svn rev #22870: branches/enc-perf/src/ include/ lib/krb5/krb/

ghudson@MIT.EDU ghudson at MIT.EDU
Thu Oct 8 10:39:25 EDT 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=22870
Commit By: ghudson
Log Message:
Change the krb5_keyblocks in the libkrb5 auth context to krb5_keys,
and use krb5_k functions to encrypt and decrypt with them.



Changed Files:
U   branches/enc-perf/src/include/k5-int.h
U   branches/enc-perf/src/lib/krb5/krb/auth_con.c
U   branches/enc-perf/src/lib/krb5/krb/auth_con.h
U   branches/enc-perf/src/lib/krb5/krb/enc_helper.c
U   branches/enc-perf/src/lib/krb5/krb/mk_cred.c
U   branches/enc-perf/src/lib/krb5/krb/mk_priv.c
U   branches/enc-perf/src/lib/krb5/krb/mk_rep.c
U   branches/enc-perf/src/lib/krb5/krb/mk_req_ext.c
U   branches/enc-perf/src/lib/krb5/krb/mk_safe.c
U   branches/enc-perf/src/lib/krb5/krb/rd_cred.c
U   branches/enc-perf/src/lib/krb5/krb/rd_priv.c
U   branches/enc-perf/src/lib/krb5/krb/rd_rep.c
U   branches/enc-perf/src/lib/krb5/krb/rd_req_dec.c
U   branches/enc-perf/src/lib/krb5/krb/rd_safe.c
U   branches/enc-perf/src/lib/krb5/krb/ser_actx.c
Modified: branches/enc-perf/src/include/k5-int.h
===================================================================
--- branches/enc-perf/src/include/k5-int.h	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/include/k5-int.h	2009-10-08 14:39:24 UTC (rev 22870)
@@ -871,6 +871,11 @@
 		krb5_keyusage keyusage, const krb5_data *plain,
 		krb5_enc_data *cipher);
 
+krb5_error_code krb5_encrypt_keyhelper
+(krb5_context context, krb5_key key,
+		krb5_keyusage keyusage, const krb5_data *plain,
+		krb5_enc_data *cipher);
+
 /*
  * End "los-proto.h"
  */

Modified: branches/enc-perf/src/lib/krb5/krb/auth_con.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/auth_con.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/auth_con.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -56,12 +56,12 @@
 	krb5_free_address(context, auth_context->remote_port);
     if (auth_context->authentp) 
 	krb5_free_authenticator(context, auth_context->authentp);
-    if (auth_context->keyblock) 
-	krb5_free_keyblock(context, auth_context->keyblock);
+    if (auth_context->key)
+	krb5_k_free_key(context, auth_context->key);
     if (auth_context->send_subkey) 
-	krb5_free_keyblock(context, auth_context->send_subkey);
+	krb5_k_free_key(context, auth_context->send_subkey);
     if (auth_context->recv_subkey) 
-	krb5_free_keyblock(context, auth_context->recv_subkey);
+	krb5_k_free_key(context, auth_context->recv_subkey);
     if (auth_context->rcache)
 	krb5_rc_close(context, auth_context->rcache);
     if (auth_context->permitted_etypes)
@@ -158,16 +158,16 @@
 krb5_error_code KRB5_CALLCONV
 krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock)
 {
-    if (auth_context->keyblock)
-	krb5_free_keyblock(context, auth_context->keyblock);
-    return(krb5_copy_keyblock(context, keyblock, &(auth_context->keyblock)));
+    if (auth_context->key)
+	krb5_k_free_key(context, auth_context->key);
+    return(krb5_k_create_key(context, keyblock, &(auth_context->key)));
 }
 
 krb5_error_code KRB5_CALLCONV
 krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)
 {
-    if (auth_context->keyblock)
-    	return krb5_copy_keyblock(context, auth_context->keyblock, keyblock);
+    if (auth_context->key)
+    	return krb5_k_key_keyblock(context, auth_context->key, keyblock);
     *keyblock = NULL;
     return 0;
 }
@@ -188,10 +188,10 @@
 krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)
 {
     if (ac->send_subkey != NULL)
-	krb5_free_keyblock(ctx, ac->send_subkey);
+	krb5_k_free_key(ctx, ac->send_subkey);
     ac->send_subkey = NULL;
     if (keyblock !=NULL)
-	return krb5_copy_keyblock(ctx, keyblock, &ac->send_subkey);
+	return krb5_k_create_key(ctx, keyblock, &ac->send_subkey);
     else
 	return 0;
 }
@@ -200,10 +200,10 @@
 krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)
 {
     if (ac->recv_subkey != NULL)
-	krb5_free_keyblock(ctx, ac->recv_subkey);
+	krb5_k_free_key(ctx, ac->recv_subkey);
     ac->recv_subkey = NULL;
     if (keyblock != NULL)
-	return krb5_copy_keyblock(ctx, keyblock, &ac->recv_subkey);
+	return krb5_k_create_key(ctx, keyblock, &ac->recv_subkey);
     else
 	return 0;
 }
@@ -212,7 +212,7 @@
 krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
 {
     if (ac->send_subkey != NULL)
-	return krb5_copy_keyblock(ctx, ac->send_subkey, keyblock);
+	return krb5_k_key_keyblock(ctx, ac->send_subkey, keyblock);
     *keyblock = NULL;
     return 0;
 }
@@ -221,7 +221,7 @@
 krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
 {
     if (ac->recv_subkey != NULL)
-	return krb5_copy_keyblock(ctx, ac->recv_subkey, keyblock);
+	return krb5_k_key_keyblock(ctx, ac->recv_subkey, keyblock);
     *keyblock = NULL;
     return 0;
 }
@@ -266,12 +266,13 @@
 krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context)
 {
     krb5_error_code ret;
+    krb5_enctype enctype;
 
