authorGreg Hudson <ghudson@mit.edu>2009-12-10 17:10:10 +0000
committerGreg Hudson <ghudson@mit.edu>2009-12-10 17:10:10 +0000
commitbad149c2a94f20df57f9d51810aff23aeb0921a4 (patch)
tree9a023564d65fe8c46bcc330f950b37b919599c03 /src/lib/crypto/krb/make_checksum_iov.c
parent009463e22f989a287835228459487c64dcb0b8b3 (diff)
Restructure the crypto checksum implementation to minimize
dependencies on the internals of modules. * Keyhash providers are gone. * The cksumtypes table contains checksum and verify functions, similar to the etypes encrypt and decrypt functions. New checksum functions parallel the old keyhash providers, and there are also functions for unkeyed and derived-key HMAC checksums. * The flags field is now used to indicate whether a checksum is unkeyed, but not whether it is a derived-key HMAC checksum. * The descbc checksum is handled through a new enc_provider function which calculates a CBC MAC. The OpenSSL module does not implement the CBC MAC function (it didn't implement descbc before). builtin/des could probably get rid of f_cksum.c (the old DES CBC routine) with some alterations to string2key.c. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23462 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/crypto/krb/make_checksum_iov.c')
-rw-r--r--src/lib/crypto/krb/make_checksum_iov.c47
1 files changed, 17 insertions, 30 deletions
diff --git a/src/lib/crypto/krb/make_checksum_iov.c b/src/lib/crypto/krb/make_checksum_iov.c
index 9ac70f5..dcffa48 100644
--- a/src/lib/crypto/krb/make_checksum_iov.c
+++ b/src/lib/crypto/krb/make_checksum_iov.c
@@ -37,50 +37,37 @@ krb5_k_make_checksum_iov(krb5_context context,
krb5_crypto_iov *data,
size_t num_data)
{
- unsigned int i;
- size_t cksumlen;
krb5_error_code ret;
krb5_data cksum_data;
krb5_crypto_iov *checksum;
const struct krb5_cksumtypes *ctp;
- for (i = 0; i < krb5int_cksumtypes_length; i++) {
- if (krb5int_cksumtypes_list[i].ctype == cksumtype)
- break;
- }
- if (i == krb5int_cksumtypes_length)
+ ctp = find_cksumtype(cksumtype);
+ if (ctp == NULL)
return KRB5_BAD_ENCTYPE;
- ctp = &krb5int_cksumtypes_list[i];
- if (ctp->keyhash != NULL)
- cksum_data.length = ctp->keyhash->hashsize;
- else
- cksum_data.length = ctp->hash->hashsize;
-
- if (ctp->trunc_size != 0)
- cksumlen = ctp->trunc_size;
- else
- cksumlen = cksum_data.length;
+ ret = verify_key(ctp, key);
+ if (ret != 0)
+ return ret;
checksum = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_CHECKSUM);
- if (checksum == NULL || checksum->data.length < cksumlen)
+ if (checksum == NULL || checksum->data.length < ctp->output_size)
return(KRB5_BAD_MSIZE);
- cksum_data.data = malloc(cksum_data.length);
- if (cksum_data.data == NULL)
- return(ENOMEM);
+ ret = alloc_data(&cksum_data, ctp->compute_size);
+ if (ret != 0)
+ return ret;
- ret = krb5int_c_make_checksum_iov(&krb5int_cksumtypes_list[i],
- key, usage, data, num_data,
- &cksum_data);
- if (ret == 0) {
- memcpy(checksum->data.data, cksum_data.data, cksumlen);
- checksum->data.length = cksumlen;
- }
+ ret = ctp->checksum(ctp, key, usage, data, num_data, &cksum_data);
+ if (ret != 0)
+ goto cleanup;
- free(cksum_data.data);
+ memcpy(checksum->data.data, cksum_data.data, ctp->output_size);
+ checksum->data.length = ctp->output_size;
- return(ret);
+cleanup:
+ zapfree(cksum_data.data, ctp->compute_size);
+ return ret;
}
krb5_error_code KRB5_CALLCONV
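Review bot: The `memcpy` of `ctp->output_size` bytes out of `cksum_data` relies on every cksumtypes entry having `output_size <= compute_size`, and nothing in this function checks that; the table itself is not visible in this hunk. The buffer is allocated with `ctp->compute_size`, so an entry that broke the invariant would make the copy read past the allocation and place adjacent heap bytes in the caller's checksum buffer. A cheap guard right after the `KRB5_BAD_MSIZE` check would make the assumption explicit: `if (ctp->output_size > ctp->compute_size) return KRB5_CRYPTO_INTERNAL;`. If the invariant is enforced elsewhere, a one-line comment above the `memcpy` saying so (`/* cksumtypes entries guarantee output_size <= compute_size */`) would be enough. The function's signature begins above the hunk, so this is based only on the body shown here.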