Implement new APIs to allow improved crypto performance

Merge branches/enc-perf to trunk. Adds the krb5_key opaque type, the krb5_k_* APIs to use them, and caching of derived keys when krb5_k_* functions are used. Updates the krb5 auth context and GSS id-rec to use krb5_keys. ticket: 6576 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22944 dc483132-0cff-0310-8789-dd5450dbe970
author: Greg Hudson <ghudson@mit.edu> 2009-10-19 20:04:21 +0000
committer: Greg Hudson <ghudson@mit.edu> 2009-10-19 20:04:21 +0000
commit: e6b93b7dd43bb765900b2db71641479b597844da (patch)
tree: 2b6da09e37da6ca699a8cb43c87e8a4218132254 /src/lib/crypto/builtin/enc_provider
parent: 04a5d19e61bedbb1da4db52334c00f7a54a9d5a8 (diff)
download: krb5-e6b93b7dd43bb765900b2db71641479b597844da.tar.gz
krb5-e6b93b7dd43bb765900b2db71641479b597844da.tar.xz
krb5-e6b93b7dd43bb765900b2db71641479b597844da.zip
4 files changed, 48 insertions, 40 deletions
diff --git a/src/lib/crypto/builtin/enc_provider/aes.c b/src/lib/crypto/builtin/enc_provider/aes.c
index 934bc63a2c..52fb2259d8 100644
--- a/src/lib/crypto/builtin/enc_provider/aes.c
+++ b/src/lib/crypto/builtin/enc_provider/aes.c
@@ -86,7 +86,7 @@ static void xorblock(char *out, const char *in)
 }
 
 krb5_error_code
-krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec,
 		    const krb5_data *input, krb5_data *output)
 {
     aes_ctx ctx;
@@ -95,7 +95,8 @@ krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
 
 /*    CHECK_SIZES; */
 
-    if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
+    if (aes_enc_key(key->keyblock.contents, key->keyblock.length,
+		    &ctx) != aes_good)
 	abort();
 
     if (ivec)
@@ -140,7 +141,7 @@ krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
 }
 
 krb5_error_code
-krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec,
 		    const krb5_data *input, krb5_data *output)
 {
     aes_ctx ctx;
@@ -149,7 +150,8 @@ krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
 
     CHECK_SIZES;
 
-    if (aes_dec_key(key->contents, key->length, &ctx) != aes_good)
+    if (aes_dec_key(key->keyblock.contents, key->keyblock.length,
+		    &ctx) != aes_good)
 	abort();
 
     if (ivec)
@@ -200,7 +202,7 @@ krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
 }
 
 static krb5_error_code
-krb5int_aes_encrypt_iov(const krb5_keyblock *key,
+krb5int_aes_encrypt_iov(krb5_key key,
 		        const krb5_data *ivec,
 		        krb5_crypto_iov *data,
 		        size_t num_data)
@@ -210,7 +212,8 @@ krb5int_aes_encrypt_iov(const krb5_keyblock *key,
     int nblocks = 0, blockno;
     size_t input_length, i;
 
-    if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
+    if (aes_enc_key(key->keyblock.contents, key->keyblock.length, &ctx)
+	!= aes_good)
 	abort();
 
     if (ivec != NULL)
@@ -280,7 +283,7 @@ krb5int_aes_encrypt_iov(const krb5_keyblock *key,
 }
 
 static krb5_error_code
-krb5int_aes_decrypt_iov(const krb5_keyblock *key,
+krb5int_aes_decrypt_iov(krb5_key key,
 		        const krb5_data *ivec,
 		        krb5_crypto_iov *data,
 		        size_t num_data)
@@ -293,7 +296,8 @@ krb5int_aes_decrypt_iov(const krb5_keyblock *key,
 
     CHECK_SIZES;
 
-    if (aes_dec_key(key->contents, key->length, &ctx) != aes_good)
+    if (aes_dec_key(key->keyblock.contents, key->keyblock.length,
+		    &ctx) != aes_good)
 	abort();
 
     if (ivec != NULL)
diff --git a/src/lib/crypto/builtin/enc_provider/des.c b/src/lib/crypto/builtin/enc_provider/des.c
index 433032dd31..d73a1d2901 100644
--- a/src/lib/crypto/builtin/enc_provider/des.c
+++ b/src/lib/crypto/builtin/enc_provider/des.c
@@ -32,14 +32,14 @@
 
 
 static krb5_error_code
-k5_des_docrypt(const krb5_keyblock *key, const krb5_data *ivec,
+k5_des_docrypt(krb5_key key, const krb5_data *ivec,
 	       const krb5_data *input, krb5_data *output, int enc)
 {
     mit_des_key_schedule schedule;
 