-    if (auth_context->keyblock) {
+    if (auth_context->key) {
 	size_t blocksize;
 
-	if ((ret = krb5_c_block_size(context, auth_context->keyblock->enctype,
-				    &blocksize)))
+	enctype = krb5_k_key_enctype(context, auth_context->key);
+	if ((ret = krb5_c_block_size(context, enctype, &blocksize)))
 	    return(ret);
 	if ((auth_context->i_vector = (krb5_pointer)calloc(1,blocksize))) {
 	    return 0;

Modified: branches/enc-perf/src/lib/krb5/krb/auth_con.h
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/auth_con.h	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/auth_con.h	2009-10-08 14:39:24 UTC (rev 22870)
@@ -8,9 +8,9 @@
     krb5_address      *	remote_port;
     krb5_address      *	local_addr;
     krb5_address      *	local_port;
-    krb5_keyblock     * keyblock;
-    krb5_keyblock     * send_subkey;
-    krb5_keyblock     * recv_subkey;
+    krb5_key            key;
+    krb5_key            send_subkey;
+    krb5_key            recv_subkey;
 
     krb5_int32		auth_context_flags;
     krb5_ui_4		remote_seq_number;

Modified: branches/enc-perf/src/lib/krb5/krb/enc_helper.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/enc_helper.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/enc_helper.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -48,3 +48,28 @@
     return(ret);
 }
 	
+krb5_error_code
+krb5_encrypt_keyhelper(krb5_context context, krb5_key key, krb5_keyusage usage,
+		       const krb5_data *plain, krb5_enc_data *cipher)
+{
+    krb5_enctype enctype;
+    krb5_error_code ret;
+    size_t enclen;
+
+    enctype = krb5_k_key_enctype(context, key);
+    ret = krb5_c_encrypt_length(context, enctype, plain->length, &enclen);
+    if (ret != 0)
+	return ret;
+
+    cipher->ciphertext.length = enclen;
+    cipher->ciphertext.data = malloc(enclen);
+    if (cipher->ciphertext.data == NULL)
+	return ENOMEM;
+    ret = krb5_k_encrypt(context, key, usage, 0, plain, cipher);
+    if (ret) {
+	free(cipher->ciphertext.data);
+	cipher->ciphertext.data = NULL;
+    }
+
+    return ret;
+}

Modified: branches/enc-perf/src/lib/krb5/krb/mk_cred.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/mk_cred.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/mk_cred.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -22,7 +22,7 @@
  */
 static krb5_error_code 
 encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart,
-		    krb5_keyblock *pkeyblock, krb5_enc_data *pencdata)
+		    krb5_key pkey, krb5_enc_data *pencdata)
 {
     krb5_error_code 	  retval;
     krb5_data 		* scratch;
@@ -35,7 +35,7 @@
      * If the keyblock is NULL, just copy the data from the encoded
      * data to the ciphertext area.
      */
-    if (pkeyblock == NULL) {
+    if (pkey == NULL) {
 	    pencdata->ciphertext.data = scratch->data;
 	    pencdata->ciphertext.length = scratch->length;
 	    free(scratch);
@@ -43,9 +43,9 @@
     }
 
     /* call the encryption routine */
-    retval = krb5_encrypt_helper(context, pkeyblock,
-				 KRB5_KEYUSAGE_KRB_CRED_ENCPART,
-				 scratch, pencdata);
+    retval = krb5_encrypt_keyhelper(context, pkey,
+				    KRB5_KEYUSAGE_KRB_CRED_ENCPART,
+				    scratch, pencdata);
 
     if (retval) {
     	memset(pencdata->ciphertext.data, 0, pencdata->ciphertext.length);
@@ -65,7 +65,7 @@
 static krb5_error_code
 krb5_mk_ncred_basic(krb5_context context,
 		    krb5_creds **ppcreds, krb5_int32 nppcreds,
-		    krb5_keyblock *keyblock, krb5_replay_data *replaydata,
+		    krb5_key key, krb5_replay_data *replaydata,
 		    krb5_address *local_addr, krb5_address *remote_addr,
 		    krb5_cred *pcred)
 {
@@ -134,8 +134,7 @@
     pcred->tickets[i] = NULL;
 
     /* encrypt the credential encrypted part */
-    retval = encrypt_credencpart(context, &credenc, keyblock,
-				 &pcred->enc_part);
+    retval = encrypt_credencpart(context, &credenc, key, &pcred->enc_part);
 
 cleanup:
     krb5_free_cred_enc_part(context, &credenc);
@@ -158,7 +157,7 @@
     krb5_address remote_fulladdr;
     krb5_address local_fulladdr;
     krb5_error_code 	retval;
-    krb5_keyblock	 * keyblock;
+    krb5_key		key;
     krb5_replay_data    replaydata;
     krb5_cred 		 * pcred;
     krb5_int32		ncred;
@@ -188,8 +187,8 @@
     }
 
     /* Get keyblock */
-    if ((keyblock = auth_context->send_subkey) == NULL) 
-	keyblock = auth_context->keyblock;
+    if ((key = auth_context->send_subkey) == NULL)
+	key = auth_context->key;
 
