author | Greg Hudson <ghudson@mit.edu> | 2009-10-19 20:04:21 +0000 |
committer | Greg Hudson <ghudson@mit.edu> | 2009-10-19 20:04:21 +0000 |
commit | e6b93b7dd43bb765900b2db71641479b597844da (patch) | |
tree | 2b6da09e37da6ca699a8cb43c87e8a4218132254 /src/include | |
parent | 04a5d19e61bedbb1da4db52334c00f7a54a9d5a8 (diff) | |
Implement new APIs to allow improved crypto performance
Merge branches/enc-perf to trunk. Adds the krb5_key opaque type, the
krb5_k_* APIs to use them, and caching of derived keys when krb5_k_*
functions are used. Updates the krb5 auth context and GSS id-rec to
use krb5_keys.
ticket: 6576
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22944 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/k5-int.h | 62 | ||||
-rw-r--r-- | src/include/krb5/krb5.hin | 69 |
2 files changed, 117 insertions, 14 deletions
diff --git a/src/include/k5-int.h b/src/include/k5-int.h index 77221724ca..858b9bd6db 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -635,6 +635,19 @@ krb5int_locate_server (krb5_context, const krb5_data *realm, struct addrlist *, enum locate_service_type svc, int sockettype, int family); +struct derived_key { + krb5_data constant; + krb5_key dkey; + struct derived_key *next; +}; + +/* Internal structure of an opaque key identifier */ +struct krb5_key_st { + krb5_keyblock keyblock; + int refcount; + struct derived_key *derived; +}; + /* new encryption provider api */ struct krb5_enc_provider { @@ -643,12 +656,12 @@ struct krb5_enc_provider { size_t block_size, keybytes, keylength; /* cipher-state == 0 fresh state thrown away at end */ - krb5_error_code (*encrypt) (const krb5_keyblock *key, + krb5_error_code (*encrypt) (krb5_key key, const krb5_data *cipher_state, const krb5_data *input, krb5_data *output); - krb5_error_code (*decrypt) (const krb5_keyblock *key, + krb5_error_code (*decrypt) (krb5_key key, const krb5_data *ivec, const krb5_data *input, krb5_data *output); @@ -661,13 +674,13 @@ struct krb5_enc_provider { krb5_error_code (*free_state) (krb5_data *state); /* In-place encryption/decryption of multiple buffers */ - krb5_error_code (*encrypt_iov) (const krb5_keyblock *key, + krb5_error_code (*encrypt_iov) (krb5_key key, const krb5_data *cipher_state, krb5_crypto_iov *data, size_t num_data); - krb5_error_code (*decrypt_iov) (const krb5_keyblock *key, + krb5_error_code (*decrypt_iov) (krb5_key key, const krb5_data *cipher_state, krb5_crypto_iov *data, size_t num_data); 
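Review bot: `refcount` in the new `struct krb5_key_st` is a plain `int` with no atomic or mutex protection, and k5-int.h carries no note of that even though the krb5.hin comment on `krb5_key` in this same commit says identifiers must not be shared between threads, so a reader of the internal header alone will not see the constraint. I would put it on the field: `int refcount;  /* Not atomic: krb5_key objects are not thread-safe (see krb5.hin). */`. `struct derived_key` also has no comment; something like `/* Cached derived key, looked up by its derivation constant; one node per constant. */` would say what `constant` and `next` are for, which is what the layout suggests but the hunk does not state. The `struct krb5_enc_provider` hunks that follow on the same physical line only swap `const krb5_keyblock *` for `krb5_key` in the callback signatures and need no comment of their own.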
@@ -686,27 +699,27 @@ struct krb5_hash_provider { struct krb5_keyhash_provider { size_t hashsize; - krb5_error_code (*hash) (const krb5_keyblock *key, + krb5_error_code (*hash) (krb5_key key, krb5_keyusage keyusage, const krb5_data *ivec, const krb5_data *input, krb5_data *output); - krb5_error_code (*verify) (const krb5_keyblock *key, + krb5_error_code (*verify) (krb5_key key, krb5_keyusage keyusage, const krb5_data *ivec, const krb5_data *input, const krb5_data *hash, krb5_boolean *valid); - krb5_error_code (*hash_iov) (const krb5_keyblock *key, + krb5_error_code (*hash_iov) (krb5_key key, krb5_keyusage keyusage, const krb5_data *ivec, const krb5_crypto_iov *data, size_t num_data, krb5_data *output); - krb5_error_code (*verify_iov) (const krb5_keyblock *key, + krb5_error_code (*verify_iov) (krb5_key key, krb5_keyusage keyusage, const krb5_data *ivec, const krb5_crypto_iov *data, @@ -724,7 +737,7 @@ struct krb5_aead_provider { krb5_error_code (*encrypt_iov) (const struct krb5_aead_provider *aead, const struct krb5_enc_provider *enc, const struct krb5_hash_provider *hash, - const krb5_keyblock *key, + krb5_key key, krb5_keyusage keyusage, const krb5_data *ivec, krb5_crypto_iov *data, @@ -732,7 +745,7 @@ struct krb5_aead_provider { krb5_error_code (*decrypt_iov) (const struct krb5_aead_provider *aead, const struct krb5_enc_provider *enc, const struct krb5_hash_provider *hash, - const krb5_keyblock *key, + krb5_key key, krb5_keyusage keyusage, const krb5_data *ivec, krb5_crypto_iov *data, 
@@ -749,11 +762,22 @@ void krb5_nfold krb5_error_code krb5_hmac (const struct krb5_hash_provider *hash, - const krb5_keyblock *key, unsigned int icount, + krb5_key key, unsigned int icount, const krb5_data *input, krb5_data *output); krb5_error_code krb5int_hmac_iov (const struct krb5_hash_provider *hash, + krb5_key key, + const krb5_crypto_iov *data, size_t num_data, + krb5_data *output); + +krb5_error_code krb5int_hmac_keyblock +(const struct krb5_hash_provider *hash, + const krb5_keyblock *key, unsigned int icount, + const krb5_data *input, krb5_data *output); + +krb5_error_code krb5int_hmac_iov_keyblock +(const struct krb5_hash_provider *hash, const krb5_keyblock *key, const krb5_crypto_iov *data, size_t num_data, krb5_data *output); @@ -808,13 +832,18 @@ krb5_error_code krb5int_c_combine_keys (krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2, krb5_keyblock *outkey); + void krb5int_c_free_keyblock (krb5_context, krb5_keyblock *key); void krb5int_c_free_keyblock_contents (krb5_context, krb5_keyblock *); -krb5_error_code krb5int_c_init_keyblock +krb5_error_code krb5int_c_init_keyblock (krb5_context, krb5_enctype enctype, size_t length, krb5_keyblock **out); +krb5_error_code krb5int_c_copy_keyblock +(krb5_context context, const krb5_keyblock *from, krb5_keyblock **to); +krb5_error_code krb5int_c_copy_keyblock_contents +(krb5_context context, const krb5_keyblock *from, krb5_keyblock *to); /* * Internal - for cleanup. @@ -850,6 +879,11 @@ krb5_error_code krb5_encrypt_helper krb5_keyusage keyusage, const krb5_data *plain, krb5_enc_data *cipher); +krb5_error_code krb5_encrypt_keyhelper +(krb5_context context, krb5_key key, + krb5_keyusage keyusage, const krb5_data *plain, + krb5_enc_data *cipher); + /* * End "los-proto.h" */ 
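Review bot: The new `krb5int_c_copy_keyblock` and `krb5int_c_copy_keyblock_contents` differ only in whether `to` is `krb5_keyblock **` or `krb5_keyblock *`, and nothing in the header says which one allocates the container or how each result is released. A one-line comment on each would settle it, e.g. `/* Allocate a copy of from into *to; release with krb5int_c_free_keyblock(). */` on the first and `/* Copy from's contents into the caller-provided *to; release with krb5int_c_free_keyblock_contents(). */` on the second, assuming that is the pairing the implementation uses — confirm against the .c file. The `_keyblock` HMAC variants added just above them would likewise benefit from a comment stating that they are the keyblock-taking forms kept for callers that do not hold a krb5_key, which explains why both spellings exist.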
@@ -2566,10 +2600,10 @@ krb5_error_code krb5_decrypt_data krb5_data *enc_data); krb5_error_code -krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec, +krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec, const krb5_data *input, krb5_data *output); krb5_error_code -krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec, +krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec, const krb5_data *input, krb5_data *output); struct _krb5_kt { /* should move into k5-int.h */ diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index 81bc1cf6e5..e0128d0586 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -341,6 +341,7 @@ struct _krb5_cryptosystem_entry; * begin "encryption.h" */ +/* Exposed contents of a key. */ typedef struct _krb5_keyblock { krb5_magic magic; krb5_enctype enctype; @@ -348,6 +349,16 @@ typedef struct _krb5_keyblock { krb5_octet *contents; } krb5_keyblock; +/* + * Opaque identifier for a key. Use with the krb5_k APIs for better + * performance for repeated operations with the same key usage. Key + * identifiers must not be used simultaneously within multiple + * threads, as they may contain mutable internal state and are not + * mutex-protected. + */ +struct krb5_key_st; +typedef struct krb5_key_st *krb5_key; + #ifdef KRB5_OLD_CRYPTO typedef struct _krb5_encrypt_block { krb5_magic magic; 
@@ -705,6 +716,64 @@ krb5_error_code KRB5_CALLCONV (krb5_context context, krb5_enctype enctype, size_t data_length, unsigned int *size); +krb5_error_code KRB5_CALLCONV +krb5_k_create_key(krb5_context context, const krb5_keyblock *key_data, + krb5_key *out); + +/* Keys are logically immutable and can be "copied" by reference count. */ +void KRB5_CALLCONV krb5_k_reference_key(krb5_context context, krb5_key key); + +/* Decrement the reference count on a key and free it if it hits zero. */ +void KRB5_CALLCONV krb5_k_free_key(krb5_context context, krb5_key key); + +krb5_error_code KRB5_CALLCONV +krb5_k_key_keyblock(krb5_context context, krb5_key key, + krb5_keyblock **key_data); + +krb5_enctype KRB5_CALLCONV +krb5_k_key_enctype(krb5_context context, krb5_key key); + +krb5_error_code KRB5_CALLCONV +krb5_k_encrypt(krb5_context context, krb5_key key, krb5_keyusage usage, + const krb5_data *cipher_state, const krb5_data *input, + krb5_enc_data *output); + +krb5_error_code KRB5_CALLCONV +krb5_k_encrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, + const krb5_data *cipher_state, krb5_crypto_iov *data, + size_t num_data); + +krb5_error_code KRB5_CALLCONV +krb5_k_decrypt(krb5_context context, krb5_key key, krb5_keyusage usage, + const krb5_data *cipher_state, const krb5_enc_data *input, + krb5_data *output); + +krb5_error_code KRB5_CALLCONV +krb5_k_decrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, + const krb5_data *cipher_state, krb5_crypto_iov *data, + size_t num_data); + +krb5_error_code KRB5_CALLCONV +krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype, + krb5_key key, krb5_keyusage usage, const krb5_data *input, + krb5_checksum *cksum); + +krb5_error_code KRB5_CALLCONV +krb5_k_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, + krb5_key key, krb5_keyusage usage, + krb5_crypto_iov *data, size_t num_data); + +krb5_error_code KRB5_CALLCONV +krb5_k_verify_checksum(krb5_context context, krb5_key key, 
krb5_keyusage usage, + const krb5_data *data, const krb5_checksum *cksum, + krb5_boolean *valid); + +krb5_error_code KRB5_CALLCONV +krb5_k_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, + krb5_key key, krb5_keyusage usage, + const krb5_crypto_iov *data, size_t num_data, + krb5_boolean *valid); + #ifdef KRB5_OLD_CRYPTO /* * old cryptosystem routine prototypes. These are now layered |
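Review bot: Most of the new public `krb5_k_*` prototypes are undocumented, and the two that matter most for correct use, `krb5_k_create_key` and `krb5_k_key_keyblock`, do not say who owns what: whether `key_data` is copied (the `const` suggests so) and that the result must be released with `krb5_k_free_key`, and whether the keyblock returned through `key_data` is a fresh copy the caller frees with `krb5_free_keyblock`. I would add a comment on each, e.g. `/* Create an opaque key from key_data (copied); release with krb5_k_free_key(). */` and `/* Retrieve a copy of the key's keyblock; the caller frees it with krb5_free_keyblock(). */`, adjusting if the implementation hands out an alias instead. It would also help to state on `krb5_k_free_key` whether a NULL key is accepted, since its comment only describes the reference-count decrement. The `krb5_k_encrypt`/`krb5_k_decrypt` and checksum functions mirror the `krb5_c_*` family parameter for parameter, so a one-line comment pointing at that documentation would cover them.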