From 45d13ca8a1ef7d9ce900b59ba752ebe38c3d5f07 Mon Sep 17 00:00:00 2001 From: Ken Raeburn Date: Tue, 10 Apr 2001 07:57:03 +0000 Subject: [PATCH] stuff to still address git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13168 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/des425/ISSUES | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 src/lib/des425/ISSUES diff --git a/src/lib/des425/ISSUES b/src/lib/des425/ISSUES new file mode 100644 index 000000000..ec5ce0087 --- /dev/null +++ b/src/lib/des425/ISSUES @@ -0,0 +1,28 @@ +-*- text -*- + +* unix_time.c also exists in ../krb4, and they're different; both + should probably call into the krb5 support anyways to avoid + duplicating code. + +* namespace intrusions + +* Check include/kerberosIV/des.h and see if all the prototyped + functions really are necessary to retain; if not, delete some of + these source files. + +* Much of this code requires that DES_INT32 be *exactly* 32 bits, and + 4 bytes. + +* Array types are used in function call signatures, which is unclean. + It makes trying to add "const" qualifications in the right places + really, um, interesting. But we're probably stuck with them. + +* quad_cksum is totally broken. I have no idea whether the author + actually believed it implemented the documented algorithm, but I'm + certain it doesn't. The only question is, is it still reasonably + secure, when the plaintext and checksum are visible to an attacker + as in the mk_safe message? + +* des_read_password and des_read_pw_string are not thread-safe. Also, + they should be calling into the k5crypto library instead of + duplicating functionality. -- 2.26.2