authorGreg Hudson <ghudson@mit.edu>2021-09-27 13:38:10 -0400
committerGreg Hudson <ghudson@mit.edu>2021-10-12 10:44:07 -0400
commitc5b413c3d59725c4e3c9b041e480f102f2188c63 (patch)
treeedf0d26369c0a33ad3b0ac3f3d76d8f792bc6b7f /src/include/krb5/krb5.hin
parentb5efdddd503020c2b64ccf9c30bb09117035f3ce (diff)
Always use platform PRNG
Remove the fortuna and device PRNG modules and PRNG modularity, and move the prng_os implementation into prng.c. Remove the crypto_mod.h requirement to implement failure-free AES256 and SHA256. Deprecate krb5_c_random_add_entropy() and krb5_c_random_os_entropy() and remove their call sites. Deprecate and ignore the -W (weak random) option to kadmind and kdb5_util create, and stop using it in the test suite. ticket: 9032 (new)
Diffstat (limited to 'src/include/krb5/krb5.hin')
-rw-r--r--src/include/krb5/krb5.hin58
1 files changed, 10 insertions, 48 deletions
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 7017837..d083b92 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -464,27 +464,14 @@ typedef struct _krb5_crypto_iov {
#define CKSUMTYPE_MD5_HMAC_ARCFOUR -137 /* Microsoft netlogon */
#define CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /**< RFC 4757 */
-/*
- * The following are entropy source designations. Whenever
- * krb5_C_random_add_entropy is called, one of these source ids is passed in.
- * This allows the library to better estimate bits of entropy in the sample and
- * to keep track of what sources of entropy have contributed enough entropy.
- * Sources marked internal MUST NOT be used by applications outside the
- * Kerberos library
- */
-
+/* Constants for the deprecated krb5_c_random_add_entropy() */
enum {
- KRB5_C_RANDSOURCE_OLDAPI = 0, /*calls to krb5_C_RANDOM_SEED (INTERNAL)*/
- KRB5_C_RANDSOURCE_OSRAND = 1, /* /dev/random or equivalent (internal)*/
- KRB5_C_RANDSOURCE_TRUSTEDPARTY = 2, /* From KDC or other trusted party*/
- /*
- * This source should be used carefully; data in this category
- * should be from a third party trusted to give random bits
- * For example keys issued by the KDC in the application server.
- */
- KRB5_C_RANDSOURCE_TIMING = 3, /* Timing of operations*/
- KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL = 4, /*Protocol data possibly from attacker*/
- KRB5_C_RANDSOURCE_MAX = 5 /*Do not use; maximum source ID*/
+ KRB5_C_RANDSOURCE_OLDAPI = 0,
+ KRB5_C_RANDSOURCE_OSRAND = 1,
+ KRB5_C_RANDSOURCE_TRUSTEDPARTY = 2,
+ KRB5_C_RANDSOURCE_TIMING = 3,
+ KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL = 4,
+ KRB5_C_RANDSOURCE_MAX = 5
};
#ifndef krb5_roundup
@@ -765,19 +752,7 @@ krb5_error_code KRB5_CALLCONV
krb5_c_random_to_key(krb5_context context, krb5_enctype enctype,
krb5_data *random_data, krb5_keyblock *k5_random_key);
-/**
- * Add entropy to the pseudo-random number generator.
- *
- * @param [in] context Library context
- * @param [in] randsource Entropy source (see KRB5_RANDSOURCE types)
- * @param [in] data Data
- *
- * Contribute entropy to the PRNG used by krb5 crypto operations. This may or
- * may not affect the output of the next crypto operation requiring random
- * data.
- *
- * @retval 0 Success; otherwise - Kerberos error codes
- */
+/** @deprecated This call is no longer necessary. */
krb5_error_code KRB5_CALLCONV
krb5_c_random_add_entropy(krb5_context context, unsigned int randsource,
const krb5_data *data);
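Review bot: The replacement comment on the `+/** @deprecated This call is no longer necessary. */` line drops the `@retval` contract, so a caller still built against this public header cannot tell whether krb5_c_random_add_entropy() now returns 0 unconditionally or can still fail. Given the commit description ("Always use platform PRNG"), the comment should also say whether the supplied data still influences generated random bytes, since applications that mixed in trusted-party material via KRB5_C_RANDSOURCE_TRUSTEDPARTY need to know the call has become a no-op for their threat model — presumably it has, but that should be confirmed against the new prng.c. A comment along the lines of `/** @deprecated This call is no longer necessary; the library always draws from the platform PRNG and does not use the supplied data. @retval 0 Success */` would cover both. The same omission applies to the os_entropy and seed comments in the next hunk, where the os_entropy one should additionally state what `*success` is set to, because the old doc promised "1 if OS provides entropy, 0 otherwise" and existing callers may branch on it.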
@@ -797,24 +772,11 @@ krb5_c_random_add_entropy(krb5_context context, unsigned int randsource,
krb5_error_code KRB5_CALLCONV
krb5_c_random_make_octets(krb5_context context, krb5_data *data);
-/**
- * Collect entropy from the OS if possible.
- *
- * @param [in] context Library context
- * @param [in] strong Strongest available source of entropy
- * @param [out] success 1 if OS provides entropy, 0 otherwise
- *
- * If @a strong is non-zero, this function attempts to use the strongest
- * available source of entropy. Setting this flag may cause the function to
- * block on some operating systems. Good uses include seeding the PRNG for
- * kadmind and realm setup.
- *
- * @retval 0 Success; otherwise - Kerberos error codes
- */
+/** @deprecated This call is no longer necessary. */
krb5_error_code KRB5_CALLCONV
krb5_c_random_os_entropy(krb5_context context, int strong, int *success);
-/** @deprecated Replaced by krb5_c_* API family. */
+/** @deprecated This call is no longer necessary. */
krb5_error_code KRB5_CALLCONV
krb5_c_random_seed(krb5_context context, krb5_data *data);