Code review request: 8016594: Native Windows ccache still reads DES tickets

Weijun Wang weijun.wang at oracle.com
Wed Aug 7 13:30:37 UTC 2013


First, thanks for your feedbacks.

I only intended to fix etypes in this bug and since I don't have a lot 
of experience on native kerberos on Mac (it is the Heimdal impl instead 
of MIT's) I didn't want to touch a lot.

Precisely, comparing only "krbtgt" is not enough. When doing cross-realm 
auth from R1 to R2, it's likely to have "krbtgt/R2 at R1" in ccache and it 
should not used as initial TGT.

Shall we fix this in another bug when I (or QE) are more familiar with 
native krb5 on Mac?

Thanks
Max

On 8/7/13 9:09 PM, Xuelei Fan wrote:
> On 8/7/2013 7:53 PM, Dmitry Samersoff wrote:
>> Xuelei,
>>
>> 1. strncmp calls strlen at first, so explicit call to strlen is not
>> necessary.
>>
> I was wondering to make the comparing when the length of serverName is
> bigger than strlen("krbtgt").  For example, "krbtgt_extra".  Mine
> suggested code is incorrect, as the output name of krb5_unparse_name may
> be "krbtgt_extra/h.o.s.t at realm", but not "krbtgt_extra".
>
> It's a little problem, but we might want to make the comparing more
> precisely.
>
>> 2. strlen("krbtgt") == sizeof("krbtgt")-1
>> as sizeof count terminating 0.
>>
> You are right.
>
> Xuelei
>
>> -Dmitry
>>
>>
>> On 2013-08-07 15:31, Xuelei Fan wrote:
>>> On 8/7/2013 6:58 PM, Weijun Wang wrote:
>>>>
>>>>
>>>> On 8/7/13 5:23 PM, Dmitry Samersoff wrote:
>>>>> Weijun,
>>>>>
>>>>> nativeccache.c:
>>>>>
>>>>> 322: Could you change strlen("krbtgt") to sizeof("krbtgt")-1 to save a
>>>>> bit of computer power?
>>>>
>>>> Sure.
>>>
>>> strncmp() is normally work with strlen() while comparing two strings, in
>>> case the length of the two string are not equal.
>>>
>>> - 322  if (strncmp (serverName, "krbtgt", strlen("krbtgt")) == 0 &&
>>> + 322  if (strlen(serverName) == sizeof("krbtgt") &&
>>> +        strncmp (serverName, "krbtgt", sizeof("krbtgt")) == 0 &&
>>>
>>> BTW, as it is a local function, would you like to add a "static" keyword
>>> to isIn() function?
>>>
>>> Xuelei
>>>
>>
>>
>



More information about the security-dev mailing list