-    /* key->enctype was checked by the caller */
+    /* key->keyblock.enctype was checked by the caller */
 
-    if (key->length != 8)
+    if (key->keyblock.length != 8)
 	return(KRB5_BAD_KEYSIZE);
     if ((input->length%8) != 0)
 	return(KRB5_BAD_MSIZE);
@@ -48,7 +48,7 @@ k5_des_docrypt(const krb5_keyblock *key, const krb5_data *ivec,
     if (input->length != output->length)
 	return(KRB5_BAD_MSIZE);
 
-    switch (mit_des_key_sched(key->contents, schedule)) {
+    switch (mit_des_key_sched(key->keyblock.contents, schedule)) {
     case -1:
 	return(KRB5DES_BAD_KEYPAR);
     case -2:
@@ -71,30 +71,30 @@ k5_des_docrypt(const krb5_keyblock *key, const krb5_data *ivec,
 }
 
 static krb5_error_code
-k5_des_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+k5_des_encrypt(krb5_key key, const krb5_data *ivec,
 	       const krb5_data *input, krb5_data *output)
 {
     return(k5_des_docrypt(key, ivec, input, output, 1));
 }
 
 static krb5_error_code
-k5_des_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+k5_des_decrypt(krb5_key key, const krb5_data *ivec,
 	       const krb5_data *input, krb5_data *output)
 {
     return(k5_des_docrypt(key, ivec, input, output, 0));
 }
 
 static krb5_error_code
-k5_des_docrypt_iov(const krb5_keyblock *key, const krb5_data *ivec,
+k5_des_docrypt_iov(krb5_key key, const krb5_data *ivec,
 		   krb5_crypto_iov *data, size_t num_data, int enc)
 {
     mit_des_key_schedule schedule;
     size_t input_length = 0;
     unsigned int i;
 
-    /* key->enctype was checked by the caller */
+    /* key->keyblock.enctype was checked by the caller */
 
-    if (key->length != 8)
+    if (key->keyblock.length != 8)
 	return(KRB5_BAD_KEYSIZE);
 
     for (i = 0; i < num_data; i++) {
@@ -109,7 +109,7 @@ k5_des_docrypt_iov(const krb5_keyblock *key, const krb5_data *ivec,
     if (ivec && (ivec->length != 8))
 	return(KRB5_BAD_MSIZE);
 
-    switch (mit_des_key_sched(key->contents, schedule)) {
+    switch (mit_des_key_sched(key->keyblock.contents, schedule)) {
     case -1:
 	return(KRB5DES_BAD_KEYPAR);
     case -2:
@@ -128,7 +128,7 @@ k5_des_docrypt_iov(const krb5_keyblock *key, const krb5_data *ivec,
 }
 
 static krb5_error_code
-k5_des_encrypt_iov(const krb5_keyblock *key,
+k5_des_encrypt_iov(krb5_key key,
 		    const krb5_data *ivec,
 		    krb5_crypto_iov *data,
 		    size_t num_data)
@@ -137,7 +137,7 @@ k5_des_encrypt_iov(const krb5_keyblock *key,
 }
 
 static krb5_error_code
-k5_des_decrypt_iov(const krb5_keyblock *key,
+k5_des_decrypt_iov(krb5_key key,
 		   const krb5_data *ivec,
 		   krb5_crypto_iov *data,
 		   size_t num_data)
diff --git a/src/lib/crypto/builtin/enc_provider/des3.c b/src/lib/crypto/builtin/enc_provider/des3.c
index 7dba292ae0..eae504b8c3 100644
--- a/src/lib/crypto/builtin/enc_provider/des3.c
+++ b/src/lib/crypto/builtin/enc_provider/des3.c
@@ -30,13 +30,13 @@
 #include <rand2key.h>
 
 static krb5_error_code
-validate_and_schedule(const krb5_keyblock *key, const krb5_data *ivec,
+validate_and_schedule(krb5_key key, const krb5_data *ivec,
 		      const krb5_data *input, const krb5_data *output,
 		      mit_des3_key_schedule *schedule)
 {
-    /* key->enctype was checked by the caller */
+    /* key->keyblock.enctype was checked by the caller */
 
