krb5: add unkeyed SHA-2 checksum types

Add unkeyed checksum types for SHA-256, SHA-384 and SHA-512, for future
internal use. They are assigned private (negative) checksum types and must
never appear in cleartext on the wire.

lib/asn1/krb5.asn1

@@ -250,7 +250,10 @@ CKSUMTYPE ::= INTEGER {
 	CKSUMTYPE_HMAC_SHA384_192_AES256(20),
 	CKSUMTYPE_GSSAPI(0x8003),
 	CKSUMTYPE_HMAC_MD5(-138),	-- unofficial microsoft number
-	CKSUMTYPE_HMAC_MD5_ENC(-1138)	-- even more unofficial
+	CKSUMTYPE_HMAC_MD5_ENC(-1138),	-- even more unofficial
+	CKSUMTYPE_SHA256(-21),
+	CKSUMTYPE_SHA384(-22),
+	CKSUMTYPE_SHA512(-23)
 }
 
 --enctypes

lib/krb5/crypto-algs.c

@@ -55,7 +55,10 @@ struct _krb5_checksum_type *_krb5_checksum_types[] = {
     &_krb5_checksum_hmac_sha1_aes256,
     &_krb5_checksum_hmac_sha256_128_aes128,
     &_krb5_checksum_hmac_sha384_192_aes256,
-    &_krb5_checksum_hmac_md5
+    &_krb5_checksum_hmac_md5,
+    &_krb5_checksum_sha256,
+    &_krb5_checksum_sha384,
+    &_krb5_checksum_sha512
 };
 
 int _krb5_num_checksums

lib/krb5/crypto.c

@@ -167,23 +167,45 @@ _key_schedule(krb5_context context,
  ************************************************************/
 
 static krb5_error_code
-SHA1_checksum(krb5_context context,
+EVP_unkeyed_checksum(krb5_context context,
-	      krb5_crypto crypto,
+		     krb5_crypto crypto,
-	      struct _krb5_key_data *key,
+		     struct _krb5_key_data *key,
-	      unsigned usage,
+		     unsigned usage,
-	      const struct krb5_crypto_iov *iov,
+		     const struct krb5_crypto_iov *iov,
-	      int niov,
+		     int niov,
-	      Checksum *C)
+		     Checksum *C,
+		     const EVP_MD *md)
 {
     if (_krb5_evp_digest_iov(crypto,
 			     iov, niov,
 			     C->checksum.data, NULL,
-			     EVP_sha1(), NULL) != 1)
+			     md, NULL) != 1)
-	krb5_abortx(context, "sha1 checksum failed");
+	krb5_abortx(context, "unkeyed checksum failed");
 
     return 0;
 }
 
+#define EVP_SHA_CHECKSUM(name)				    \
+							    \
+    static krb5_error_code				    \
+    SHA ## name ##_checksum(krb5_context context,	    \
+		       krb5_crypto crypto,		    \
+		       struct _krb5_key_data *key,	    \
+		       unsigned usage,			    \
+		       const struct krb5_crypto_iov *iov,   \
+		       int niov,			    \
+		       Checksum *C)			    \
+    {							    \
+	return EVP_unkeyed_checksum(context, crypto, key,   \
+				    usage, iov, niov,	    \
+				    C, EVP_sha##name());    \
+    }
+
+EVP_SHA_CHECKSUM(1)
+EVP_SHA_CHECKSUM(256)
+EVP_SHA_CHECKSUM(384)
+EVP_SHA_CHECKSUM(512)
+
 /* HMAC according to RFC2104 */
 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 _krb5_internal_hmac_iov(krb5_context context,
@@ -369,15 +391,21 @@ _krb5_SP_HMAC_SHA1_verify(krb5_context context,
     return 0;
 }
 
-struct _krb5_checksum_type _krb5_checksum_sha1 = {
+#define SHA_CHECKSUM(name, blocksize, outputsize)	    \
-    CKSUMTYPE_SHA1,
+    struct _krb5_checksum_type _krb5_checksum_sha##name = { \
-    "sha1",
+	CKSUMTYPE_SHA##name,				    \
-    64,
+	"sha" #name,					    \
-    20,
+	blocksize,					    \
-    F_CPROOF,
+	outputsize,					    \
-    SHA1_checksum,
+	F_CPROOF,					    \
-    NULL
+	SHA##name##_checksum,				    \
-};
+	NULL						    \
+    };
+
+SHA_CHECKSUM(1,   64,  20);
+SHA_CHECKSUM(256, 64,  32);
+SHA_CHECKSUM(384, 128, 48);
+SHA_CHECKSUM(512, 128, 64);
 
 KRB5_LIB_FUNCTION struct _krb5_checksum_type * KRB5_LIB_CALL
 _krb5_find_checksum(krb5_cksumtype type)

lib/krb5/crypto.h

@@ -151,7 +151,9 @@ extern struct _krb5_checksum_type _krb5_checksum_hmac_sha256_128_aes128;
 extern struct _krb5_checksum_type _krb5_checksum_hmac_sha384_192_aes256;
 extern struct _krb5_checksum_type _krb5_checksum_hmac_md5;
 extern struct _krb5_checksum_type _krb5_checksum_sha1;
-extern struct _krb5_checksum_type _krb5_checksum_sha2;
+extern struct _krb5_checksum_type _krb5_checksum_sha256;
+extern struct _krb5_checksum_type _krb5_checksum_sha384;
+extern struct _krb5_checksum_type _krb5_checksum_sha512;
 
 extern struct _krb5_checksum_type *_krb5_checksum_types[];
 extern int _krb5_num_checksums;