[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: fun with gss_verify_mic

To: heimdal-discuss@sics.se
Subject: Re: fun with gss_verify_mic
From: Derrick J Brashear <shadow@dementia.org>
Date: Sun, 08 Apr 2001 00:00:38 -0400
In-Reply-To: <25890000.986699503@skittlebrau.trafford.dementia.org>
Sender: owner-heimdal-discuss@sics.se



--On Saturday, April 07, 2001 11:11:43 PM -0400 Derrick J Brashear 
<shadow@dementia.org> wrote:

> So, gss_verify_mic cares about remote subkeys, so it knows how to verify.
> This is a problem if I'm the client and I want to call gss_verify_mic.
> The remote subkey gets set in rd_req, which is called from
> accept_sec_context. Of course the client doesn't accept a sec context.
> Same code works with MIT krb5+gssapi. They use the sign and seal algo
> info from the token header to make these decisions.
>
> I need to read more on the issue before I can figure out how to correctly
> fix things. The "cheap" fix (which is wrong but probably works in most
> cases) is:

Oops, it should read:

*** verify_mic.c.orig   Sat Apr  7 23:09:48 2001
--- verify_mic.c        Sat Apr  7 23:10:23 2001
***************
*** 244,252 ****
      OM_uint32 ret;
      krb5_keytype keytype;

!     ret = krb5_auth_con_getremotesubkey (gssapi_krb5_context,
!                                        context_handle->auth_context,
!                                        &key);
      if (ret) {
        *minor_status = ret;
        return GSS_S_FAILURE;
--- 244,250 ----
      OM_uint32 ret;
      krb5_keytype keytype;

!     ret = gss_krb5_getsomekey(context_handle, &key);
      if (ret) {
        *minor_status = ret;
        return GSS_S_FAILURE;

References:
- fun with gss_verify_mic
  - From: Derrick J Brashear <shadow@dementia.org>

Prev by Date: fun with gss_verify_mic
Next by Date: telnetd limitations/bus/features
Prev by thread: fun with gss_verify_mic
Next by thread: telnetd limitations/bus/features
Index(es):
- Date
- Thread