Restructure the crypto checksum implementation to minimize

dependencies on the internals of modules.

* Keyhash providers are gone.
* The cksumtypes table contains checksum and verify functions,
  similar to the etypes encrypt and decrypt functions.  New checksum
  functions parallel the old keyhash providers, and there are also
  functions for unkeyed and derived-key HMAC checksums.
* The flags field is now used to indicate whether a checksum is
  unkeyed, but not whether it is a derived-key HMAC checksum.
* The descbc checksum is handled through a new enc_provider function
  which calculates a CBC MAC.

The OpenSSL module does not implement the CBC MAC function (it didn't
implement descbc before).  builtin/des could probably get rid of
f_cksum.c (the old DES CBC routine) with some alterations to
string2key.c.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23462 dc483132-0cff-0310-8789-dd5450dbe970

3 files changed, 25 insertions, 32 deletions

diff --git a/src/lib/crypto/krb/dk/checksum.c b/src/lib/crypto/krb/dk/checksum.c
index dee4f47..3dbde10 100644
--- a/src/lib/crypto/krb/dk/checksum.c
+++ b/src/lib/crypto/krb/dk/checksum.c
@@ -28,15 +28,15 @@
 #include "k5-int.h"
 #include "etypes.h"
 #include "dk.h"
-#include "aead.h"
+#include "cksumtypes.h"
 
 #define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */
 
 krb5_error_code
-krb5int_dk_make_checksum(const struct krb5_hash_provider *hash,
-                         krb5_key key, krb5_keyusage usage,
-                         const krb5_crypto_iov *data, size_t num_data,
-                         krb5_data *output)
+krb5int_dk_checksum(const struct krb5_cksumtypes *ctp,
+                    krb5_key key, krb5_keyusage usage,
+                    const krb5_crypto_iov *data, size_t num_data,
+                    krb5_data *output)
 {
     const struct krb5_keytypes *ktp;
     const struct krb5_enc_provider *enc;
@@ -45,32 +45,24 @@ krb5int_dk_make_checksum(const struct krb5_hash_provider *hash,
     krb5_data datain;
     krb5_key kc;
 
+    /* Use the key's enctype (more flexible than setting an enctype in ctp). */
     ktp = find_enctype(key->keyblock.enctype);
     if (ktp == NULL)
         return KRB5_BAD_ENCTYPE;
     enc = ktp->enc;
-
-    /*
-     * key->length will be tested in enc->encrypt.
-     * output->length will be tested in krb5int_hmac.
-     */
+    if (key->keyblock.length != enc->keylength)
+        return KRB5_BAD_KEYSIZE;
 
     /* Derive the key. */
-
-    datain.data = (char *) constantdata;
-    datain.length = K5CLENGTH;
-
+    datain = make_data(constantdata, K5CLENGTH);
     store_32_be(usage, constantdata);
-
-    datain.data[4] = (char) 0x99;
-
+    constantdata[4] = (char) 0x99;
     ret = krb5int_derive_key(enc, key, &kc, &datain);
     if (ret)
         return ret;
 
     /* Hash the data. */
-
-    ret = krb5int_hmac(hash, kc, data, num_data, output);
+    ret = krb5int_hmac(ctp->hash, kc, data, num_data, output);
     if (ret)
         memset(output->data, 0, output->length);
 
diff --git a/src/lib/crypto/krb/dk/deps b/src/lib/crypto/krb/dk/deps
index 1fa446a..029fe6a 100644
--- a/src/lib/crypto/krb/dk/deps
+++ b/src/lib/crypto/krb/dk/deps
@@ -4,15 +4,15 @@
 checksum.so checksum.po $(OUTPRE)checksum.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
-  $(COM_ERR_DEPS) $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h \
-  $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
-  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
-  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
-  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
-  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
-  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
-  $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
-  $(top_srcdir)/include/socket-utils.h checksum.c dk.h
+  $(COM_ERR_DEPS) $(srcdir)/../cksumtypes.h $(srcdir)/../etypes.h \
+  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+  checksum.c dk.h
 dk_aead.so dk_aead.po $(OUTPRE)dk_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../aead.h \
diff --git a/src/lib/crypto/krb/dk/dk.h b/src/lib/crypto/krb/dk/dk.h
index 5e00268..0fdd984 100644
--- a/src/lib/crypto/krb/dk/dk.h
+++ b/src/lib/crypto/krb/dk/dk.h
@@ -27,6 +27,7 @@
 
 #include "k5-int.h"
 #include "etypes.h"
+#include "cksumtypes.h"
 
 unsigned int
 krb5int_dk_crypto_length(const struct krb5_keytypes *ktp,
@@ -69,10 +70,10 @@ krb5int_derive_key(const struct krb5_enc_provider *enc,
                    const krb5_data *in_constant);
 
 krb5_error_code
-krb5int_dk_make_checksum(const struct krb5_hash_provider *hash,
-                         krb5_key key, krb5_keyusage usage,
-                         const krb5_crypto_iov *data, size_t num_data,
-                         krb5_data *output);
+krb5int_dk_checksum(const struct krb5_cksumtypes *ctp,
+                    krb5_key key, krb5_keyusage usage,
+                    const krb5_crypto_iov *data, size_t num_data,
+                    krb5_data *output);
 
 krb5_error_code
 krb5int_derive_random(const struct krb5_enc_provider *enc,