     /* Get replay info */
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
@@ -246,7 +245,7 @@
     }
 
     /* Setup creds structure */
-    if ((retval = krb5_mk_ncred_basic(context, ppcreds, ncred, keyblock,
+    if ((retval = krb5_mk_ncred_basic(context, ppcreds, ncred, key,
 				      &replaydata, plocal_fulladdr, 
 				      premote_fulladdr, pcred))) {
 	goto error;

Modified: branches/enc-perf/src/lib/krb5/krb/mk_priv.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/mk_priv.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/mk_priv.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -33,10 +33,11 @@
 
 static krb5_error_code
 krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata,
-		   const krb5_keyblock *keyblock, krb5_replay_data *replaydata,
+		   krb5_key key, krb5_replay_data *replaydata,
 		   krb5_address *local_addr, krb5_address *remote_addr,
 		   krb5_pointer i_vector, krb5_data *outbuf)
 {
+    krb5_enctype	enctype = krb5_k_key_enctype(context, key);
     krb5_error_code 	retval;
     krb5_priv 		privmsg;
     krb5_priv_enc_part 	privmsg_enc_part;
@@ -44,7 +45,7 @@
     size_t		blocksize, enclen;
 
     privmsg.enc_part.kvno = 0;	/* XXX allow user-set? */
-    privmsg.enc_part.enctype = keyblock->enctype; 
+    privmsg.enc_part.enctype = enctype;
 
     privmsg_enc_part.user_data = *userdata;
     privmsg_enc_part.s_address = local_addr;
@@ -60,7 +61,7 @@
 	return retval;
 
     /* put together an eblock for this encryption */
-    if ((retval = krb5_c_encrypt_length(context, keyblock->enctype,
+    if ((retval = krb5_c_encrypt_length(context, enctype,
 					scratch1->length, &enclen)))
 	goto clean_scratch;
 
@@ -73,15 +74,14 @@
 
     /* call the encryption routine */
     if (i_vector) {
-	if ((retval = krb5_c_block_size(context, keyblock->enctype,
-					&blocksize)))
+	if ((retval = krb5_c_block_size(context, enctype, &blocksize)))
 	    goto clean_encpart;
 
 	ivdata.length = blocksize;
 	ivdata.data = i_vector;
     }
 
-    if ((retval = krb5_c_encrypt(context, keyblock,
+    if ((retval = krb5_k_encrypt(context, key,
 				 KRB5_KEYUSAGE_KRB_PRIV_ENCPART,
 				 i_vector?&ivdata:0,
 				 scratch1, &privmsg.enc_part)))
@@ -115,15 +115,15 @@
 	     krb5_replay_data *outdata)
 {
     krb5_error_code 	  retval;
-    krb5_keyblock       * keyblock;
+    krb5_key              key;
     krb5_replay_data      replaydata;
 
     /* Clear replaydata block */
     memset(&replaydata, 0, sizeof(krb5_replay_data));
 
     /* Get keyblock */
-    if ((keyblock = auth_context->send_subkey) == NULL)
-	keyblock = auth_context->keyblock;
+    if ((key = auth_context->send_subkey) == NULL)
+	key = auth_context->key;
 
     /* Get replay info */
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
@@ -192,7 +192,7 @@
 	}
     }
 
-    if ((retval = krb5_mk_priv_basic(context, userdata, keyblock, &replaydata, 
+    if ((retval = krb5_mk_priv_basic(context, userdata, key, &replaydata,
 				     plocal_fulladdr, premote_fulladdr,
 				     auth_context->i_vector, outbuf))) {
 	CLEANUP_DONE();

Modified: branches/enc-perf/src/lib/krb5/krb/mk_rep.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/mk_rep.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/mk_rep.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -80,7 +80,8 @@
     if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
 	(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
 	(auth_context->local_seq_number == 0)) {
-	if ((retval = krb5_generate_seq_number(context, auth_context->keyblock,
+	if ((retval = krb5_generate_seq_number(context,
+					       &auth_context->key->keyblock,
 					       &auth_context->local_seq_number)))
             return(retval);
     }
@@ -98,11 +99,11 @@
 	assert(auth_context->negotiated_etype != ENCTYPE_NULL);
 
 	retval = krb5int_generate_and_save_subkey (context, auth_context,
-						   auth_context->keyblock,
+						   &auth_context->key->keyblock,
 						   auth_context->negotiated_etype);
 	if (retval)
 	    return retval;
-	repl.subkey = auth_context->send_subkey;
+	repl.subkey = &auth_context->send_subkey->keyblock;
     } else
 	repl.subkey = auth_context->authentp->subkey;
 
@@ -115,9 +116,9 @@
     if ((retval = encode_krb5_ap_rep_enc_part(&repl, &scratch)))
 	return retval;
 
