On 11/27/2014 02:34 AM, Peter Mogensen wrote:
> I was looking at libkrb5 for the public API mirroring "in_data" in
> krb5_mk_req()
> http://web.mit.edu/kerberos/krb5-current/doc/appdev/refs/api/krb5_mk_req.html

I have noticed myself the asymmetry between mk_req taking application data to checksum and rd_req not taking any to verify.

> It looks like you're supposed to get the Authenticator and then the
> checksum from the Authenticator manually and compare it against a
> checksum you manually build.

That's probably the best you can do for now.

> But many of the needed calls are either listed as deprecated or not to be
> called directly, and the comp_cksum() call that the KDC uses for TGS-REQs
> isn't even public.

What is listed as deprecated? I wouldn't worry too much about the "should not be called directly" designation; those are still public and stable APIs. comp_cksum doesn't do a lot; it shouldn't be difficult to do the same things yourself. (The call to krb5_c_valid_cksumtype is probably redundant with the other two checks.)

> Have I missed some part of the API, or is there really no easy way to
> verify the cksum created by mk_req() in_data?

Most applications are written to the GSSAPI, which uses the authenticator checksum for its own purposes. So this may not be a glaring need. Be aware that integrity-protecting application data using the authenticator checksum increases a protocol's dependency on the replay cache, which is inherently imperfect.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos