Clean up PBKDF2 interface. Add s2k-params to string-to-key interface, except

no new decl in krb5.h yet; rename changed s2k functions to use krb5int_ prefix.
Add AES to etype table.  Delete some unused declarations.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15229 dc483132-0cff-0310-8789-dd5450dbe970

19 files changed, 133 insertions, 145 deletions

diff --git a/src/include/ChangeLog b/src/include/ChangeLog
index dffc4cb..d0ea27f 100644
--- a/src/include/ChangeLog
+++ b/src/include/ChangeLog
@@ -1,3 +1,13 @@
+2003-03-04  Ken Raeburn  <raeburn@mit.edu>
+
+	* krb5.h (ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+	ENCTYPE_AES256_CTS_HMAC_SHA1_96, CKSUMTYPE_HMAC_SHA1_96_AES128,
+	CKSUMTYPE_HMAC_SHA1_96_AES256): New macros.
+	* k5-int.h (krb5_str2key_func): Added params argument.
+	(krb5int_pbkdf2_hmac_sha1): Declare.
+	(krb5_cryptosystem_entry, krb5_cs_table_entry, SUM_FUNC,
+	SUM_VERF_FUNC, krb5_checksum_entry): Delete unused declarations.
+
 2003-02-26  Ken Raeburn  <raeburn@mit.edu>
 
 	* configure.in: Set and substitute maybe_kerberosIV.
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 2bfce56..82f2516 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -620,7 +620,7 @@ typedef krb5_error_code (*krb5_crypt_func) (const struct krb5_enc_provider *enc,
   const krb5_data *input, krb5_data *output);
 
 typedef krb5_error_code (*krb5_str2key_func) (const struct krb5_enc_provider *enc, const krb5_data *string,
-  const krb5_data *salt, krb5_keyblock *key);
+  const krb5_data *salt, const krb5_data *parm, krb5_keyblock *key);
 
 struct krb5_keytypes {
     krb5_enctype etype;
@@ -669,6 +669,10 @@ krb5_error_code krb5_hmac
 		const krb5_keyblock *key, unsigned int icount,
 		const krb5_data *input, krb5_data *output);
 
+krb5_error_code krb5int_pbkdf2_hmac_sha1 (const krb5_data *, unsigned long,
+					  const krb5_data *,
+					  const krb5_data *);
+
 /* A definition of init_state for DES based encryption systems.
  * sets up an 8-byte IV of all zeros
  */
@@ -704,74 +708,6 @@ extern const struct krb5_hash_provider krb5int_hash_md5;
 #ifdef KRB5_OLD_CRYPTO
 /* old provider api */
 
-typedef struct _krb5_cryptosystem_entry {
-    krb5_magic magic;
-    krb5_error_code (*encrypt_func) ( krb5_const_pointer /* in */,
-					       krb5_pointer /* out */,
-					       const size_t,
-					       krb5_encrypt_block *,
-					       krb5_pointer);
-    krb5_error_code (*decrypt_func) ( krb5_const_pointer /* in */,
-					       krb5_pointer /* out */,
-					       const size_t,
-					       krb5_encrypt_block *,
-					       krb5_pointer);
-    krb5_error_code (*process_key) ( krb5_encrypt_block *,
-					      const krb5_keyblock *);
-    krb5_error_code (*finish_key) ( krb5_encrypt_block *);
-    krb5_error_code (*string_to_key) (const krb5_encrypt_block *,
-						krb5_keyblock *,
-						const krb5_data *,
-						const krb5_data *);
-    krb5_error_code (*init_random_key) ( const krb5_encrypt_block *,
-						const krb5_keyblock *,
-						krb5_pointer *);
-    krb5_error_code (*finish_random_key) ( const krb5_encrypt_block *,
-						krb5_pointer *);
-    krb5_error_code (*random_key) ( const krb5_encrypt_block *,
-					      krb5_pointer,
-					      krb5_keyblock **);
-    int block_length;
-    int pad_minimum;			/* needed for cksum size computation */
-    int keysize;
-    krb5_enctype proto_enctype;		/* key type,
-					   (assigned protocol number AND
-					    table index) */
-} krb5_cryptosystem_entry;
-
-typedef struct _krb5_cs_table_entry {
-    krb5_magic magic;
-    krb5_cryptosystem_entry * system;
-    krb5_pointer random_sequence;	/* from init_random_key() */
-} krb5_cs_table_entry;
-
-
-/* could be used in a table to find a sumtype */
-typedef krb5_error_code
-	(*SUM_FUNC) (
-		const krb5_pointer /* in */,
-		const size_t /* in_length */,
-		const krb5_pointer /* key/seed */,
-		const size_t /* key/seed size */,
-		krb5_checksum * /* out_cksum */);
-
-typedef krb5_error_code
-	(*SUM_VERF_FUNC) (
-		const krb5_checksum * /* out_cksum */,
-		const krb5_pointer /* in */,
-		const size_t /* in_length */,
-		const krb5_pointer /* key/seed */,
-		const size_t /* key/seed size */);
-
-typedef struct _krb5_checksum_entry {
-    krb5_magic magic;
-    SUM_FUNC sum_func;			/* Checksum generator */
-    SUM_VERF_FUNC sum_verf_func;	/* Verifier of checksum */
-    int checksum_length;	   	/* length returned by sum_func */
-    unsigned int is_collision_proof:1;
-    unsigned int uses_key:1;
-} krb5_checksum_entry;
-
 krb5_error_code krb5_crypto_os_localaddr
 	(krb5_address ***);
 
diff --git a/src/include/krb5.hin b/src/include/krb5.hin
index e53606c..c6f7040 100644
--- a/src/include/krb5.hin
+++ b/src/include/krb5.hin
@@ -361,6 +361,8 @@ typedef struct _krb5_enc_data {
 #define	ENCTYPE_DES3_CBC_RAW	0x0006	/* DES-3 cbc mode raw */
 #define ENCTYPE_DES_HMAC_SHA1	0x0008
 #define ENCTYPE_DES3_CBC_SHA1	0x0010
+#define ENCTYPE_AES128_CTS_HMAC_SHA1_96	0x0011
+#define ENCTYPE_AES256_CTS_HMAC_SHA1_96	0x0012
 #define ENCTYPE_ARCFOUR_HMAC	0x0017
 #define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018
 #define ENCTYPE_UNKNOWN		0x01ff
@@ -378,6 +380,8 @@ typedef struct _krb5_enc_data {
 #define	CKSUMTYPE_RSA_MD5_DES	0x0008
 #define CKSUMTYPE_NIST_SHA	0x0009
 #define CKSUMTYPE_HMAC_SHA1_DES3	0x000c
+#define CKSUMTYPE_HMAC_SHA1_96_AES128	0x000f
+#define CKSUMTYPE_HMAC_SHA1_96_AES256	0x0010
 #define CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /*Microsoft md5 hmac cksumtype*/
 
 /* The following are entropy source designations. Whenever
diff --git a/src/lib/crypto/ChangeLog b/src/lib/crypto/ChangeLog
index b5448c8..fae236d 100644
--- a/src/lib/crypto/ChangeLog
+++ b/src/lib/crypto/ChangeLog
@@ -1,3 +1,21 @@
+2003-03-04  Ken Raeburn  <raeburn@mit.edu>
+
+	* etypes.c: Include aes_s2k.h.
+	(krb5_enctypes): Add AES enctypes.  Update s2k function names.
+	* pbkdf2.c (krb5int_pbkdf2): Now static.  Output data descriptor
+	is const.
+	(krb5int_pbkdf2_hmac_sha1_128, krb5int_pbkdf2_hmac_sha1_256):
+	Deleted.
+	* string_to_key.c (krb5_c_string_to_key_with_params): Renamed from
+	krb5_c_string_to_key, takes new params argument and passes it
+	through.
+	(krb5_c_string_to_key): New function, passes null params.
+	* t_pkcs5.c (test_pbkdf2_rfc3211): Update calls to
+	krb5int_pbkdf2_hmac_sha1 for new API.
+	* vectors.c (test_mit_des_s2k): Update krb5_des_string_to_key call
+	for new API.
+	* Makefile.in: Update dependencies.
+
 2003-03-03  Ken Raeburn  <raeburn@mit.edu>
 
 	* pbkdf2.c (F): Now takes krb5_data for password and salt.
diff --git a/src/lib/crypto/Makefile.in b/src/lib/crypto/Makefile.in
index 1f6ede7..ccb26af 100644
--- a/src/lib/crypto/Makefile.in
+++ b/src/lib/crypto/Makefile.in
@@ -412,7 +412,8 @@ etypes.so etypes.po $(OUTPRE)etypes.$(OBJEXT): etypes.c $(SRCTOP)/include/k5-int
   $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
   $(BUILDTOP)/include/profile.h $(srcdir)/enc_provider/enc_provider.h \
   $(srcdir)/hash_provider/hash_provider.h etypes.h $(srcdir)/old/old.h \
-  $(srcdir)/raw/raw.h $(srcdir)/dk/dk.h $(srcdir)/arcfour/arcfour.h
+  $(srcdir)/raw/raw.h $(srcdir)/dk/dk.h $(srcdir)/arcfour/arcfour.h \
+  $(srcdir)/aes/aes_s2k.h
 hmac.so hmac.po $(OUTPRE)hmac.$(OBJEXT): hmac.c $(SRCTOP)/include/k5-int.h \
   $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
   $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
diff --git a/src/lib/crypto/arcfour/ChangeLog b/src/lib/crypto/arcfour/ChangeLog
index 7442af5..5727d19 100644
--- a/src/lib/crypto/arcfour/ChangeLog
+++ b/src/lib/crypto/arcfour/ChangeLog
@@ -1,3 +1,9 @@
+2003-03-04  Ken Raeburn  <raeburn@mit.edu>
+
+	* arcfour.c (krb5int_arcfour_string_to_key): Renamed from
+	krb5_... and added new s2k-params argument, which must be null.
+	* arcfour.h: Updated.
+
 2003-02-03  Sam Hartman  <hartmans@mit.edu>
 
 	* arcfour.c (krb5_arcfour_encrypt_length): l40, the 40-bit
diff --git a/src/lib/crypto/arcfour/arcfour.h b/src/lib/crypto/arcfour/arcfour.h
index 39bf824..c6e4353 100644
--- a/src/lib/crypto/arcfour/arcfour.h
+++ b/src/lib/crypto/arcfour/arcfour.h
@@ -25,10 +25,11 @@ krb5_error_code krb5_arcfour_decrypt(const struct krb5_enc_provider *,
 			const krb5_data *,
 			krb5_data *);
 
-extern krb5_error_code krb5_arcfour_string_to_key(
+extern krb5_error_code krb5int_arcfour_string_to_key(
      const struct krb5_enc_provider *,
      const krb5_data *,
      const krb5_data *,
+     const krb5_data *,
      krb5_keyblock *);
 
 extern const struct krb5_enc_provider krb5int_enc_arcfour;
diff --git a/src/lib/crypto/arcfour/string_to_key.c b/src/lib/crypto/arcfour/string_to_key.c
index 1fecd4d..2212d71 100644
--- a/src/lib/crypto/arcfour/string_to_key.c
+++ b/src/lib/crypto/arcfour/string_to_key.c
@@ -12,15 +12,16 @@ static void asctouni(unsigned char *unicode, unsigned char *ascii, size_t len)
 }
 
 krb5_error_code
-krb5_arcfour_string_to_key(enc, string, salt, key)
-	const struct krb5_enc_provider *enc;
-	const krb5_data *string;
-	const krb5_data *salt;
-	krb5_keyblock *key;
+krb5int_arcfour_string_to_key(const struct krb5_enc_provider *enc,
+			      const krb5_data *string, const krb5_data *salt,
+			      const krb5_data *params, krb5_keyblock *key)
 {
   size_t len,slen;
   unsigned char *copystr;
   krb5_MD4_CTX md4_context;
+
+  if (params != NULL)
+      return KRB5_ERR_BAD_S2K_PARAMS;
   
   if (key->length != 16)
     return (KRB5_BAD_MSIZE);
diff --git a/src/lib/crypto/dk/ChangeLog b/src/lib/crypto/dk/ChangeLog
index df04069..9ed3a8d 100644
--- a/src/lib/crypto/dk/ChangeLog
+++ b/src/lib/crypto/dk/ChangeLog
@@ -1,3 +1,9 @@
+2003-03-04  Ken Raeburn  <raeburn@mit.edu>
+
+	* stringtokey.c (krb5int_dk_string_to_key): Renamed from
+	krb5_... and added s2k-params argument.
+	* dk.h: Updated.
+
 2003-01-10  Ken Raeburn  <raeburn@mit.edu>
 