-    if ((retval = krb5_encrypt_helper(context, auth_context->keyblock,
-				      KRB5_KEYUSAGE_AP_REP_ENCPART,
-				      scratch, &reply.enc_part)))
+    if ((retval = krb5_encrypt_keyhelper(context, auth_context->key,
+					 KRB5_KEYUSAGE_AP_REP_ENCPART,
+					 scratch, &reply.enc_part)))
 	goto cleanup_scratch;
 
     if (!(retval = encode_krb5_ap_rep(&reply, &toutbuf))) {

Modified: branches/enc-perf/src/lib/krb5/krb/mk_req_ext.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/mk_req_ext.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/mk_req_ext.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -73,7 +73,7 @@
 static krb5_error_code 
 krb5_generate_authenticator (krb5_context,
 				       krb5_authenticator *, krb5_principal,
-				       krb5_checksum *, krb5_keyblock *,
+				       krb5_checksum *, krb5_key,
 				       krb5_ui_4, krb5_authdata **,
 				       krb5_enctype *desired_etypes,
 				       krb5_enctype tkt_enctype);
@@ -93,6 +93,7 @@
     } rnd_data;
     krb5_data d;
     krb5_error_code retval;
+    krb5_keyblock *kb = NULL;
 
     if (krb5_crypto_us_timeofday(&rnd_data.sec, &rnd_data.usec) == 0) {
 	d.length = sizeof(rnd_data);
@@ -100,22 +101,23 @@
 	krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TIMING, &d);
     }
 
-    if (auth_context->send_subkey)
-	krb5_free_keyblock(context, auth_context->send_subkey);
-    if ((retval = krb5_generate_subkey_extended(context, keyblock, enctype,
-						&auth_context->send_subkey)))
+    retval = krb5_generate_subkey_extended(context, keyblock, enctype, &kb);
+    if (retval)
 	return retval;
+    retval = krb5_auth_con_setsendsubkey(context, auth_context, kb);
+    if (retval)
+	goto cleanup;
+    retval = krb5_auth_con_setrecvsubkey(context, auth_context, kb);
+    if (retval)
+	goto cleanup;
 
-    if (auth_context->recv_subkey)
-	krb5_free_keyblock(context, auth_context->recv_subkey);
-    retval = krb5_copy_keyblock(context, auth_context->send_subkey,
-				&auth_context->recv_subkey);
+cleanup:
     if (retval) {
-	krb5_free_keyblock(context, auth_context->send_subkey);
-	auth_context->send_subkey = NULL;
-	return retval;
+	(void) krb5_auth_con_setsendsubkey(context, auth_context, NULL);
+	(void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
     }
-    return 0;
+    krb5_free_keyblock(context, kb);
+    return retval;
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -159,14 +161,14 @@
 	*auth_context = new_auth_context;
     }
 
-    if ((*auth_context)->keyblock != NULL) {
-	krb5_free_keyblock(context, (*auth_context)->keyblock);
-	(*auth_context)->keyblock = NULL;
+    if ((*auth_context)->key != NULL) {
+	krb5_k_free_key(context, (*auth_context)->key);
+	(*auth_context)->key = NULL;
     }
 
     /* set auth context keyblock */
-    if ((retval = krb5_copy_keyblock(context, &in_creds->keyblock, 
-				     &((*auth_context)->keyblock))))
+    if ((retval = krb5_k_create_key(context, &in_creds->keyblock,
+				    &((*auth_context)->key))))
 	goto cleanup;
 
     /* generate seq number if needed */
@@ -205,16 +207,18 @@
 	    checksum.length = in_data->length;
 	    checksum.contents = (krb5_octet *) in_data->data;
 	} else {
+	    krb5_enctype enctype = krb5_k_key_enctype(context,
+						      (*auth_context)->key);
 	    krb5_cksumtype cksumtype;
-	    retval = krb5int_c_mandatory_cksumtype(context, (*auth_context)->keyblock->enctype,
+	    retval = krb5int_c_mandatory_cksumtype(context, enctype,
 						   &cksumtype);
 	    if (retval)
 		goto cleanup_cksum;
 	    if ((*auth_context)->req_cksumtype)
 		cksumtype = (*auth_context)->req_cksumtype;
-	    if ((retval = krb5_c_make_checksum(context, 
+	    if ((retval = krb5_k_make_checksum(context,
 					       cksumtype,
-					       (*auth_context)->keyblock,
+					       (*auth_context)->key,
 					       KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM,
 					       in_data, &checksum)))
 		goto cleanup_cksum;
@@ -297,7 +301,7 @@
 static krb5_error_code
 krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent,
 			    krb5_principal client, krb5_checksum *cksum,
-			    krb5_keyblock *key, krb5_ui_4 seq_number,
+			    krb5_key key, krb5_ui_4 seq_number,
 			    krb5_authdata **authorization,
 			    krb5_enctype *desired_etypes,
 			    krb5_enctype tkt_enctype)
@@ -307,7 +311,7 @@
     authent->client = client;
     authent->checksum = cksum;
     if (key) {
-	retval = krb5_copy_keyblock(context, key, &authent->subkey);
+	retval = krb5_k_key_keyblock(context, key, &authent->subkey);
 	if (retval)
 	    return retval;
     } else

Modified: branches/enc-perf/src/lib/krb5/krb/mk_safe.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/mk_safe.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/mk_safe.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -48,7 +48,7 @@
 */
 static krb5_error_code
 krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata,
-		   const krb5_keyblock *keyblock, krb5_replay_data *replaydata,
+		   krb5_key key, krb5_replay_data *replaydata,
 		   krb5_address *local_addr, krb5_address *remote_addr,
 		   krb5_cksumtype sumtype, krb5_data *outbuf)
 {
@@ -88,7 +88,7 @@
     if ((retval = encode_krb5_safe(&safemsg, &scratch1)))
 	return retval;
 
