On Fri, 2008-10-10 at 17:07 -0500, Will Fiveash wrote:
> On Fri, Oct 10, 2008 at 04:59:47PM -0500, Will Fiveash wrote:
> > On Tue, Oct 07, 2008 at 03:50:29PM -0500, Will Fiveash wrote:
> > > On Tue, Oct 07, 2008 at 05:44:53PM +0200, Mark Phalan wrote:
> > > > I've just uploaded a webrev with what is hopefully the final bits
> > > > for the PKINIT 1.6.3 resync.
> > > > This webrev includes all my changes to pkinit, code review comments
> > > > and some other misc fixes.
> > > >
> > > > See the webrev here: http://cr.opensolaris.org/~mbp/pkinit-updates/
> > > >
> > > > The following need review:
> > > >
> > > > /usr/lib/krb5/plugins/preauth/*
> > >
> > > I'll look at the /usr/lib/krb5/plugins/preauth/* files.
> >
> > Those look okay to me.
>
> Actually, one minor issue:
> In pkinit_crypto_openssl.c:client_create_dh():
>
>     DH_check(cryptoctx->dh, &dh_err);
>     /* Solaris Kerberos */
> #ifdef DEBUG
>     if (dh_err != 0) {
>         pkiDebug("Warning: dh_check failed with %d\n", dh_err);
>         if (dh_err & DH_CHECK_P_NOT_PRIME)
>             pkiDebug("p value is not prime\n");
>         if (dh_err & DH_CHECK_P_NOT_SAFE_PRIME)
>             pkiDebug("p value is not a safe prime\n");
>         if (dh_err & DH_UNABLE_TO_CHECK_GENERATOR)
>             pkiDebug("unable to check the generator value\n");
>         if (dh_err & DH_NOT_SUITABLE_GENERATOR)
>             pkiDebug("the g value is not a generator\n");
>     }
> #endif
>
> - Why isn't DH_check inside the #ifdef DEBUG section?

It should have been. Fixed.

-M
