Implement new APIs to allow improved crypto performance

Merge branches/enc-perf to trunk.  Adds the krb5_key opaque type, the
krb5_k_* APIs to use them, and caching of derived keys when krb5_k_*
functions are used.  Updates the krb5 auth context and GSS id-rec to
use krb5_keys.

ticket: 6576

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22944 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 69 insertions, 0 deletions

diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 81bc1cf6e..e0128d058 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -341,6 +341,7 @@ struct _krb5_cryptosystem_entry;
  * begin "encryption.h"
  */
 
+/* Exposed contents of a key. */
 typedef struct _krb5_keyblock {
     krb5_magic magic;
     krb5_enctype enctype;
@@ -348,6 +349,16 @@ typedef struct _krb5_keyblock {
     krb5_octet *contents;
 } krb5_keyblock;
 
+/*
+ * Opaque identifier for a key.  Use with the krb5_k APIs for better
+ * performance for repeated operations with the same key usage.  Key
+ * identifiers must not be used simultaneously within multiple
+ * threads, as they may contain mutable internal state and are not
+ * mutex-protected.
+ */
+struct krb5_key_st;
+typedef struct krb5_key_st *krb5_key;
+
 #ifdef KRB5_OLD_CRYPTO
 typedef struct _krb5_encrypt_block {
     krb5_magic magic;
@@ -705,6 +716,64 @@ krb5_error_code KRB5_CALLCONV
     (krb5_context context, krb5_enctype enctype,
 		    size_t data_length, unsigned int *size);
 
+krb5_error_code KRB5_CALLCONV
+krb5_k_create_key(krb5_context context, const krb5_keyblock *key_data,
+		  krb5_key *out);
+
+/* Keys are logically immutable and can be "copied" by reference count. */
+void KRB5_CALLCONV krb5_k_reference_key(krb5_context context, krb5_key key);
+
+/* Decrement the reference count on a key and free it if it hits zero. */
+void KRB5_CALLCONV krb5_k_free_key(krb5_context context, krb5_key key);
+
+krb5_error_code KRB5_CALLCONV
+krb5_k_key_keyblock(krb5_context context, krb5_key key,
+		    krb5_keyblock **key_data);
+
+krb5_enctype KRB5_CALLCONV
+krb5_k_key_enctype(krb5_context context, krb5_key key);
+
+krb5_error_code KRB5_CALLCONV
+krb5_k_encrypt(krb5_context context, krb5_key key, krb5_keyusage usage,
+	       const krb5_data *cipher_state, const krb5_data *input,
+	       krb5_enc_data *output);
+
+krb5_error_code KRB5_CALLCONV
+krb5_k_encrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage,
+		   const krb5_data *cipher_state, krb5_crypto_iov *data,
+		   size_t num_data);
+
+krb5_error_code KRB5_CALLCONV
+krb5_k_decrypt(krb5_context context, krb5_key key, krb5_keyusage usage,
+	       const krb5_data *cipher_state, const krb5_enc_data *input,
+	       krb5_data *output);
+
+krb5_error_code KRB5_CALLCONV
+krb5_k_decrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage,
+		   const krb5_data *cipher_state, krb5_crypto_iov *data,
+		   size_t num_data);
+
+krb5_error_code KRB5_CALLCONV
+krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
+		     krb5_key key, krb5_keyusage usage, const krb5_data *input,
+		     krb5_checksum *cksum);
+
+krb5_error_code KRB5_CALLCONV
+krb5_k_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype,
+			 krb5_key key, krb5_keyusage usage,
+			 krb5_crypto_iov *data, size_t num_data);
+
+krb5_error_code KRB5_CALLCONV
+krb5_k_verify_checksum(krb5_context context, krb5_key key, krb5_keyusage usage,
+		       const krb5_data *data, const krb5_checksum *cksum,
+		       krb5_boolean *valid);
+
+krb5_error_code KRB5_CALLCONV
+krb5_k_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype,
+			   krb5_key key, krb5_keyusage usage,
+			   const krb5_crypto_iov *data, size_t num_data,
+			   krb5_boolean *valid);
+
 #ifdef KRB5_OLD_CRYPTO
 /*
  * old cryptosystem routine prototypes.  These are now layered