Re: [patch] miscellaneous mechglue stuff

[Luke Howard <lukeh@PADL.COM>]

>I decided to implement this in lorikeet-heimdal, and here is what I
>actually got:

Don't forget to free the crypto context. Here's what I got (untested):

Index: accept_sec_context.c
===================================================================
RCS file: /home/project/cvs/heimdal/lib/gssapi/accept_sec_context.c,v
retrieving revision 1.104
diff -u -r1.104 accept_sec_context.c
--- accept_sec_context.c	24 Dec 2005 14:25:41 -0000	1.104
+++ accept_sec_context.c	7 May 2006 14:42:01 -0000
@@ -372,11 +372,31 @@
 	    goto failure;
 	}
 
-	ret = gssapi_krb5_verify_8003_checksum(minor_status,
-					       input_chan_bindings,
-					       authenticator->cksum,
-					       &flags,
-					       &fwd_data);
+	if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
+	    ret = gssapi_krb5_verify_8003_checksum(minor_status,
+						   input_chan_bindings,
+				 		   authenticator->cksum,
+						   &flags,
+						   &fwd_data);
+	} else {
+	    krb5_crypto crypto;
+
+	    kret = krb5_crypto_init(gssapi_krb5_context,
+				    (*context_handle)->auth_context->keyblock,
+				    0, &crypto);
+	    if (kret == 0) {
+		kret = krb5_verify_checksum(gssapi_krb5_context,
+					    crypto, KRB5_KU_AP_REQ_AUTH_CKSUM,
+					    NULL, 0, authenticator->cksum);
+		flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+		krb5_crypto_destroy(gssapi_krb5_context, crypto);
+	    }
+	    if (kret != 0) {
+		ret = GSS_S_BAD_SIG;
+		gssapi_krb5_set_error_string ();
+	    } else
+		ret = GSS_S_COMPLETE;
+	}
 	krb5_free_authenticator(gssapi_krb5_context, &authenticator);
 	if (ret)
 	    goto failure;

-- Luke

--