Re: fun with gss_verify_mic

--On Saturday, April 07, 2001 11:11:43 PM -0400 Derrick J Brashear 
<shadow@dementia.org> wrote:

> So, gss_verify_mic cares about remote subkeys, so it knows how to verify.
> This is a problem if I'm the client and I want to call gss_verify_mic.
> The remote subkey gets set in rd_req, which is called from
> accept_sec_context. Of course the client doesn't accept a sec context.
> Same code works with MIT krb5+gssapi. They use the sign and seal algo
> info from the token header to make these decisions.
>
> I need to read more on the issue before I can figure out how to correctly
> fix things. The "cheap" fix (which is wrong but probably works in most
> cases) is:

Oops, it should read:

*** verify_mic.c.orig   Sat Apr  7 23:09:48 2001
--- verify_mic.c        Sat Apr  7 23:10:23 2001
***************
*** 244,252 ****
      OM_uint32 ret;
      krb5_keytype keytype;

!     ret = krb5_auth_con_getremotesubkey (gssapi_krb5_context,
!                                        context_handle->auth_context,
!                                        &key);
      if (ret) {
        *minor_status = ret;
        return GSS_S_FAILURE;
--- 244,250 ----
      OM_uint32 ret;
      krb5_keytype keytype;

!     ret = gss_krb5_getsomekey(context_handle, &key);
      if (ret) {
        *minor_status = ret;
        return GSS_S_FAILURE;
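
Review bot: The replacement call in the 244,250 side of the hunk, `ret = gss_krb5_getsomekey(context_handle, &key);`, makes MIC verification depend on whichever key the helper returns, and the helper's definition is not in this patch, so its selection order cannot be reviewed here. The quoted message says MIT uses the sign and seal algorithm info from the token header to make this decision; the helper should at least take the local role (initiator or acceptor) into account, document its fallback order in a comment, and return an error rather than a default key when no suitable key is available, so the existing `if (ret)` path reports GSS_S_FAILURE. Please include the helper in the patch and state who owns and frees `key` after the call.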