export list symbols

Nicolas Williams Nicolas.Williams at sun.com
Tue Oct 20 11:08:21 EDT 2009 

On Tue, Oct 20, 2009 at 10:39:05AM -0400, Zhanna Tsitkova wrote:
> As part of the crypto modularity effort I have done  a simple analysis
> of libk5crypto.export list and suggest to remove some of the symbols
> from this list. It may be done without hurting the kerb libs (link)
> integrity reducing the number of the symbols from ~160  to ~70. The
> attached libk5crypto.export_extras contains the list of the candidates
> for the removal. The updated libk5crypto.exports is also attached. 
> 
> Also, I suggest to rename the following APIs by prefixing them
> krb5int_ instead of krb5_ as these functions do not belong to the
> public API group. 

How do you know this?  There may be third party apps that do use these
symbols, even if that seems wrong.  Some interfaces may be legacy; some
should never have been exported but were.

> krb5_c_weak_enctype

I don't know what krb5_c_weak_enctype() does, but it sounds potentially
useful.

At least these

> krb5_nfold
> krb5_derive_key
> krb5_derive_random

seems like public interfaces: any function that seems private, but
which actually implements an interface from RFC3961 should be public
since there may be krb5 applications and/or plugins that need them.
Pre-auth and other plugins definitely have a legitimate need to use
RFC3961 interfaces, but "raw" krb5 apps too have a legitimate need to
use those.

These:

> krb5_encrypt_data
> krb5_hmac
> krb5_arcfour_decrypt krb5_arcfour_encrypt krb5_arcfour_encrypt_length
> krb5_cksumtypes_length krb5_cksumtypes_list
> krb5_decrypt_data
> krb5_dk_decrypt krb5_dk_encrypt krb5_dk_encrypt_length krb5_dk_make_checksum 
> krb5_enctypes_length krb5_enctypes_list
> krb5_MD4Final krb5_MD4Init krb5_MD4Update
> krb5_MD5Final krb5_MD5Init krb5_MD5Update
> krb5_old_decrypt krb5_old_encrypt krb5_old_encrypt_length
> krb5_random_confounder
> krb5_raw_decrypt krb5_raw_encrypt

sure look like they are not intended for applications, or worse, legacy,
but I've not looked carefully at which might be RFC3961 interfaces.

Nico
--

More information about the krbdev mailing list