Re: fun with gss_verify_mic
--On Saturday, April 07, 2001 11:11:43 PM -0400 Derrick J Brashear
<shadow@dementia.org> wrote:
> So, gss_verify_mic cares about remote subkeys, so it knows how to verify.
> This is a problem if I'm the client and I want to call gss_verify_mic.
> The remote subkey gets set in rd_req, which is called from
> accept_sec_context. Of course the client doesn't accept a sec context.
> Same code works with MIT krb5+gssapi. They use the sign and seal algo
> info from the token header to make these decisions.
>
> I need to read more on the issue before I can figure out how to correctly
> fix things. The "cheap" fix (which is wrong but probably works in most
> cases) is:
Oops, it should read:
*** verify_mic.c.orig Sat Apr 7 23:09:48 2001
--- verify_mic.c Sat Apr 7 23:10:23 2001
***************
*** 244,252 ****
OM_uint32 ret;
krb5_keytype keytype;
! ret = krb5_auth_con_getremotesubkey (gssapi_krb5_context,
! context_handle->auth_context,
! &key);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
--- 244,250 ----
OM_uint32 ret;
krb5_keytype keytype;
! ret = gss_krb5_getsomekey(context_handle, &key);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
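Review bot: The changed line `ret = gss_krb5_getsomekey(context_handle, &key);` depends on a helper whose definition is not in this patch, so the key it selects cannot be checked from the hunk. A MIC only verifies when both peers use the same key, and the message being replied to already describes the cheap fix as wrong but probably working in most cases, so the patch should include the helper along with a comment stating the order in which it tries keys. Also confirm that the helper returns a krb5 error code, because the unchanged lines below copy `ret` straight into `*minor_status`.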