-    if ((retval = krb5_c_make_checksum(context, sumtype, keyblock,
+    if ((retval = krb5_k_make_checksum(context, sumtype, key,
 				       KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
 				       scratch1, &safe_checksum)))
 	goto cleanup_checksum;
@@ -115,15 +115,15 @@
 	     krb5_replay_data *outdata)
 {
     krb5_error_code 	  retval;
-    krb5_keyblock       * keyblock;
+    krb5_key              key;
     krb5_replay_data      replaydata;
 
     /* Clear replaydata block */
     memset(&replaydata, 0, sizeof(krb5_replay_data));
 
-    /* Get keyblock */
-    if ((keyblock = auth_context->send_subkey) == NULL)
-	keyblock = auth_context->keyblock;
+    /* Get key */
+    if ((key = auth_context->send_subkey) == NULL)
+	key = auth_context->key;
 
     /* Get replay info */
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
@@ -195,10 +195,11 @@
     }
 
     {
+	krb5_enctype enctype = krb5_k_key_enctype(context, key);
 	unsigned int nsumtypes;
 	unsigned int i;
 	krb5_cksumtype *sumtypes;
-	retval = krb5_c_keyed_checksum_types (context, keyblock->enctype,
+	retval = krb5_c_keyed_checksum_types (context, enctype,
 					      &nsumtypes, &sumtypes);
 	if (retval) {
 	    CLEANUP_DONE ();
@@ -218,7 +219,7 @@
 	sumtype = sumtypes[i];
 	krb5_free_cksumtypes (context, sumtypes);
     }
-    if ((retval = krb5_mk_safe_basic(context, userdata, keyblock, &replaydata, 
+    if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata,
 				     plocal_fulladdr, premote_fulladdr,
 				     sumtype, outbuf))) {
 	CLEANUP_DONE();

Modified: branches/enc-perf/src/lib/krb5/krb/rd_cred.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/rd_cred.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/rd_cred.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -13,7 +13,7 @@
  */
 static krb5_error_code 
 decrypt_credencdata(krb5_context context, krb5_cred *pcred,
-		    krb5_keyblock *pkeyblock, krb5_cred_enc_part *pcredenc)
+		    krb5_key pkey, krb5_cred_enc_part *pcredenc)
 {
     krb5_cred_enc_part  * ppart = NULL;
     krb5_error_code 	  retval;
@@ -23,8 +23,8 @@
     if (!(scratch.data = (char *)malloc(scratch.length))) 
 	return ENOMEM;
 
-    if (pkeyblock != NULL) {
-	if ((retval = krb5_c_decrypt(context, pkeyblock,
+    if (pkey != NULL) {
+	if ((retval = krb5_k_decrypt(context, pkey,
 				     KRB5_KEYUSAGE_KRB_CRED_ENCPART, 0,
 				     &pcred->enc_part, &scratch)))
 	    goto cleanup;
@@ -53,7 +53,7 @@
 
 static krb5_error_code 
 krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata,
-		   krb5_keyblock *pkeyblock, krb5_replay_data *replaydata,
+		   krb5_key pkey, krb5_replay_data *replaydata,
 		   krb5_creds ***pppcreds)
 {
     krb5_error_code       retval;
@@ -68,7 +68,7 @@
 
     memset(&encpart, 0, sizeof(encpart));
 
-    if ((retval = decrypt_credencdata(context, pcred, pkeyblock, &encpart)))
+    if ((retval = decrypt_credencdata(context, pcred, pkey, &encpart)))
 	goto cleanup_cred;
 
 
@@ -167,12 +167,12 @@
 	     krb5_replay_data *outdata)
 {
     krb5_error_code       retval;
-    krb5_keyblock       * keyblock;
+    krb5_key              key;
     krb5_replay_data      replaydata;
 
-    /* Get keyblock */
-    if ((keyblock = auth_context->recv_subkey) == NULL)
-	keyblock = auth_context->keyblock;
+    /* Get key */
+    if ((key = auth_context->recv_subkey) == NULL)
+	key = auth_context->key;
 
     if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
       (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
@@ -186,14 +186,14 @@
 
 
     /*
-     * If decrypting with the first keyblock we try fails, perhaps the
+     * If decrypting with the first key we try fails, perhaps the
      * credentials are stored in the session key so try decrypting with
      * that.
      */
-    if ((retval = krb5_rd_cred_basic(context, pcreddata, keyblock,
+    if ((retval = krb5_rd_cred_basic(context, pcreddata, key,
 				     &replaydata, pppcreds))) {
 	if ((retval = krb5_rd_cred_basic(context, pcreddata,
-					 auth_context->keyblock,
+					 auth_context->key,
 					 &replaydata, pppcreds))) {
 	    return retval;
 	}

Modified: branches/enc-perf/src/lib/krb5/krb/rd_priv.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/rd_priv.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/rd_priv.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -54,8 +54,7 @@
 
 static krb5_error_code
 krb5_rd_priv_basic(krb5_context context, const krb5_data *inbuf,
-		   const krb5_keyblock *keyblock,
-		   const krb5_address *local_addr,
+		   const krb5_key key, const krb5_address *local_addr,
 		   const krb5_address *remote_addr, krb5_pointer i_vector,
 		   krb5_replay_data *replaydata, krb5_data *outbuf)
 {
@@ -65,6 +64,7 @@
     krb5_priv_enc_part  * privmsg_enc_part;
     size_t		  blocksize;
     krb5_data		  ivdata;
+    krb5_enctype	  enctype;
 
