extending MIT krb5 string-to-key API

Ken Raeburn raeburn at MIT.EDU
Wed Mar 5 19:37:18 EST 2003

Our current string-to-key API consists of these two functions:

    krb5_error_code KRB5_CALLCONV
    krb5_c_string_to_key
        (krb5_context context, krb5_enctype enctype,
                        const krb5_data *string, const krb5_data *salt,
                        krb5_keyblock *key);

    #ifdef KRB5_OLD_CRYPTO
    krb5_error_code KRB5_CALLCONV krb5_string_to_key
            (krb5_context context,
                    const krb5_encrypt_block * eblock,
                    krb5_keyblock * keyblock,
                    const krb5_data * data,
                    const krb5_data * salt);
    #endif

Neither has a hook for the new "string-to-key parameters" we need to
add to implement AES, unless we want to do ugly things with the

Unless there are objections or better suggestions, I'll add this new
function to krb5.h and krb5_32.def.  (Is the current Mac export list
in the krb5 tree or the kfm tree?)  I don't plan to update the

    krb5_error_code KRB5_CALLCONV
    krb5_c_string_to_key_with_params(krb5_context context,
                                     krb5_enctype enctype,
                                     const krb5_data *string,
                                     const krb5_data *salt,
                                     const krb5_data *params,
                                     krb5_keyblock *key);

Since we've cast the existing API into stone now, I won't remove or
change krb5_c_string_to_key, but it's now the wrong thing for any code
to call that wants to get the user's real Kerberos key.  Comments?

