FIPS certification
Theodore Tso
tytso at MIT.EDU
Sat Feb 28 12:43:48 EST 2009
On Sat, Feb 28, 2009 at 12:01:46AM -0600, Nicolas Williams wrote:
>
> Solaris at the time did not expose a krb5 API, so it was trivial for us
> (Wyllys) to change krb5_keyblock and to add initializers for it. But
> when it comes to contributing these changes to MIT we'll run into this
> problem. There are solutions that preserve compatibility with code that
> allocates krb5_keyblock on the stack, but they aren't pretty. Breaking
> the ABI could be considered -- it'd be a smallish break, but it won't be
> Sun deciding that, but the MIT Kerberos community.
It might be possible to dispatch on krb5_keyblock->magic to determine
whether it the new fields are there, and in places where a passed in
krb5_keyblock is allocated on the stack, the called function could
allocate a new-style krb5_keyblock and import the key. (How many such
places are there? I didn't think there would be that many.) It
wouldn't be that pretty, yes, but if it's considered important to
preserve the ABI, it's probably doable...
- Ted
More information about the Kerberos
mailing list