     if (!krb5_is_krb_priv(inbuf))
 	return KRB5KRB_AP_ERR_MSG_TYPE;
@@ -74,8 +74,8 @@
 	return retval;
     
     if (i_vector) {
-	if ((retval = krb5_c_block_size(context, keyblock->enctype,
-					&blocksize)))
+	enctype = krb5_k_key_enctype(context, key);
+	if ((retval = krb5_c_block_size(context, enctype, &blocksize)))
 	    goto cleanup_privmsg;
 
 	ivdata.length = blocksize;
@@ -88,7 +88,7 @@
 	goto cleanup_privmsg;
     }
 
-    if ((retval = krb5_c_decrypt(context, keyblock,
+    if ((retval = krb5_k_decrypt(context, key,
 				 KRB5_KEYUSAGE_KRB_PRIV_ENCPART, 
 				 i_vector?&ivdata:0,
 				 &privmsg->enc_part, &scratch)))
@@ -156,12 +156,12 @@
 	     krb5_replay_data *outdata)
 {
     krb5_error_code 	  retval;
-    krb5_keyblock       * keyblock;
+    krb5_key              key;
     krb5_replay_data	  replaydata;
 
-    /* Get keyblock */
-    if ((keyblock = auth_context->recv_subkey) == NULL)
-	keyblock = auth_context->keyblock;
+    /* Get key */
+    if ((key = auth_context->recv_subkey) == NULL)
+	key = auth_context->key;
 
     if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
       (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
@@ -213,7 +213,7 @@
     }
 
     memset(&replaydata, 0, sizeof(replaydata));
-    if ((retval = krb5_rd_priv_basic(context, inbuf, keyblock,
+    if ((retval = krb5_rd_priv_basic(context, inbuf, key,
 				     plocal_fulladdr,
 				     premote_fulladdr,
 				     auth_context->i_vector,

Modified: branches/enc-perf/src/lib/krb5/krb/rd_rep.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/rd_rep.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/rd_rep.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -95,7 +95,7 @@
 	goto clean_scratch;
     }
 
-    retval = krb5_c_decrypt(context, auth_context->keyblock,
+    retval = krb5_k_decrypt(context, auth_context->key,
 			    KRB5_KEYUSAGE_AP_REP_ENCPART, 0,
 			    &reply->enc_part, &scratch);
     if (retval)
@@ -115,23 +115,14 @@
 
     /* Set auth subkey. */
     if (enc->subkey) {
-	if (auth_context->recv_subkey) {
-	    krb5_free_keyblock(context, auth_context->recv_subkey);
-	    auth_context->recv_subkey = NULL;
-	}
-	retval = krb5_copy_keyblock(context, enc->subkey,
-				    &auth_context->recv_subkey);
+	retval = krb5_auth_con_setrecvsubkey(context, auth_context,
+					     enc->subkey);
 	if (retval)
 	    goto clean_scratch;
-	if (auth_context->send_subkey) {
-	    krb5_free_keyblock(context, auth_context->send_subkey);
-	    auth_context->send_subkey = NULL;
-	}
-	retval = krb5_copy_keyblock(context, enc->subkey,
-				    &auth_context->send_subkey);
+	retval = krb5_auth_con_setsendsubkey(context, auth_context,
+					     enc->subkey);
 	if (retval) {
-	    krb5_free_keyblock(context, auth_context->send_subkey);
-	    auth_context->send_subkey = NULL;
+	    (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
 	    goto clean_scratch;
 	}
 	/* Not used for anything yet. */
@@ -178,7 +169,7 @@
 	return(ENOMEM);
     }
 
-    if ((retval = krb5_c_decrypt(context, auth_context->keyblock,
+    if ((retval = krb5_k_decrypt(context, auth_context->key,
 				 KRB5_KEYUSAGE_AP_REP_ENCPART, 0,
 				 &reply->enc_part, &scratch)))
 	goto clean_scratch;

Modified: branches/enc-perf/src/lib/krb5/krb/rd_req_dec.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/rd_req_dec.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/rd_req_dec.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -227,12 +227,13 @@
        do we need special processing here ?	*/
 
     /* decrypt the ticket */
-    if ((*auth_context)->keyblock) { /* User to User authentication */
-    	if ((retval = krb5_decrypt_tkt_part(context, (*auth_context)->keyblock,
+    if ((*auth_context)->key) { /* User to User authentication */
+    	if ((retval = krb5_decrypt_tkt_part(context,
+					    &(*auth_context)->key->keyblock,
 					    req->ticket)))
 	    goto cleanup;
-	krb5_free_keyblock(context, (*auth_context)->keyblock);
-	(*auth_context)->keyblock = NULL;
+	krb5_k_free_key(context, (*auth_context)->key);
+	(*auth_context)->key = NULL;
     } else {
     	if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, server, keytab)))
 	    goto cleanup;
@@ -459,14 +460,14 @@
 
     (*auth_context)->remote_seq_number = (*auth_context)->authentp->seq_number;
     if ((*auth_context)->authentp->subkey) {
-	if ((retval = krb5_copy_keyblock(context,
-					 (*auth_context)->authentp->subkey,
-					 &((*auth_context)->recv_subkey))))
+	if ((retval = krb5_k_create_key(context,
+					(*auth_context)->authentp->subkey,
+					&((*auth_context)->recv_subkey))))
 	    goto cleanup;
-	retval = krb5_copy_keyblock(context, (*auth_context)->authentp->subkey,
-				    &((*auth_context)->send_subkey));
+	retval = krb5_k_create_key(context, (*auth_context)->authentp->subkey,
+				   &((*auth_context)->send_subkey));
 	if (retval) {
-	    krb5_free_keyblock(context, (*auth_context)->recv_subkey);
+	    krb5_k_free_key(context, (*auth_context)->recv_subkey);
 	    (*auth_context)->recv_subkey = NULL;
 	    goto cleanup;
 	}
@@ -475,8 +476,8 @@
 	(*auth_context)->send_subkey = 0;
     }
 
