authorMarc Horowitz <marc@mit.edu>1998-10-30 02:56:35 +0000
committerMarc Horowitz <marc@mit.edu>1998-10-30 02:56:35 +0000
commit1440ab035ba04550ddbbfbff1ee9b5571e3d95db (patch)
tree9d5e8d2e151a930e044c7d0f7c64053d244577a0 /src/include
parent61ddbf948ba6ee70c1bc049268c3dfa73bc9983e (diff)
pull up 3des implementation from the marc-3des branch
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11001 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include')
-rw-r--r--src/include/ChangeLog18
-rw-r--r--src/include/k5-int.h173
-rw-r--r--src/include/kerberosIV/ChangeLog6
-rw-r--r--src/include/kerberosIV/krb_db.h2
-rw-r--r--src/include/krb5.hin203
-rw-r--r--src/include/krb5/ChangeLog5
-rw-r--r--src/include/krb5/kdb.h46
-rw-r--r--src/include/krb5/kdb_dbc.h28
8 files changed, 424 insertions, 57 deletions
diff --git a/src/include/ChangeLog b/src/include/ChangeLog
index b3c8848e00..d66def009e 100644
--- a/src/include/ChangeLog
+++ b/src/include/ChangeLog
@@ -1,3 +1,21 @@
+1998-10-26 Marc Horowitz <marc@mit.edu>
+
+ * krb5.hin: add new interfaces for new crypto API and key
+ derivation/key usage. Add new (krb5_get_permitted_enctypes,
+ krb5_is_permitted_enctype) api for querying permitted etypes from
+ krb5.conf, and new auth_context flag
+ (KRB5_AUTH_CONTEXT_PERMIT_ALL) to override this. Fix bug in
+ krb5_kt_get_type.
+
+ * k5-int.h: make changes related to new crypto API and key
+ derivation/key usage
+
+Tue Sep 1 19:32:33 1998 Tom Yu <tlyu@mit.edu>
+
+ * krb5.hin: Add ENCTYPE_LOCAL_DES3_HMAC_SHA1, in order to deal
+ with marc's current des3 cryptosystem until we figure out what
+ we're actually going to use for a standardized cryptosystem.
+
Wed Jul 1 19:14:25 1998 Theodore Y. Ts'o <tytso@mit.edu>
* win-mac.h: Make size_t to be an unsigned long instead of
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index db82e0266e..fa8824c49e 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -34,6 +34,33 @@
* documentation shall at all times remain with M.I.T., and USER agrees to
* preserve same.
*/
+
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
/*
* This prototype for k5-int.h (Krb5 internals include file)
* includes the user-visible definitions from krb5.h and then
@@ -152,6 +179,8 @@ typedef unsigned char u_char;
#define labs(x) abs(x)
#endif
+/* #define KRB5_OLD_CRYPTO is done in krb5.h */
+
#endif /* KRB5_CONFIG__ */
/*
@@ -500,11 +529,125 @@ void krb5_os_free_context
krb5_error_code krb5_find_config_files
KRB5_PROTOTYPE(());
+#endif /* KRB5_LIBOS_PROTO__ */
+
+/* new encryption provider api */
+
+struct krb5_enc_provider {
+ void (*block_size) KRB5_NPROTOTYPE
+ ((size_t *output));
+
+ /* keybytes is the input size to make_key;
+ keylength is the output size */
+ void (*keysize) KRB5_NPROTOTYPE
+ ((size_t *keybytes, size_t *keylength));
+
+ /* ivec == 0 is an all-zeros ivec */
+ krb5_error_code (*encrypt) KRB5_NPROTOTYPE
+ ((krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
+ krb5_const krb5_data *input, krb5_data *output));
+
+ krb5_error_code (*decrypt) KRB5_NPROTOTYPE
+ ((krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
+ krb5_const krb5_data *input, krb5_data *output));
+
+ krb5_error_code (*make_key) KRB5_NPROTOTYPE
+ ((krb5_const krb5_data *randombits, krb5_keyblock *key));
+};
+
+struct krb5_hash_provider {
+ void (*hash_size) KRB5_NPROTOTYPE
+ ((size_t *output));
+
+ void (*block_size) KRB5_NPROTOTYPE
+ ((size_t *output));
+
+ /* this takes multiple inputs to avoid lots of copying. */
+ krb5_error_code (*hash) KRB5_NPROTOTYPE
+ ((unsigned int icount, krb5_const krb5_data *input, krb5_data *output));
+};
+
+struct krb5_keyhash_provider {
+ void (*hash_size) KRB5_NPROTOTYPE
+ ((size_t *output));
+
+ krb5_error_code (*hash) KRB5_NPROTOTYPE
+ ((krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
+ krb5_const krb5_data *input, krb5_data *output));
+
+ krb5_error_code (*verify) KRB5_NPROTOTYPE
+ ((krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
+ krb5_const krb5_data *input, krb5_const krb5_data *hash,
+ krb5_boolean *valid));
+};
+
+typedef void (*krb5_encrypt_length_func) KRB5_NPROTOTYPE
+((krb5_const struct krb5_enc_provider *enc,
+ krb5_const struct krb5_hash_provider *hash,
+ size_t inputlen, size_t *length));
+
+typedef krb5_error_code (*krb5_crypt_func) KRB5_NPROTOTYPE
+((krb5_const struct krb5_enc_provider *enc,
+ krb5_const struct krb5_hash_provider *hash,
+ krb5_const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_const krb5_data *ivec,
+ krb5_const krb5_data *input, krb5_data *output));
+
+typedef krb5_error_code (*krb5_str2key_func) KRB5_NPROTOTYPE
+((krb5_const struct krb5_enc_provider *enc, krb5_const krb5_data *string,
+ krb5_const krb5_data *salt, krb5_keyblock *key));
+
+struct krb5_keytypes {
+ krb5_enctype etype;
+ char *in_string;
+ char *out_string;
+ struct krb5_enc_provider *enc;
+ struct krb5_hash_provider *hash;
+ krb5_encrypt_length_func encrypt_len;
+ krb5_crypt_func encrypt;
+ krb5_crypt_func decrypt;
+ krb5_str2key_func str2key;
+};
+
+struct krb5_cksumtypes {
+ krb5_cksumtype ctype;
+ unsigned int flags;
+ char *in_string;
+ char *out_string;
+ /* if the hash is keyed, this is the etype it is keyed with.
+ Actually, it can be keyed by any etype which has the same
+ enc_provider as the specified etype. DERIVE checksums can
+ be keyed with any valid etype. */
+ krb5_enctype keyed_etype;
+ /* I can't statically initialize a union, so I'm just going to use
+ two pointers here. The keyhash is used if non-NULL. If NULL,
+ then HMAC/hash with derived keys is used if the relevant flag
+ is set. Otherwise, a non-keyed hash is computed. This is all
+ kind of messy, but so is the krb5 api. */
+ struct krb5_keyhash_provider *keyhash;
+ struct krb5_hash_provider *hash;
+};
+
+#define KRB5_CKSUMFLAG_DERIVE 0x0001
+#define KRB5_CKSUMFLAG_NOT_COLL_PROOF 0x0002
/*
- * in here to deal with stuff from lib/crypto/os
+ * in here to deal with stuff from lib/crypto
*/
+void krb5_nfold
+KRB5_PROTOTYPE((int inbits, krb5_const unsigned char *in,
+ int outbits, unsigned char *out));
+
+krb5_error_code krb5_hmac
+KRB5_PROTOTYPE((krb5_const struct krb5_hash_provider *hash,
+ krb5_const krb5_keyblock *key, unsigned int icount,
+ krb5_const krb5_data *input, krb5_data *output));
+
+
+#ifdef KRB5_OLD_CRYPTO
+/* old provider api */
+
typedef struct _krb5_cryptosystem_entry {
krb5_magic magic;
krb5_error_code (*encrypt_func) KRB5_NPROTOTYPE(( krb5_const_pointer /* in */,
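Review bot: The dispatch tables `struct krb5_keytypes` and `struct krb5_cksumtypes` hold their provider pointers and name strings as mutable members (`struct krb5_enc_provider *enc`, `char *in_string`), although every function typedef in this hunk receives the providers as `krb5_const`. Declaring them `krb5_const struct krb5_enc_provider *enc;`, `krb5_const struct krb5_hash_provider *hash;` and `krb5_const struct krb5_keyhash_provider *keyhash;` would allow the static tables and the function-pointer structs they reference to live in read-only data, so a stray write cannot redirect an encrypt or verify callback. Separately, the provider callbacks write through `krb5_data *output` with no statement of who allocates the buffer or how its capacity is passed in; a one-line comment per struct stating that contract would help implementers avoid overruns.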
@@ -573,23 +716,6 @@ typedef struct _krb5_checksum_entry {
unsigned int uses_key:1;
} krb5_checksum_entry;
-
-/* This array is indexed by encryption type */
-extern krb5_cs_table_entry * NEAR krb5_csarray[];
-extern int krb5_max_cryptosystem;
-
-/* This array is indexed by key type */
-extern krb5_cs_table_entry * NEAR krb5_enctype_array[];
-extern krb5_enctype krb5_max_enctype;
-
-/* This array is indexed by checksum type */
-extern krb5_checksum_entry * NEAR krb5_cksumarray[];
-extern krb5_cksumtype krb5_max_cksum;
-
-KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_random_confounder
- KRB5_PROTOTYPE((size_t,
- krb5_pointer ));
-
krb5_error_code krb5_crypto_os_localaddr
KRB5_PROTOTYPE((krb5_address ***));
@@ -599,7 +725,15 @@ krb5_error_code krb5_crypto_us_timeofday
time_t gmt_mktime KRB5_PROTOTYPE((struct tm *));
-#endif /* KRB5_LIBOS_PROTO__ */
+#endif /* KRB5_OLD_CRYPTO */
+
+/* this helper fct is in libkrb5, but it makes sense declared here. */
+
+krb5_error_code krb5_encrypt_helper
+KRB5_PROTOTYPE((krb5_context context, krb5_const krb5_keyblock *key,
+ krb5_keyusage usage, krb5_const krb5_data *plain,
+ krb5_enc_data *cipher));
+
/*
* End "los-proto.h"
*/
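Review bot: The new `#endif /* KRB5_OLD_CRYPTO */` closes after the prototypes for `krb5_crypto_os_localaddr`, `krb5_crypto_us_timeofday` and `gmt_mktime`, so these OS helpers are now declared only while the old crypto API is enabled. They are not part of the old provider tables, and once `KRB5_OLD_CRYPTO` stops being defined their callers would fall back to implicit declarations, which means an `int` return for `gmt_mktime` although it is declared as `time_t`. Moving the `#endif` up to directly after the `krb5_checksum_entry` typedef would keep them unconditional. The lines between the two hunks are not visible here, so confirm that nothing else in that range needs the same treatment.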
@@ -1201,6 +1335,7 @@ krb5_error_code krb5_encode_kdc_rep
KRB5_PROTOTYPE((krb5_context,
krb5_const krb5_msgtype,
krb5_const krb5_enc_kdc_rep_part *,
+ int using_subkey,
krb5_const krb5_keyblock *,
krb5_kdc_rep *,
krb5_data ** ));
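Review bot: The added `int using_subkey` is the only named parameter in this prototype, and nothing says what a non-zero value selects. It is inserted between pointer parameters in an otherwise unnamed list, so on builds where `KRB5_PROTOTYPE` expands to an empty parameter list a caller that was not updated would compile without a diagnostic and pass the keyblock in the wrong position. A comment such as `/* nonzero if the reply is encrypted in the request's subkey rather than the session key */` would help, to be confirmed against the implementation. The prototype starts above the hunk.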
diff --git a/src/include/kerberosIV/ChangeLog b/src/include/kerberosIV/ChangeLog
index 85f624b066..0ecf2b09e7 100644
--- a/src/include/kerberosIV/ChangeLog
+++ b/src/include/kerberosIV/ChangeLog
@@ -1,3 +1,9 @@
+Thu Sep 17 18:23:26 1998 Tom Yu <tlyu@mit.edu>
+
+ * krb_db.h: ifdef out the declarations for kerb_get_* and
+ kerb_db_* to avoid problems with krb4 compat code in the kdc,
+ which declares some of these static.
+
Wed Feb 18 15:51:41 1998 Tom Yu <tlyu@mit.edu>
* Makefile.in: Remove trailing slash from thisconfigdir. Fix up
diff --git a/src/include/kerberosIV/krb_db.h b/src/include/kerberosIV/krb_db.h
index 4925137c43..dc2265d960 100644
--- a/src/include/kerberosIV/krb_db.h
+++ b/src/include/kerberosIV/krb_db.h
@@ -104,11 +104,13 @@ typedef struct {
}
Dba;
+#if 0
extern int kerb_get_principal();
extern int kerb_put_principal();
extern int kerb_db_get_stat();
extern int kerb_db_put_stat();
extern int kerb_get_dba();
extern int kerb_db_get_dba();
+#endif
#endif /* KRB_DB_DEFS */
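Review bot: The `#if 0` around the `kerb_get_*` / `kerb_db_*` declarations carries no explanation in the header itself; the reason is recorded only in the ChangeLog entry. Add a comment above it, for example `/* disabled: the KDC's krb4 compat code declares some of these static */`, or delete the declarations outright if no other consumer needs them. With the declarations compiled out, any remaining caller gets an implicit declaration with no argument checking, so it is worth confirming that none is left.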
diff --git a/src/include/krb5.hin b/src/include/krb5.hin
index 9949524045..8b1d42f0d0 100644
--- a/src/include/krb5.hin
+++ b/src/include/krb5.hin
@@ -24,6 +24,32 @@
* General definitions for Kerberos version 5.
*/
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
#ifndef KRB5_GENERAL__
#define KRB5_GENERAL__
@@ -54,6 +80,7 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
+#define KRB5_OLD_CRYPTO
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
@@ -131,10 +158,11 @@ typedef unsigned int krb5_boolean;
typedef unsigned int krb5_msgtype;
typedef unsigned int krb5_kvno;
-typedef unsigned int krb5_addrtype;
-typedef unsigned int krb5_enctype;
-typedef unsigned int krb5_cksumtype;
-typedef unsigned int krb5_authdatatype;
+typedef krb5_int32 krb5_addrtype;
+typedef krb5_int32 krb5_enctype;
+typedef krb5_int32 krb5_cksumtype;
+typedef krb5_int32 krb5_authdatatype;
+typedef krb5_int32 krb5_keyusage;
typedef krb5_int32 krb5_preauthtype; /* This may change, later on */
typedef krb5_int32 krb5_flags;
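Review bot: Switching `krb5_addrtype`, `krb5_enctype`, `krb5_cksumtype` and `krb5_authdatatype` from `unsigned int` to `krb5_int32` makes negative values representable, and nothing in the hunk records that. Any code that uses one of these as a table index or checks it only against an upper bound now needs a lower-bound check as well, since the value can come from a decoded message; the arrays removed from k5-int.h in this commit were described as "indexed by encryption type". A comment above the typedefs such as `/* signed: range-check both ends before using as an index */` would flag this. The call sites are outside this diff, so this is a request to audit them rather than a confirmed defect.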
@@ -286,6 +314,17 @@ typedef struct _krb5_keyblock {
krb5_octet FAR *contents;
} krb5_keyblock;
+#ifdef KRB5_OLD_CRYPTO
+typedef struct _krb5_encrypt_block {
+ krb5_magic magic;
+ krb5_enctype crypto_entry; /* to call krb5_encrypt_size, you need
+ this. it was a pointer, but it
+ doesn't have to be. gross. */
+ krb5_keyblock FAR *key;
+ krb5_int32 priv_size; /* Size of private data */
+} krb5_encrypt_block;
+#endif
+
typedef struct _krb5_checksum {
krb5_magic magic;
krb5_cksumtype checksum_type; /* checksum type */
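Review bot: The relocated `krb5_encrypt_block` keeps `priv_size` although the `priv` pointer it described is removed further down, and `crypto_entry` changes from a pointer to a `krb5_enctype` under the same field name. This changes the layout of a struct in the installed header, so objects built against the old definition will misread it; if that is intended, the comment should say so rather than end in `gross.`. Suggest replacing the comment with `/* enctype, formerly a cryptosystem-entry pointer; needed by krb5_encrypt_size */` and marking `priv_size` as unused.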
@@ -293,15 +332,6 @@ typedef struct _krb5_checksum {
krb5_octet FAR *contents;
} krb5_checksum;
-typedef struct _krb5_encrypt_block {
- krb5_magic magic;
- struct _krb5_cryptosystem_entry FAR * crypto_entry;
- krb5_keyblock FAR *key;
- krb5_pointer priv; /* for private use, e.g. DES
- key schedules */
- krb5_int32 priv_size; /* Size of private data */
-} krb5_encrypt_block;
-
typedef struct _krb5_enc_data {
krb5_magic magic;
krb5_enctype enctype;
@@ -315,9 +345,15 @@ typedef struct _krb5_enc_data {
#define ENCTYPE_DES_CBC_MD4 0x0002 /* DES cbc mode with RSA-MD4 */
#define ENCTYPE_DES_CBC_MD5 0x0003 /* DES cbc mode with RSA-MD5 */
#define ENCTYPE_DES_CBC_RAW 0x0004 /* DES cbc mode raw */
+/* XXX deprecated? */
#define ENCTYPE_DES3_CBC_SHA 0x0005 /* DES-3 cbc mode with NIST-SHA */
#define ENCTYPE_DES3_CBC_RAW 0x0006 /* DES-3 cbc mode raw */
+#define ENCTYPE_DES3_HMAC_SHA1 0x0007
+#define ENCTYPE_DES_HMAC_SHA1 0x0008
#define ENCTYPE_UNKNOWN 0x01ff
+/* local crud */
+/* marc's DES-3 with 32-bit length */
+#define ENCTYPE_LOCAL_DES3_HMAC_SHA1 0x7007
#define CKSUMTYPE_CRC32 0x0001
#define CKSUMTYPE_RSA_MD4 0x0002
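Review bot: `ENCTYPE_DES3_HMAC_SHA1` and `ENCTYPE_DES_HMAC_SHA1` are added without the descriptive comment that every neighbouring enctype has, and `/* XXX deprecated? */` does not say whether it covers `ENCTYPE_DES3_CBC_SHA` alone or `ENCTYPE_DES3_CBC_RAW` as well. The ChangeLog describes `ENCTYPE_LOCAL_DES3_HMAC_SHA1` (0x7007) as a stopgap until a standardized cryptosystem is chosen. The header should state that it is a local value other implementations will not understand, e.g. `/* local, non-standard: do not expect interoperability */`, so that it is not configured where peers from other implementations are involved.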
@@ -328,7 +364,7 @@ typedef struct _krb5_enc_data {
#define CKSUMTYPE_RSA_MD5 0x0007
#define CKSUMTYPE_RSA_MD5_DES 0x0008
#define CKSUMTYPE_NIST_SHA 0x0009
-#define CKSUMTYPE_HMAC_SHA 0x000a
+#define CKSUMTYPE_HMAC_SHA1 0x000a
#ifndef krb5_roundup
/* round x up to nearest multiple of y */
@@ -349,8 +385,118 @@ typedef struct _krb5_enc_data {
extern "C" {
#endif
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+ krb5_c_encrypt
+ KRB5_PROTOTYPE((krb5_context context, krb5_const krb5_keyblock *key,
+ krb5_keyusage usage, krb5_const krb5_data *ivec,
+ krb5_const krb5_data *input, krb5_enc_data *output));
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+ krb5_c_decrypt
+ KRB5_PROTOTYPE((krb5_context context, krb5_const krb5_keyblock *key,
+ krb5_keyusage usage, krb5_const krb5_data *ivec,
+ krb5_const krb5_enc_data *input, krb5_data *output));
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+ krb5_c_encrypt_length
+ KRB5_PROTOTYPE((krb5_context context, krb5_enctype enctype,
+ size_t inputlen, size_t *length));
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+ krb5_c_block_size
+ KRB5_PROTOTYPE((krb5_context context, krb5_enctype enctype,
+ size_t *blocksize));
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+ krb5_c_make_random_key
+ KRB5_PROTOTYPE((krb5_context context, krb5_enctype enctype,
+ krb5_keyblock *random_key));
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+ krb5_c_random_make_octets
+ KRB5_PROTOTYPE((krb5_context context, krb5_data *data));
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+ krb5_c_random_seed
+ KRB5_PROTOTYPE((krb5_context context, krb5_data *data));
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+ krb5_c_string_to_key
+ KRB5_PROTOTYPE((krb5_context context, krb5_enctype enctype,
+ krb5_const krb5_data *string, krb5_const krb5_data *salt,
+ krb5_keyblock *key));
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+ krb5_c_enctype_compare
+ KRB5_PROTOTYPE((krb5_context context, krb5_enctype e1, krb5_enctype e2,
+ krb5_boolean *similar));
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+ krb5_c_make_checksum
+ KRB5_PROTOTYPE((krb5_context context, krb5_cksumtype cksumtype,
+ krb5_const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_const krb5_data *input, krb5_checksum *cksum));
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+ krb5_c_verify_checksum
+ KRB5_PROTOTYPE((krb5_context context,
+ krb5_const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_const krb5_data *data,
+ krb5_const krb5_checksum *cksum,
+ krb5_boolean *valid));
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+ krb5_c_checksum_length
+ KRB5_PROTOTYPE((krb5_context context, krb5_cksumtype cksumtype,
+ size_t *length));
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+ krb5_c_keyed_checksum_types
+ KRB5_PROTOTYPE((krb5_context context, krb5_enctype enctype,
+ unsigned int *count, krb5_cksumtype **cksumtypes));
+
+#define KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS 1
+#define KRB5_KEYUSAGE_KDC_REP_TICKET 2
+#define KRB5_KEYUSAGE_AS_REP_ENCPART 3
+#define KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY 4
+#define KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY 5
+#define KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM 6
+#define KRB5_KEYUSAGE_TGS_REQ_AUTH 7
+#define KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY 8
+#define KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY 9
+#define KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM 10
+#define KRB5_KEYUSAGE_AP_REQ_AUTH 11
+#define KRB5_KEYUSAGE_AP_REP_ENCPART 12
+#define KRB5_KEYUSAGE_KRB_PRIV_ENCPART 13
+#define KRB5_KEYUSAGE_KRB_CRED_ENCPART 14
+#define KRB5_KEYUSAGE_KRB_SAFE_CKSUM 15
+#define KRB5_KEYUSAGE_APP_DATA_ENCRYPT 16
+#define KRB5_KEYUSAGE_APP_DATA_CKSUM 17
+#define KRB5_KEYUSAGE_KRB_ERROR_CKSUM 18
+#define KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM 19
+#define KRB5_KEYUSAGE_AD_MTE 20
+#define KRB5_KEYUSAGE_AD_ITE 21
+
+/* XXX need to register these */
+
+#define KRB5_KEYUSAGE_GSS_TOK_MIC 22
+#define KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG 23
+#define KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV 24
+
+
+krb5_boolean KRB5_CALLCONV valid_enctype
+ KRB5_PROTOTYPE((krb5_const krb5_enctype ktype));
+krb5_boolean KRB5_CALLCONV valid_cksumtype
+ KRB5_PROTOTYPE((krb5_const krb5_cksumtype ctype));
+krb5_boolean KRB5_CALLCONV is_coll_proof_cksum
+ KRB5_PROTOTYPE((krb5_const krb5_cksumtype ctype));
+krb5_boolean KRB5_CALLCONV is_keyed_cksum
+ KRB5_PROTOTYPE((krb5_const krb5_cksumtype ctype));
+
+#ifdef KRB5_OLD_CRYPTO
/*
- * cryptosystem routine prototypes
+ * old cryptosystem routine prototypes. These are now layered
+ * on top of the functions above.
*/
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_encrypt
KRB5_PROTOTYPE((krb5_context context,
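Review bot: `krb5_c_verify_checksum` (like `verify` in `struct krb5_keyhash_provider` in k5-int.h) reports its result on two channels, a `krb5_error_code` return and `krb5_boolean *valid`, and the header does not say how they relate. If, as the signature suggests, a mismatch is reported as return 0 with `*valid` false, a caller that tests only the return code would accept a bad checksum. A comment on the prototype such as `/* the return value says whether the check could be performed; *valid is the verdict and must be tested separately */` would make this explicit once confirmed against the implementation. The GSS key usages 22 to 24 are still marked `XXX need to register these`; a comment noting that they are provisional would warn users that the numbers may change.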
@@ -402,7 +548,7 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_use_enctype
krb5_const krb5_enctype enctype));
KRB5_DLLIMP size_t KRB5_CALLCONV krb5_encrypt_size
KRB5_PROTOTYPE((krb5_const size_t length,
- krb5_const struct _krb5_cryptosystem_entry FAR * crypto));
+ krb5_enctype crypto));
KRB5_DLLIMP size_t KRB5_CALLCONV krb5_checksum_size
KRB5_PROTOTYPE((krb5_context context,
krb5_const krb5_cksumtype ctype));
@@ -422,15 +568,6 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_verify_checksum
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_random_confounder
KRB5_PROTOTYPE((size_t, krb5_pointer));
-krb5_boolean KRB5_CALLCONV valid_enctype
- KRB5_PROTOTYPE((krb5_const krb5_enctype ktype));
-krb5_boolean KRB5_CALLCONV valid_cksumtype
- KRB5_PROTOTYPE((krb5_const krb5_cksumtype ctype));
-krb5_boolean KRB5_CALLCONV is_coll_proof_cksum
- KRB5_PROTOTYPE((krb5_const krb5_cksumtype ctype));
-krb5_boolean KRB5_CALLCONV is_keyed_cksum
- KRB5_PROTOTYPE((krb5_const krb5_cksumtype ctype));
-
krb5_error_code krb5_encrypt_data
KRB5_PROTOTYPE((krb5_context context, krb5_keyblock *key,
krb5_pointer ivec, krb5_data *data,
@@ -440,6 +577,9 @@ krb5_error_code krb5_decrypt_data
KRB5_PROTOTYPE((krb5_context context, krb5_keyblock *key,
krb5_pointer ivec, krb5_enc_data *data,
krb5_data *enc_data));
+
+#endif /* KRB5_OLD_CRYPTO */
+
#ifdef __cplusplus
}
#endif
@@ -961,6 +1101,7 @@ typedef struct _krb5_pwd_data {
#define KRB5_AUTH_CONTEXT_RET_TIME 0x00000002
#define KRB5_AUTH_CONTEXT_DO_SEQUENCE 0x00000004
#define KRB5_AUTH_CONTEXT_RET_SEQUENCE 0x00000008
+#define KRB5_AUTH_CONTEXT_PERMIT_ALL 0x00000010
typedef struct krb5_replay_data {
krb5_timestamp timestamp;
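Review bot: `KRB5_AUTH_CONTEXT_PERMIT_ALL` is added without a comment, yet according to the ChangeLog it overrides the permitted-enctype list taken from krb5.conf. A flag that switches off a policy check should say so where it is defined, for example `/* accept any enctype, bypassing the permitted enctypes from krb5.conf */`. It shares the flag word with the timestamp and sequence options, so code that copies or composes a whole flags value may enable it without meaning to; that is worth a line in the comment as well.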
@@ -1222,7 +1363,7 @@ typedef struct _krb5_kt_ops {
void * serializer;
} krb5_kt_ops;
-#define krb5_kt_get_type(context, keytab) (*(keytab)->ops->prefix)
+#define krb5_kt_get_type(context, keytab) ((keytab)->ops->prefix)
#define krb5_kt_get_name(context, keytab, name, namelen) krb5_x((keytab)->ops->get_name,(context, keytab,name,namelen))
#define krb5_kt_close(context, keytab) krb5_x((keytab)->ops->close,(context, keytab))
#define krb5_kt_get_entry(context, keytab, principal, vno, enctype, entry) krb5_x((keytab)->ops->get,(context, keytab, principal, vno, enctype, entry))
@@ -1267,6 +1408,12 @@ krb5_error_code krb5_get_tgs_ktypes
krb5_const_principal,
krb5_enctype **));
+krb5_error_code krb5_get_permitted_enctypes
+ KRB5_PROTOTYPE((krb5_context, krb5_enctype **));
+
+krb5_boolean krb5_is_permitted_enctype
+ KRB5_PROTOTYPE((krb5_context, krb5_enctype));
+
/* libkrb.spec */
krb5_error_code krb5_kdc_rep_decrypt_proc
KRB5_PROTOTYPE((krb5_context,
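Review bot: `krb5_is_permitted_enctype` returns only a `krb5_boolean`, so the header should state what it answers when the permitted list cannot be obtained; for a policy check the safe answer is false. `krb5_get_permitted_enctypes` hands back a list through `krb5_enctype **` without saying how the list is terminated or which routine frees it. Suggested comments are `/* returns false if the permitted list cannot be read */`, to be confirmed against the implementation, and one line on the second prototype naming the terminator and the matching free function.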
@@ -1616,6 +1763,8 @@ KRB5_DLLIMP void KRB5_CALLCONV krb5_free_cred_enc_part
KRB5_PROTOTYPE((krb5_context, krb5_cred_enc_part FAR *));
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_checksum
KRB5_PROTOTYPE((krb5_context, krb5_checksum FAR *));
+KRB5_DLLIMP void KRB5_CALLCONV krb5_free_checksum_contents
+ KRB5_PROTOTYPE((krb5_context, krb5_checksum FAR *));
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_keyblock
KRB5_PROTOTYPE((krb5_context, krb5_keyblock FAR *));
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_keyblock_contents
@@ -1636,6 +1785,8 @@ KRB5_DLLIMP void KRB5_CALLCONV krb5_free_data_contents
KRB5_PROTOTYPE((krb5_context, krb5_data FAR *));
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_unparsed_name
KRB5_PROTOTYPE((krb5_context, char FAR *));
+KRB5_DLLIMP void KRB5_CALLCONV krb5_free_cksumtypes
+ KRB5_PROTOTYPE((krb5_context, krb5_cksumtype FAR *));
/* From krb5/os but needed but by the outside world */
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_us_timeofday
diff --git a/src/include/krb5/ChangeLog b/src/include/krb5/ChangeLog
index 202608002e..af894dad15 100644
--- a/src/include/krb5/ChangeLog
+++ b/src/include/krb5/ChangeLog
@@ -1,3 +1,8 @@
+1998-10-26 Marc Horowitz <marc@mit.edu>
+
+ * kdb_dbc.h, kdb.h: update kdb api to be compatible with the new
+ crypto api.
+
Wed Jul 8 04:30:22 1998 Geoffrey King <gjking@mit.edu>
* adm_proto.h: Added prototype for new function krb5_klog_reopen()
diff --git a/src/include/krb5/kdb.h b/src/include/krb5/kdb.h
index 6a75372d11..65731279f7 100644
--- a/src/include/krb5/kdb.h
+++ b/src/include/krb5/kdb.h
@@ -24,6 +24,31 @@
* KDC Database interface definitions.
*/
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
#ifndef KRB5_KDB5__
#define KRB5_KDB5__
@@ -208,8 +233,7 @@ krb5_error_code krb5_db_iterate
krb5_error_code krb5_db_verify_master_key
KRB5_PROTOTYPE((krb5_context,
krb5_principal,
- krb5_keyblock *,
- krb5_encrypt_block *));
+ krb5_keyblock *));
krb5_error_code krb5_db_store_mkey
KRB5_PROTOTYPE((krb5_context,
char *,
@@ -224,10 +248,10 @@ krb5_error_code krb5_db_setup_mkey_name
krb5_principal *));
krb5_error_code krb5_db_set_mkey
- KRB5_PROTOTYPE((krb5_context, krb5_encrypt_block *));
+ KRB5_PROTOTYPE((krb5_context, krb5_keyblock *));
krb5_error_code krb5_db_get_mkey
- KRB5_PROTOTYPE((krb5_context, krb5_encrypt_block **));
+ KRB5_PROTOTYPE((krb5_context, krb5_keyblock **));
krb5_error_code krb5_db_destroy
KRB5_PROTOTYPE((krb5_context,
char * ));
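Review bot: `krb5_db_set_mkey` and `krb5_db_get_mkey` now exchange the master key as a bare `krb5_keyblock` pointer, and the header does not say whether the context copies the key or keeps the caller's pointer. The matching field `db_master_key` in kdb_dbc.h also becomes a `krb5_keyblock *`, so the lifetime question applies there too: if the context aliases the caller's block, freeing or zeroing it on either side leaves the other with a dangling or wiped key. A comment on both prototypes stating ownership, e.g. `/* stores the pointer; the caller keeps ownership and must keep the key alive */` or the opposite, whichever the implementation does, would settle it.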
@@ -246,7 +270,7 @@ krb5_boolean krb5_db_set_lockmode
krb5_error_code krb5_db_fetch_mkey
KRB5_PROTOTYPE((krb5_context,
krb5_principal,
- krb5_encrypt_block *,
+ krb5_enctype,
krb5_boolean,
krb5_boolean,
char *,
@@ -260,14 +284,14 @@ krb5_error_code krb5_db_close_database
krb5_error_code krb5_dbekd_encrypt_key_data
KRB5_PROTOTYPE((krb5_context,
- krb5_encrypt_block *,
+ const krb5_keyblock *,
const krb5_keyblock *,
const krb5_keysalt *,
int,
krb5_key_data *));
krb5_error_code krb5_dbekd_decrypt_key_data
KRB5_PROTOTYPE((krb5_context,
- krb5_encrypt_block *,
+ const krb5_keyblock *,
const krb5_key_data *,
krb5_keyblock *,
krb5_keysalt *));
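Review bot: `krb5_dbekd_encrypt_key_data` now takes two consecutive unnamed `const krb5_keyblock *` arguments, so a call with the two keys swapped compiles cleanly. The first is presumably the master key, since it replaces the encrypt block, and the second the key to be stored. Naming the parameters in the prototype, e.g. `const krb5_keyblock * mkey,` and `const krb5_keyblock * dbkey,`, makes the order checkable by a reader; the first keyblock of `krb5_dbekd_decrypt_key_data` deserves a name for the same reason. The names are suggestions, as the definitions are outside this diff.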
@@ -343,7 +367,7 @@ struct __krb5_key_salt_tuple;
krb5_error_code krb5_dbe_cpw
KRB5_PROTOTYPE((krb5_context,
- krb5_encrypt_block *,
+ krb5_keyblock *,
struct __krb5_key_salt_tuple *,
int,
char *,
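Review bot: `krb5_dbe_cpw` takes the replacement for the encrypt block as a mutable `krb5_keyblock *`, while `krb5_dbekd_encrypt_key_data` and `krb5_dbekd_decrypt_key_data` in the same header take it as `const krb5_keyblock *`. Unless these routines modify the key, the parameter should read `const krb5_keyblock *,` so the compiler rejects accidental writes to master key material. The same applies to `krb5_dbe_apw`, `krb5_dbe_crk` and `krb5_dbe_ark` in the next hunk. The `krb5_dbe_cpw` prototype continues past the end of this hunk.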
@@ -351,20 +375,20 @@ krb5_error_code krb5_dbe_cpw
krb5_db_entry *));
krb5_error_code krb5_dbe_apw
KRB5_PROTOTYPE((krb5_context,
- krb5_encrypt_block *,
+ krb5_keyblock *,
struct __krb5_key_salt_tuple *,
int,
char *,
krb5_db_entry *));
krb5_error_code krb5_dbe_crk
KRB5_PROTOTYPE((krb5_context,
- krb5_encrypt_block *,
+ krb5_keyblock *,
struct __krb5_key_salt_tuple *,
int,
krb5_db_entry *));
krb5_error_code krb5_dbe_ark
KRB5_PROTOTYPE((krb5_context,
- krb5_encrypt_block *,
+ krb5_keyblock *,
struct __krb5_key_salt_tuple *,
int,
krb5_db_entry *));
diff --git a/src/include/krb5/kdb_dbc.h b/src/include/krb5/kdb_dbc.h
index 3dfd0d8416..e0bbd1b476 100644
--- a/src/include/krb5/kdb_dbc.h
+++ b/src/include/krb5/kdb_dbc.h
@@ -24,6 +24,32 @@
* KDC Database context definitions.
*/
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
#ifndef KRB5_KDB5_DBC__
#define KRB5_KDB5_DBC__
@@ -43,7 +69,7 @@ typedef struct __krb5_db_context {
int db_locks_held; /* Number of times locked */
int db_lock_mode; /* Last lock mode, e.g. greatest*/
krb5_boolean db_nb_locks; /* [Non]Blocking lock modes */
- krb5_encrypt_block *db_master_key; /* Master key of database */
+ krb5_keyblock *db_master_key; /* Master key of database */
kdb5_dispatch_table *db_dispatch; /* Dispatch table */
} krb5_db_context;