-    if (key->length != 24)
+    if (key->keyblock.length != 24)
 	return(KRB5_BAD_KEYSIZE);
     if ((input->length%8) != 0)
 	return(KRB5_BAD_MSIZE);
@@ -45,7 +45,7 @@ validate_and_schedule(const krb5_keyblock *key, const krb5_data *ivec,
     if (input->length != output->length)
 	return(KRB5_BAD_MSIZE);
 
-    switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
+    switch (mit_des3_key_sched(*(mit_des3_cblock *)key->keyblock.contents,
 			       *schedule)) {
     case -1:
 	return(KRB5DES_BAD_KEYPAR);
@@ -56,7 +56,7 @@ validate_and_schedule(const krb5_keyblock *key, const krb5_data *ivec,
 }
 
 static krb5_error_code
-validate_and_schedule_iov(const krb5_keyblock *key, const krb5_data *ivec,
+validate_and_schedule_iov(krb5_key key, const krb5_data *ivec,
 			  const krb5_crypto_iov *data, size_t num_data,
 			  mit_des3_key_schedule *schedule)
 {
@@ -69,14 +69,14 @@ validate_and_schedule_iov(const krb5_keyblock *key, const krb5_data *ivec,
 	    input_length += iov->data.length;
     }
 
-    if (key->length != 24)
+    if (key->keyblock.length != 24)
 	return(KRB5_BAD_KEYSIZE);
     if ((input_length%8) != 0)
 	return(KRB5_BAD_MSIZE);
     if (ivec && (ivec->length != 8))
 	return(KRB5_BAD_MSIZE);
 
-    switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
+    switch (mit_des3_key_sched(*(mit_des3_cblock *)key->keyblock.contents,
 			       *schedule)) {
     case -1:
 	return(KRB5DES_BAD_KEYPAR);
@@ -87,7 +87,7 @@ validate_and_schedule_iov(const krb5_keyblock *key, const krb5_data *ivec,
 }
 
 static krb5_error_code
-k5_des3_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+k5_des3_encrypt(krb5_key key, const krb5_data *ivec,
 		const krb5_data *input, krb5_data *output)
 {
     mit_des3_key_schedule schedule;
@@ -109,7 +109,7 @@ k5_des3_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
 }
 
 static krb5_error_code
-k5_des3_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+k5_des3_decrypt(krb5_key key, const krb5_data *ivec,
 		const krb5_data *input, krb5_data *output)
 {
     mit_des3_key_schedule schedule;
@@ -131,7 +131,7 @@ k5_des3_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
 }
 
 static krb5_error_code
-k5_des3_encrypt_iov(const krb5_keyblock *key,
+k5_des3_encrypt_iov(krb5_key key,
 		    const krb5_data *ivec,
 		    krb5_crypto_iov *data,
 		    size_t num_data)
@@ -154,7 +154,7 @@ k5_des3_encrypt_iov(const krb5_keyblock *key,
 }
 
 static krb5_error_code
-k5_des3_decrypt_iov(const krb5_keyblock *key,
+k5_des3_decrypt_iov(krb5_key key,
 		    const krb5_data *ivec,
 		    krb5_crypto_iov *data,
 		    size_t num_data)
diff --git a/src/lib/crypto/builtin/enc_provider/rc4.c b/src/lib/crypto/builtin/enc_provider/rc4.c
index df2c914f88..47c131da4d 100644
--- a/src/lib/crypto/builtin/enc_provider/rc4.c
+++ b/src/lib/crypto/builtin/enc_provider/rc4.c
@@ -29,7 +29,7 @@ static void k5_arcfour_crypt(ArcfourContext *ctx, unsigned char *dest,
 
 /* Interface layer to kerb5 crypto layer */
 static krb5_error_code
-k5_arcfour_docrypt(const krb5_keyblock *, const krb5_data *,
+k5_arcfour_docrypt(krb5_key, const krb5_data *,
 		   const krb5_data *, krb5_data *);
 
 static const unsigned char arcfour_weakkey1[] = {0x00, 0x00, 0xfd};
@@ -113,14 +113,14 @@ k5_arcfour_init(ArcfourContext *ctx, const unsigned char *key,
 