-    if ((retval = krb5_copy_keyblock(context, req->ticket->enc_part2->session,
-				     &((*auth_context)->keyblock))))
+    if ((retval = krb5_k_create_key(context, req->ticket->enc_part2->session,
+				    &((*auth_context)->key))))
 	goto cleanup;
 
     debug_log_authz_data("ticket", req->ticket->enc_part2->authorization_data);
@@ -499,7 +500,8 @@
     	*ap_req_options = req->ap_options & AP_OPTS_WIRE_MASK;
 	if (rfc4537_etypes_len != 0)
 	    *ap_req_options |= AP_OPTS_ETYPE_NEGOTIATION;
-	if ((*auth_context)->negotiated_etype != (*auth_context)->keyblock->enctype)
+	if ((*auth_context)->negotiated_etype !=
+	    krb5_k_key_enctype(context, (*auth_context)->key))
 	    *ap_req_options |= AP_OPTS_USE_SUBKEY;
     }
 

Modified: branches/enc-perf/src/lib/krb5/krb/rd_safe.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/rd_safe.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/rd_safe.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -46,7 +46,7 @@
  */
 static krb5_error_code
 krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf,
-		   const krb5_keyblock *keyblock,
+		   krb5_key key,
 		   const krb5_address *recv_addr,
 		   const krb5_address *sender_addr,
 		   krb5_replay_data *replaydata, krb5_data *outbuf)
@@ -124,7 +124,7 @@
     if (retval)
 	goto cleanup;
 
-    retval = krb5_c_verify_checksum(context, keyblock,
+    retval = krb5_k_verify_checksum(context, key,
 				    KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
 				    scratch, his_cksum, &valid);
 
@@ -136,7 +136,7 @@
 	 * Checksum over only the KRB-SAFE-BODY, like RFC 1510 says, in
 	 * case someone actually implements it correctly.
 	 */
-	retval = krb5_c_verify_checksum(context, keyblock,
+	retval = krb5_k_verify_checksum(context, key,
 					KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
 					&safe_body, his_cksum, &valid);
 	if (!valid) {
@@ -164,7 +164,7 @@
 	     krb5_replay_data *outdata)
 {
     krb5_error_code 	  retval;
-    krb5_keyblock	* keyblock;
+    krb5_key		  key;
     krb5_replay_data	  replaydata;
 
     if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
@@ -180,9 +180,9 @@
     if (!auth_context->remote_addr)
 	return KRB5_REMOTE_ADDR_REQUIRED;
 
-    /* Get keyblock */
-    if ((keyblock = auth_context->recv_subkey) == NULL)
-	keyblock = auth_context->keyblock;
+    /* Get key */
+    if ((key = auth_context->recv_subkey) == NULL)
+	key = auth_context->key;
 
 {
     krb5_address * premote_fulladdr;
@@ -220,7 +220,7 @@
     }
 
     memset(&replaydata, 0, sizeof(replaydata));
-    if ((retval = krb5_rd_safe_basic(context, inbuf, keyblock,
+    if ((retval = krb5_rd_safe_basic(context, inbuf, key,
 				     plocal_fulladdr, premote_fulladdr,
 				     &replaydata, outbuf))) {
 	CLEANUP_DONE();

Modified: branches/enc-perf/src/lib/krb5/krb/ser_actx.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/ser_actx.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/ser_actx.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -75,6 +75,7 @@
     krb5_error_code	kret;
     krb5_auth_context	auth_context;
     size_t		required;
+    krb5_enctype	enctype;
 
     /*
      * krb5_auth_context requires at minimum:
@@ -92,9 +93,9 @@
 	kret = 0;
 
 	/* Calculate size required by i_vector - ptooey */
-	if (auth_context->i_vector && auth_context->keyblock) {
-	    kret = krb5_c_block_size(kcontext, auth_context->keyblock->enctype,
-				     &required);
+	if (auth_context->i_vector && auth_context->key) {
+	    enctype = krb5_k_key_enctype(kcontext, auth_context->key);
+	    kret = krb5_c_block_size(kcontext, enctype, &required);
 	} else {
 	    required = 0;
 	}
@@ -141,11 +142,11 @@
 		required += sizeof(krb5_int32);
 	}
 
