[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [patch] miscellaneous mechglue stuff



On Mon, 1 May 2006 10:04:52 +1000
Luke Howard <lukeh@PADL.COM> wrote:

> 
> >The change to *accept* MD5 should still be applied of course.
> 
> Would it not be better to switch the test around so that CKSUMTYPE_GSSAPI
> is tested instead?

Sure, either way the result is the same. Or, better, throw an error if
cksumtype doesn't match any of the supported types. If MS accepts MD5 it
probably accepts others so there might be a precedent to add others here.

    switch (authenticator->cksum->cksumtype) {
        case CKSUMTYPE_RSA_MD5:
            ret = krb5_verify_checksum(gssapi_krb5_context,
                NULL, 0, NULL, 0, authenticator->cksum);
            break;  
        case CKSUMTYPE_GSSAPI:
            ret = gssapi_krb5_verify_8003_checksum(minor_status,
                           input_chan_bindings,
                           authenticator->cksum,
                           &flags, 
                           &fwd_data);
            break;  
        default:
            ret = GSS_S_FAILURE;
            *minor_status = 0;
            krb5_set_error_string(gssapi_krb5_context, "cksumtype not supported");
            gssapi_krb5_set_error_string();
            ret = -1;
    }

Mike