stuff to still address

author Ken Raeburn <raeburn@mit.edu>

Tue, 10 Apr 2001 07:57:03 +0000 (07:57 +0000)

committer Ken Raeburn <raeburn@mit.edu>

Tue, 10 Apr 2001 07:57:03 +0000 (07:57 +0000)
author Ken Raeburn <raeburn@mit.edu>
Tue, 10 Apr 2001 07:57:03 +0000 (07:57 +0000)
committer Ken Raeburn <raeburn@mit.edu>
Tue, 10 Apr 2001 07:57:03 +0000 (07:57 +0000)
diff --git a/src/lib/des425/ISSUES b/src/lib/des425/ISSUES

new file mode 100644 (file)

index 0000000..ec5ce00
--- /dev/null
+++ b/src/lib/des425/ISSUES
@@ -0,0 +1,28 @@
+-*- text -*-
+
+* unix_time.c also exists in ../krb4, and they're different; both
+  should probably call into the krb5 support anyways to avoid
+  duplicating code.
+
+* namespace intrusions
+
+* Check include/kerberosIV/des.h and see if all the prototyped
+  functions really are necessary to retain; if not, delete some of
+  these source files.
+
+* Much of this code requires that DES_INT32 be *exactly* 32 bits, and
+  4 bytes.
+
+* Array types are used in function call signatures, which is unclean.
+  It makes trying to add "const" qualifications in the right places
+  really, um, interesting.  But we're probably stuck with them.
+
+* quad_cksum is totally broken.  I have no idea whether the author
+  actually believed it implemented the documented algorithm, but I'm
+  certain it doesn't.  The only question is, is it still reasonably
+  secure, when the plaintext and checksum are visible to an attacker
+  as in the mk_safe message?
+
+* des_read_password and des_read_pw_string are not thread-safe.  Also,
+  they should be calling into the k5crypto library instead of
+  duplicating functionality.
author	Ken Raeburn <raeburn@mit.edu>
	Tue, 10 Apr 2001 07:57:03 +0000 (07:57 +0000)
committer	Ken Raeburn <raeburn@mit.edu>
	Tue, 10 Apr 2001 07:57:03 +0000 (07:57 +0000)