-	/* Calculate size required by keyblock, if appropriate */
-	if (!kret && auth_context->keyblock) {
+	/* Calculate size required by key, if appropriate */
+	if (!kret && auth_context->key) {
 	    kret = krb5_size_opaque(kcontext,
-				    KV5M_KEYBLOCK,
-				    (krb5_pointer) auth_context->keyblock,
+				    KV5M_KEYBLOCK, (krb5_pointer)
+				    &auth_context->key->keyblock,
 				    &required);
 	    if (!kret)
 		required += sizeof(krb5_int32);
@@ -154,8 +155,8 @@
 	/* Calculate size required by send_subkey, if appropriate */
 	if (!kret && auth_context->send_subkey) {
 	    kret = krb5_size_opaque(kcontext,
-				    KV5M_KEYBLOCK,
-				    (krb5_pointer) auth_context->send_subkey,
+				    KV5M_KEYBLOCK, (krb5_pointer)
+				    &auth_context->send_subkey->keyblock,
 				    &required);
 	    if (!kret)
 		required += sizeof(krb5_int32);
@@ -164,8 +165,8 @@
 	/* Calculate size required by recv_subkey, if appropriate */
 	if (!kret && auth_context->recv_subkey) {
 	    kret = krb5_size_opaque(kcontext,
-				    KV5M_KEYBLOCK,
-				    (krb5_pointer) auth_context->recv_subkey,
+				    KV5M_KEYBLOCK, (krb5_pointer)
+				    &auth_context->recv_subkey->keyblock,
 				    &required);
 	    if (!kret)
 		required += sizeof(krb5_int32);
@@ -197,6 +198,7 @@
     size_t		remain;
     size_t              obuf;
     krb5_int32		obuf32;
+    krb5_enctype	enctype;
 
     required = 0;
     bp = *buffer;
@@ -224,9 +226,8 @@
 
 	    /* Now figure out the number of bytes for i_vector and write it */
 	    if (auth_context->i_vector) {
-		kret = krb5_c_block_size(kcontext,
-					 auth_context->keyblock->enctype,
-					 &obuf);
+		enctype = krb5_k_key_enctype(kcontext, auth_context->key);
+		kret = krb5_c_block_size(kcontext, enctype, &obuf);
 	    } else {
 		obuf = 0;
 	    }
@@ -289,12 +290,12 @@
 	    }
 
 	    /* Now handle keyblock, if appropriate */
-	    if (!kret && auth_context->keyblock) {
+	    if (!kret && auth_context->key) {
 		(void) krb5_ser_pack_int32(TOKEN_KEYBLOCK, &bp, &remain);
 		kret = krb5_externalize_opaque(kcontext,
 					       KV5M_KEYBLOCK,
 					       (krb5_pointer)
-					       auth_context->keyblock,
+					       &auth_context->key->keyblock,
 					       &bp,
 					       &remain);
 	    }
@@ -304,8 +305,8 @@
 		(void) krb5_ser_pack_int32(TOKEN_LSKBLOCK, &bp, &remain);
 		kret = krb5_externalize_opaque(kcontext,
 					       KV5M_KEYBLOCK,
-					       (krb5_pointer)
-					       auth_context->send_subkey,
+					       (krb5_pointer) &auth_context->
+					       send_subkey->keyblock,
 					       &bp,
 					       &remain);
 	    }
@@ -315,8 +316,8 @@
 		(void) krb5_ser_pack_int32(TOKEN_RSKBLOCK, &bp, &remain);
 		kret = krb5_externalize_opaque(kcontext,
 					       KV5M_KEYBLOCK,
-					       (krb5_pointer)
-					       auth_context->recv_subkey,
+					       (krb5_pointer) &auth_context->
+					       recv_subkey->keyblock,
 					       &bp,
 					       &remain);
 	    }
@@ -345,6 +346,22 @@
     return(kret);
 }
 
+/* Internalize a keyblock and convert it to a key. */
+static krb5_error_code
+intern_key(krb5_context ctx, krb5_key *key, krb5_octet **bp, size_t *sp)
+{
+    krb5_keyblock *keyblock;
+    krb5_error_code ret;
+
+    ret = krb5_internalize_opaque(ctx, KV5M_KEYBLOCK,
+				  (krb5_pointer *) &keyblock, bp, sp);
+    if (ret != 0)
+	return ret;
+    ret = krb5_k_create_key(ctx, keyblock, key);
+    krb5_free_keyblock(ctx, keyblock);
+    return ret;
+}
+
 /*
  * krb5_auth_context_internalize()	- Internalize the krb5_auth_context.
  */
@@ -464,37 +481,29 @@
 
 	    /* This is the keyblock */
 	    if (!kret && (tag == TOKEN_KEYBLOCK)) {
-		if (!(kret = krb5_internalize_opaque(kcontext,
-						     KV5M_KEYBLOCK,
-						     (krb5_pointer *)
-						     &auth_context->keyblock,
-						     &bp,
-						     &remain)))
+		if (!(kret = intern_key(kcontext,
+					&auth_context->key,
+					&bp,
+					&remain)))
 		    kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
 	    }
 
 	    /* This is the send_subkey */
 	    if (!kret && (tag == TOKEN_LSKBLOCK)) {
-		if (!(kret = krb5_internalize_opaque(kcontext,
-						     KV5M_KEYBLOCK,
-						     (krb5_pointer *)
-						     &auth_context->
-						     send_subkey,
-						     &bp,
-						     &remain)))
+		if (!(kret = intern_key(kcontext,
+					&auth_context->send_subkey,
+					&bp,
+					&remain)))
 		    kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
 	    }
 
 	    /* This is the recv_subkey */
 	    if (!kret) {
 		if (tag == TOKEN_RSKBLOCK) {
-		    kret = krb5_internalize_opaque(kcontext,
-						   KV5M_KEYBLOCK,
-						   (krb5_pointer *)
-						   &auth_context->
-						   recv_subkey,
-						   &bp,
-						   &remain);
+		    kret = intern_key(kcontext,
+				      &auth_context->recv_subkey,
+				      &bp,
+				      &remain);
 		}
 		else {
 		    /*




More information about the cvs-krb5 mailing list