On Fri, Oct 10, 2008 at 04:59:47PM -0500, Will Fiveash wrote:
> On Tue, Oct 07, 2008 at 03:50:29PM -0500, Will Fiveash wrote:
> > On Tue, Oct 07, 2008 at 05:44:53PM +0200, Mark Phalan wrote:
> > > I've just uploaded a webrev with what is hopefully the final bits
> > > for the PKINIT 1.6.3 resync.
> > > This webrev includes all my changes to pkinit, code review comments
> > > and some other misc fixes.
> > >
> > > See the webrev here: http://cr.opensolaris.org/~mbp/pkinit-updates/
> > >
> > > The following need review:
> > >
> > > /usr/lib/krb5/plugins/preauth/*
> >
> > I'll look at the /usr/lib/krb5/plugins/preauth/* files.
>
> Those look okay to me.
Actually, one minor issue:
In pkinit_crypto_openssl.c:client_create_dh():
DH_check(cryptoctx->dh, &dh_err);
/* Solaris Kerberos */
#ifdef DEBUG
if (dh_err != 0) {
pkiDebug("Warning: dh_check failed with %d\n", dh_err);
if (dh_err & DH_CHECK_P_NOT_PRIME)
pkiDebug("p value is not prime\n");
if (dh_err & DH_CHECK_P_NOT_SAFE_PRIME)
pkiDebug("p value is not a safe prime\n");
if (dh_err & DH_UNABLE_TO_CHECK_GENERATOR)
pkiDebug("unable to check the generator value\n");
if (dh_err & DH_NOT_SUITABLE_GENERATOR)
pkiDebug("the g value is not a generator\n");
}
#endif
- Why isn't DH_check inside the #ifdef DEBUG section?
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