 	* Makefile.in: Add AC_SUBST_FILE marker for libobj_frag.
diff --git a/src/lib/crypto/dk/dk.h b/src/lib/crypto/dk/dk.h
index 8d4c497..0171016 100644
--- a/src/lib/crypto/dk/dk.h
+++ b/src/lib/crypto/dk/dk.h
@@ -45,10 +45,10 @@ krb5_error_code krb5_dk_decrypt
 		const krb5_data *ivec, const krb5_data *input,
 		krb5_data *arg_output);
 
-krb5_error_code krb5_dk_string_to_key
+krb5_error_code krb5int_dk_string_to_key
 (const struct krb5_enc_provider *enc, 
 		const krb5_data *string, const krb5_data *salt,
-		krb5_keyblock *key);
+		const krb5_data *params, krb5_keyblock *key);
 
 krb5_error_code krb5_derive_key
 (const struct krb5_enc_provider *enc,
diff --git a/src/lib/crypto/dk/stringtokey.c b/src/lib/crypto/dk/stringtokey.c
index a0bd344..be13ca4 100644
--- a/src/lib/crypto/dk/stringtokey.c
+++ b/src/lib/crypto/dk/stringtokey.c
@@ -30,11 +30,9 @@ static const unsigned char kerberos[] = "kerberos";
 #define kerberos_len (sizeof(kerberos)-1)
 
 krb5_error_code
-krb5_dk_string_to_key(enc, string, salt, key)
-     const struct krb5_enc_provider *enc;
-     const krb5_data *string;
-     const krb5_data *salt;
-     krb5_keyblock *key;
+krb5int_dk_string_to_key(const struct krb5_enc_provider *enc,
+			 const krb5_data *string, const krb5_data *salt,
+			 const krb5_data *parms, krb5_keyblock *key)
 {
     krb5_error_code ret;
     size_t keybytes, keylength, concatlen;
diff --git a/src/lib/crypto/etypes.c b/src/lib/crypto/etypes.c
index 6d8f50b..1cc570c 100644
--- a/src/lib/crypto/etypes.c
+++ b/src/lib/crypto/etypes.c
@@ -32,6 +32,7 @@
 #include "raw.h"
 #include "dk.h"
 #include "arcfour.h"
+#include "aes_s2k.h"
 
 /* these will be linear searched.  if they ever get big, a binary
    search or hash table would be better, which means these would need
@@ -44,82 +45,93 @@ const struct krb5_keytypes krb5_enctypes_list[] = {
       "des-cbc-crc", "DES cbc mode with CRC-32",
       &krb5int_enc_des, &krb5int_hash_crc32,
       krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
-      krb5_des_string_to_key },
+      krb5int_des_string_to_key },
     { ENCTYPE_DES_CBC_MD4,
       "des-cbc-md4", "DES cbc mode with RSA-MD4",
       &krb5int_enc_des, &krb5int_hash_md4,
       krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
-      krb5_des_string_to_key },
+      krb5int_des_string_to_key },
     { ENCTYPE_DES_CBC_MD5,
       "des-cbc-md5", "DES cbc mode with RSA-MD5",
       &krb5int_enc_des, &krb5int_hash_md5,
       krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
-      krb5_des_string_to_key },
+      krb5int_des_string_to_key },
     { ENCTYPE_DES_CBC_MD5,
       "des", "DES cbc mode with RSA-MD5", /* alias */
       &krb5int_enc_des, &krb5int_hash_md5,
       krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
-      krb5_des_string_to_key },
+      krb5int_des_string_to_key },
 
