fun with gss_verify_mic
So, gss_verify_mic cares about remote subkeys, so it knows how to verify.
This is a problem if I'm the client and I want to call gss_verify_mic.
The remote subkey gets set in rd_req, which is called from
accept_sec_context.
Of course the client doesn't accept a sec context. Same code works with
MIT krb5+gssapi. They use the sign and seal algo info from the token header
to make these decisions.
I need to read more on the issue before I can figure out how to correctly
fix things. The "cheap" fix (which is wrong but probably works in most
cases) is:
*** verify_mic.c.orig Sat Apr 7 23:09:48 2001
--- verify_mic.c Sat Apr 7 23:10:23 2001
***************
*** 244,252 ****
OM_uint32 ret;
krb5_keytype keytype;
! ret = krb5_auth_con_getremotesubkey (gssapi_krb5_context,
! context_handle->auth_context,
! &key);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
--- 244,250 ----
OM_uint32 ret;
krb5_keytype keytype;
! ret = gss_krb5_getsomekey(context_handle->auth_context, &key);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
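
Review bot: gss_krb5_getsomekey, called in the changed line of the 244,250 side, is neither defined nor declared anywhere in this patch, so the order in which it picks a key cannot be reviewed. That order decides which key the MIC is verified with, so please include the helper in the patch with a comment stating the order it tries keys in and what it returns when none is set. The new call also drops the gssapi_krb5_context argument that the replaced krb5_auth_con_getremotesubkey call passed; if the helper relies on the global context instead, say so at its definition. The existing "if (ret)" check still assumes a zero return means success, which the helper should document as well.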