..83b507c 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2367,7 +2367,10 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context,
     for (i = 0; i < num_buffers; i++) {
         if (types[i] == KRB5_PAC_SERVER_CHECKSUM ||
             types[i] == KRB5_PAC_PRIVSVR_CHECKSUM ||
-            types[i] == KRB5_PAC_CLIENT_INFO) {
+#ifdef KRB5_PAC_FULL_CHECKSUM
+            types[i] == KRB5_PAC_FULL_CHECKSUM ||
+#endif
+	    types[i] == KRB5_PAC_CLIENT_INFO) {
             continue;
         }