     { ENCTYPE_DES_CBC_RAW,
       "des-cbc-raw", "DES cbc mode raw",
       &krb5int_enc_des, NULL,
       krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt,
-      krb5_des_string_to_key },
+      krb5int_des_string_to_key },
     { ENCTYPE_DES3_CBC_RAW,
       "des3-cbc-raw", "Triple DES cbc mode raw",
       &krb5int_enc_des3, NULL,
       krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt,
-      krb5_dk_string_to_key },
+      krb5int_dk_string_to_key },
 
     { ENCTYPE_DES3_CBC_SHA1,
       "des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
       &krb5int_enc_des3, &krb5int_hash_sha1,
       krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
-      krb5_dk_string_to_key },
+      krb5int_dk_string_to_key },
     { ENCTYPE_DES3_CBC_SHA1,	/* alias */
       "des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
       &krb5int_enc_des3, &krb5int_hash_sha1,
       krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
-      krb5_dk_string_to_key },
+      krb5int_dk_string_to_key },
     { ENCTYPE_DES3_CBC_SHA1,	/* alias */
       "des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
       &krb5int_enc_des3, &krb5int_hash_sha1,
       krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
-      krb5_dk_string_to_key },
+      krb5int_dk_string_to_key },
 
     { ENCTYPE_DES_HMAC_SHA1,
       "des-hmac-sha1", "DES with HMAC/sha1",
       &krb5int_enc_des, &krb5int_hash_sha1,
       krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
-      krb5_dk_string_to_key },
+      krb5int_dk_string_to_key },
     { ENCTYPE_ARCFOUR_HMAC, 
       "arcfour-hmac","ArcFour with HMAC/md5", &krb5int_enc_arcfour,
       &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
-      krb5_arcfour_decrypt, krb5_arcfour_string_to_key },
+      krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
     { ENCTYPE_ARCFOUR_HMAC,  /* alias */
       "rc4-hmac", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
       &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
-      krb5_arcfour_decrypt, krb5_arcfour_string_to_key },
+      krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
     { ENCTYPE_ARCFOUR_HMAC,  /* alias */
       "arcfour-hmac-md5", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
       &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
-      krb5_arcfour_decrypt, krb5_arcfour_string_to_key },
+      krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
     { ENCTYPE_ARCFOUR_HMAC_EXP, 
       "arcfour-hmac-exp", "Exportable ArcFour with HMAC/md5",
       &krb5int_enc_arcfour,
       &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
-      krb5_arcfour_decrypt, krb5_arcfour_string_to_key },
+      krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
     { ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
       "rc4-hmac-exp", "Exportable ArcFour with HMAC/md5",
       &krb5int_enc_arcfour,
       &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
-      krb5_arcfour_decrypt, krb5_arcfour_string_to_key },
+      krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
     { ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
       "arcfour-hmac-md5-exp", "Exportable ArcFour with HMAC/md5",
       &krb5int_enc_arcfour,
       &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
-      krb5_arcfour_decrypt, krb5_arcfour_string_to_key },
+      krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+
+    { ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+      "aes128-cts-hmac-sha1-96", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
+      &krb5int_enc_aes128, &krb5int_hash_sha1,
+      krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
+      krb5int_aes_string_to_key },
+    { ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+      "aes256-cts-hmac-sha1-96", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
+      &krb5int_enc_aes256, &krb5int_hash_sha1,
+      krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
+      krb5int_aes_string_to_key },
 
 #ifdef ATHENA_DES3_KLUDGE
     /*
@@ -131,7 +143,7 @@ const struct krb5_keytypes krb5_enctypes_list[] = {
       "Triple DES with HMAC/sha1 and 32-bit length code",
       &krb5int_enc_des3, &krb5int_hash_sha1,
       krb5_marc_dk_encrypt_length, krb5_marc_dk_encrypt, krb5_marc_dk_decrypt,
-      krb5_dk_string_to_key },
+      krb5int_dk_string_to_key },
 #endif
 };
 
diff --git a/src/lib/crypto/old/ChangeLog b/src/lib/crypto/old/ChangeLog
index 0cdd659..c23b403 100644
--- a/src/lib/crypto/old/ChangeLog
+++ b/src/lib/crypto/old/ChangeLog
@@ -1,3 +1,9 @@
+2003-03-04  Ken Raeburn  <raeburn@mit.edu>
+
+	* des_stringtokey.c (krb5int_des_string_to_key): Renamed from
+	krb5_... and added s2k-params argument which must be null.
+	* old.h: Updated.
+
 2003-01-10  Ken Raeburn  <raeburn@mit.edu>
 
