export list symbols

Nicolas Williams Nicolas.Williams at sun.com
Tue Oct 20 11:08:21 EDT 2009

On Tue, Oct 20, 2009 at 10:39:05AM -0400, Zhanna Tsitkova wrote:
> As part of the crypto modularity effort I have done  a simple analysis
> of libk5crypto.export list and suggest to remove some of the symbols
> from this list. It may be done without hurting the kerb libs (link)
> integrity reducing the number of the symbols from ~160  to ~70. The
> attached libk5crypto.export_extras contains the list of the candidates
> for the removal. The updated libk5crypto.exports is also attached. 
> Also, I suggest to rename the following APIs by prefixing them
> krb5int_ instead of krb5_ as these functions do not belong to the
> public API group. 

How do you know this?  There may be third party apps that do use these
symbols, even if that seems wrong.  Some interfaces may be legacy; some
should never have been exported but were.

> krb5_c_weak_enctype

I don't know what krb5_c_weak_enctype() does, but it sounds potentially

At least these

> krb5_nfold
> krb5_derive_key
> krb5_derive_random

seems like public interfaces: any function that seems private, but
which actually implements an interface from RFC3961 should be public
since there may be krb5 applications and/or plugins that need them.
Pre-auth and other plugins definitely have a legitimate need to use
RFC3961 interfaces, but "raw" krb5 apps too have a legitimate need to
use those.


> krb5_encrypt_data
> krb5_hmac
> krb5_arcfour_decrypt krb5_arcfour_encrypt krb5_arcfour_encrypt_length
> krb5_cksumtypes_length krb5_cksumtypes_list
> krb5_decrypt_data
> krb5_dk_decrypt krb5_dk_encrypt krb5_dk_encrypt_length krb5_dk_make_checksum 
> krb5_enctypes_length krb5_enctypes_list
> krb5_MD4Final krb5_MD4Init krb5_MD4Update
> krb5_MD5Final krb5_MD5Init krb5_MD5Update
> krb5_old_decrypt krb5_old_encrypt krb5_old_encrypt_length
> krb5_random_confounder
> krb5_raw_decrypt krb5_raw_encrypt

sure look like they are not intended for applications, or worse, legacy,
but I've not looked carefully at which might be RFC3961 interfaces.


More information about the krbdev mailing list