 /* The workhorse of the arcfour system, this impliments the cipher */
 static krb5_error_code
-k5_arcfour_docrypt(const krb5_keyblock *key, const krb5_data *state,
+k5_arcfour_docrypt(krb5_key key, const krb5_data *state,
 	       const krb5_data *input, krb5_data *output)
 {
   ArcfourContext *arcfour_ctx;
   ArcFourCipherState *cipher_state;
   int ret;
 
-  if (key->length != 16)
+  if (key->keyblock.length != 16)
     return(KRB5_BAD_KEYSIZE);
   if (state && (state->length != sizeof (ArcFourCipherState)))
     return(KRB5_BAD_MSIZE);
@@ -131,7 +131,8 @@ k5_arcfour_docrypt(const krb5_keyblock *key, const krb5_data *state,
     cipher_state = (ArcFourCipherState *) state->data;
     arcfour_ctx=&cipher_state->ctx;
     if (cipher_state->initialized == 0) {
-      if ((ret=k5_arcfour_init(arcfour_ctx, key->contents, key->length))) {
+      if ((ret=k5_arcfour_init(arcfour_ctx, key->keyblock.contents,
+			       key->keyblock.length))) {
 	return ret;
       }
       cipher_state->initialized = 1;
@@ -142,7 +143,8 @@ k5_arcfour_docrypt(const krb5_keyblock *key, const krb5_data *state,
     arcfour_ctx=malloc(sizeof (ArcfourContext));
     if (arcfour_ctx == NULL)
       return ENOMEM;
-    if ((ret=k5_arcfour_init(arcfour_ctx, key->contents, key->length))) {
+    if ((ret=k5_arcfour_init(arcfour_ctx, key->keyblock.contents,
+			     key->keyblock.length))) {
       free(arcfour_ctx);
       return (ret);
     }
@@ -157,7 +159,7 @@ k5_arcfour_docrypt(const krb5_keyblock *key, const krb5_data *state,
 
 /* In-place encryption */
 static krb5_error_code
-k5_arcfour_docrypt_iov(const krb5_keyblock *key,
+k5_arcfour_docrypt_iov(krb5_key key,
 		       const krb5_data *state,
 		       krb5_crypto_iov *data,
 		       size_t num_data)
@@ -167,7 +169,7 @@ k5_arcfour_docrypt_iov(const krb5_keyblock *key,
     krb5_error_code ret;
     size_t i;
 
-    if (key->length != 16)
+    if (key->keyblock.length != 16)
 	return KRB5_BAD_KEYSIZE;
     if (state != NULL && (state->length != sizeof(ArcFourCipherState)))
 	return KRB5_BAD_MSIZE;
@@ -176,7 +178,8 @@ k5_arcfour_docrypt_iov(const krb5_keyblock *key,
 	cipher_state = (ArcFourCipherState *)state->data;
 	arcfour_ctx = &cipher_state->ctx;
 	if (cipher_state->initialized == 0) {
-	    ret = k5_arcfour_init(arcfour_ctx, key->contents, key->length);
+	    ret = k5_arcfour_init(arcfour_ctx, key->keyblock.contents,
+				  key->keyblock.length);
 	    if (ret != 0)
 		return ret;
 
@@ -187,7 +190,8 @@ k5_arcfour_docrypt_iov(const krb5_keyblock *key,
 	if (arcfour_ctx == NULL)
 	    return ENOMEM;
 
-	ret = k5_arcfour_init(arcfour_ctx, key->contents, key->length);
+	ret = k5_arcfour_init(arcfour_ctx, key->keyblock.contents,
+			      key->keyblock.length);
 	if (ret != 0) {
 	    free(arcfour_ctx);
 	    return ret;
author	Greg Hudson <ghudson@mit.edu>	2009-10-19 20:04:21 +0000
committer	Greg Hudson <ghudson@mit.edu>	2009-10-19 20:04:21 +0000
commit	e6b93b7dd43bb765900b2db71641479b597844da (patch)
tree	2b6da09e37da6ca699a8cb43c87e8a4218132254 /src/lib/crypto/builtin/enc_provider
parent	04a5d19e61bedbb1da4db52334c00f7a54a9d5a8 (diff)
download	krb5-e6b93b7dd43bb765900b2db71641479b597844da.tar.gz krb5-e6b93b7dd43bb765900b2db71641479b597844da.tar.xz krb5-e6b93b7dd43bb765900b2db71641479b597844da.zip