 	* Makefile.in: Add AC_SUBST_FILE marker for libobj_frag.
diff --git a/src/lib/crypto/old/des_stringtokey.c b/src/lib/crypto/old/des_stringtokey.c
index ee3e1d0..fd3440b 100644
--- a/src/lib/crypto/old/des_stringtokey.c
+++ b/src/lib/crypto/old/des_stringtokey.c
@@ -34,11 +34,14 @@ extern krb5_error_code mit_des_string_to_key_int
 		 const krb5_data * salt);
 
 krb5_error_code
-krb5_des_string_to_key(enc, string, salt, key)
+krb5int_des_string_to_key(enc, string, salt, parm, key)
      const struct krb5_enc_provider *enc;
      const krb5_data *string;
      const krb5_data *salt;
+     const krb5_data *parm;
      krb5_keyblock *key;
 {
+    if (parm != NULL)
+	return KRB5_ERR_BAD_S2K_PARAMS;
     return(mit_des_string_to_key_int(key, string, salt));
 }
diff --git a/src/lib/crypto/old/old.h b/src/lib/crypto/old/old.h
index b22b168..94ee642 100644
--- a/src/lib/crypto/old/old.h
+++ b/src/lib/crypto/old/old.h
@@ -45,7 +45,8 @@ krb5_error_code krb5_old_decrypt
 		const krb5_data *ivec, const krb5_data *input,
 		krb5_data *arg_output);
 
-krb5_error_code krb5_des_string_to_key
+krb5_error_code krb5int_des_string_to_key
 (const struct krb5_enc_provider *enc,
-		const krb5_data *string, const krb5_data *salt, 
+		const krb5_data *string, const krb5_data *salt,
+		const krb5_data *params,
 		krb5_keyblock *key);
diff --git a/src/lib/crypto/pbkdf2.c b/src/lib/crypto/pbkdf2.c
index d93b5b8..d8a3f8b 100644
--- a/src/lib/crypto/pbkdf2.c
+++ b/src/lib/crypto/pbkdf2.c
@@ -32,24 +32,12 @@
 #include "k5-int.h"
 #include "hash_provider.h"
 
-/* for k5-int.h */
-extern krb5_error_code
+/* Not exported, for now.  */
+static krb5_error_code
 krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *,
 				       krb5_data *),
 		size_t hlen, const krb5_data *pass, const krb5_data *salt,
-		unsigned long count, krb5_data *output);
-extern krb5_error_code
-krb5int_pbkdf2_hmac_sha1 (const krb5_data *out, unsigned long count,
-			  const krb5_data *pass, const krb5_data *salt);
-extern krb5_error_code
-krb5int_pbkdf2_hmac_sha1_128 (char *out, unsigned long count,
-			      const krb5_data *pass, const krb5_data *salt);
-extern krb5_error_code
-krb5int_pbkdf2_hmac_sha1_256 (char *out, unsigned long count,
-			      const krb5_data *pass, const krb5_data *salt);
-
-
-
+		unsigned long count, const krb5_data *output);
 
 static int debug_hmac = 0;
 
@@ -161,12 +149,12 @@ F(char *output, char *u_tmp1, char *u_tmp2,
     return 0;
 }
 
