diff options
| author | Greg Hudson <ghudson@mit.edu> | 2010-09-29 21:53:28 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2010-09-29 21:53:28 +0000 |
| commit | 6a8c335378fb9d458a08abf87147d63cdd51a05a (patch) | |
| tree | 42973c03c7c1ece72db2a25cf3d98ca6d710d4a2 | |
| parent | b78a5237be786bae47bc16b1200cc80bbd3943e4 (diff) | |
| download | krb5-6a8c335378fb9d458a08abf87147d63cdd51a05a.zip krb5-6a8c335378fb9d458a08abf87147d63cdd51a05a.tar.gz krb5-6a8c335378fb9d458a08abf87147d63cdd51a05a.tar.bz2 | |
Remove an NSS branch issue which has been dealt with
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/nss@24381 dc483132-0cff-0310-8789-dd5450dbe970
| -rw-r--r-- | README.BRANCH | 43 |
1 files changed, 8 insertions, 35 deletions
diff --git a/README.BRANCH b/README.BRANCH index 97f002f..95fb904 100644 --- a/README.BRANCH +++ b/README.BRANCH @@ -5,43 +5,16 @@ from tags/krb5-1-8-final) by Robert Relyea. Identified issues with this branch include, in roughly decreasing order of priority: -* The copyright and license statements on new code are problematic. - -* k5_nss_init fails on Ubuntu. More generally, it makes the - assumption that the NSS library should be initialized with - "sql:/etc/pki/nssdb" on Linux platforms, which is apparently not a - universal convention, and with no DB on other platforms. - -* If k5_nss_init fails, the Yarrow code crashes out with a seg fault - during library initialization. This is because the Yarrow interface - to the SHA1 hash implementation has no error path (because there are - no failure cases in a direct implementation, assuming well-formed - input). The upshot is that HASH_Init() fails silently without - initializing the context length field, and HASH_Final() passes the - uninitialized length field as an argument to memcpy(). - -* k5_nss_gen_stream_iov sets state->length to -1 to protect against - copying of the state structure by the caller, on the assumption that - an app trying to copy the state will gracefully fail to allocate - (unsigned int)-1 bytes of memory. This is an invalid assumption; - 64-bit platforms can often allocate that much memory. A better - approach is to use a loopback pointer to detect copying, as in - lib/crypto/openssl/enc_provider/rc4.c. +* If NSS is used before a fork, the child cannot make use of NSS + without performing a successful shutdown, which can't happen if + there are any outstanding NSS objects. This is an ongoing area of + discussion. -* There are several ifdefs which are not documented or supported in - configure: +* Cached handles in krb5_key objects must be wrapped in a structure + which remembers the current pid, so that they won't be used after a + fork. - - NSS_LOOKUP_STRING in hmac.c: This code appears to be - non-functional. - - - USE_OPAQUE_KEYS in enc_gen.c (defined by default) - - - FAKE_FIPS in enc_gen.c - - - DO_FAST_XOR in enc_gen.c (defined by default); the affected code - should probably be factored out with xorblock() from various - places in the built-in back end, into an inline function in a - utility header file somewhere. +* The copyright and license statements on new code are problematic. * The code could perhaps benefit from organizational simplification, such as eliminating the many small files for enc and hash providers |