-krb5_error_code
+static krb5_error_code
 krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *,
 				       krb5_data *),
 		size_t hlen,
 		const krb5_data *pass, const krb5_data *salt,
-		unsigned long count, krb5_data *output)
+		unsigned long count, const krb5_data *output)
 {
     int l, r, i;
     char *utmp1, *utmp2;
@@ -258,23 +246,3 @@ krb5int_pbkdf2_hmac_sha1 (const krb5_data *out, unsigned long count,
 {
     return krb5int_pbkdf2 (foo, 20, pass, salt, count, out);
 }
-
-krb5_error_code
-krb5int_pbkdf2_hmac_sha1_128 (char *out, unsigned long count,
-			      const krb5_data *pass, const krb5_data *salt)
-{
-    krb5_data out_d;
-    out_d.data = out;
-    out_d.length = 16;
-    return krb5int_pbkdf2 (foo, 20, pass, salt, count, &out_d);
-}
-
-krb5_error_code
-krb5int_pbkdf2_hmac_sha1_256 (char *out, unsigned long count,
-			      const krb5_data *pass, const krb5_data *salt)
-{
-    krb5_data out_d;
-    out_d.data = out;
-    out_d.length = 32;
-    return krb5int_pbkdf2 (foo, 20, pass, salt, count, &out_d);
-}
diff --git a/src/lib/crypto/string_to_key.c b/src/lib/crypto/string_to_key.c
index f6ddf9d..cccfd1c 100644
--- a/src/lib/crypto/string_to_key.c
+++ b/src/lib/crypto/string_to_key.c
@@ -35,6 +35,19 @@ krb5_c_string_to_key(context, enctype, string, salt, key)
      const krb5_data *salt;
      krb5_keyblock *key;
 {
+    return krb5_c_string_to_key_with_params(context, enctype, string, salt,
+					    NULL, key);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_string_to_key_with_params(context, enctype, string, salt, params, key)
+     krb5_context context;
+     krb5_enctype enctype;
+     const krb5_data *string;
+     const krb5_data *salt;
+     const krb5_data *params;
+     krb5_keyblock *key;
+{
     int i;
     krb5_error_code ret;
     const struct krb5_enc_provider *enc;
@@ -59,7 +72,8 @@ krb5_c_string_to_key(context, enctype, string, salt, key)
     key->enctype = enctype;
     key->length = keylength;
 
-    if ((ret = ((*(krb5_enctypes_list[i].str2key))(enc, string, salt, key)))) {
+    ret = (*krb5_enctypes_list[i].str2key)(enc, string, salt, params, key);
+    if (ret) {
 	memset(key->contents, 0, keylength);
 	free(key->contents);
     }
diff --git a/src/lib/crypto/t_pkcs5.c b/src/lib/crypto/t_pkcs5.c
index 30e8574..db25528 100644
--- a/src/lib/crypto/t_pkcs5.c
+++ b/src/lib/crypto/t_pkcs5.c
@@ -49,7 +49,7 @@ static void test_pbkdf2_rfc3211()
 {
     char x[100];
     krb5_error_code err;
-    krb5_data d;
+    krb5_data d, pass, salt;
     int i;
 
     /* RFC 3211 test cases.  */
@@ -80,8 +80,11 @@ static void test_pbkdf2_rfc3211()
 	       t[i].count, t[i].len * 8, t[i].len, t[i].pass);
 
 	d.length = t[i].len;
-	err = krb5int_pbkdf2_hmac_sha1 (x, d.length, t[i].count,
-					t[i].pass, t[i].salt);
+	pass.data = t[i].pass;
+	pass.length = strlen(pass.data);
+	salt.data = t[i].salt;
+	salt.length = strlen(salt.data);
+	err = krb5int_pbkdf2_hmac_sha1 (&d, t[i].count, &pass, &salt);
 	if (err) {
 	    printf("error in computing pbkdf2: %s\n", error_message(err));
 	    exit(1);
diff --git a/src/lib/crypto/vectors.c b/src/lib/crypto/vectors.c
index b5ca63e..20c5d7c 100644
--- a/src/lib/crypto/vectors.c
+++ b/src/lib/crypto/vectors.c
@@ -136,7 +136,7 @@ test_mit_des_s2k ()
 	printf ("\npassword: %-25s", buf);
 	printhex (strlen(p), p);
 	printf ("\n");
-	r = krb5_des_string_to_key (0, &pd, &sd, &key);
+	r = krb5int_des_string_to_key (0, &pd, &sd, 0, &key);
 	printf (  "DES key:  %-25s", "");
 	printhex (key.length, key.contents);
 	printf ("\n\n");