[Heimdal-source-changes] [heimdal/heimdal] 694d1e: krb5: Store a digest context in the crypto structu...

GitHub noreply at github.com
Tis May 15 16:22:14 CEST 2018 

  Branch: refs/heads/sxw/iovecs
  Home:   https://github.com/heimdal/heimdal
  Commit: 694d1eefe5d3422e1378730e008381c6c14e6d07
      https://github.com/heimdal/heimdal/commit/694d1eefe5d3422e1378730e008381c6c14e6d07
  Author: Simon Wilkinson <sxw at auristor.com>
  Date:   2018-05-15 (Tue, 15 May 2018)

  Changed paths:
    M lib/krb5/crypto-aes-sha1.c
    M lib/krb5/crypto-aes-sha2.c
    M lib/krb5/crypto-arcfour.c
    M lib/krb5/crypto-des-common.c
    M lib/krb5/crypto-des.c
    M lib/krb5/crypto-des3.c
    M lib/krb5/crypto-evp.c
    M lib/krb5/crypto-null.c
    M lib/krb5/crypto.c
    M lib/krb5/crypto.h
    M lib/krb5/pac.c
    M lib/krb5/test_rfc3961.c

  Log Message:
  -----------
  krb5: Store a digest context in the crypto structure

Creating and destroying an EVP_CTX_MD structure with every hash
operation is very expensive. Speed things up by caching one within
the krb5_crypto structure. krb5_crypto can already only be safely
used by one thread at a time - adding a message digest context here
shouldn't introduce any further threading risks.

Users of the stashed context must be careful to ensure that they
call no other hash functions whilst they are in the middle of using
the context.


  Commit: 39c66891a9083122df8eaae1d3d0226b739cc33c
      https://github.com/heimdal/heimdal/commit/39c66891a9083122df8eaae1d3d0226b739cc33c
  Author: Simon Wilkinson <sxw at auristor.com>
  Date:   2018-05-15 (Tue, 15 May 2018)

  Changed paths:
    M lib/krb5/crypto-aes-sha2.c
    M lib/krb5/crypto-evp.c
    M lib/krb5/crypto.c
    M lib/krb5/crypto.h

  Log Message:
  -----------
  krb5: Stash the HMAC context in the krb5_crypto object

Store the EVP HMAC context in the krb5_crypto object so that we
don't have to allocate it for every hashing operating we perform.


  Commit: 1d4c1db2c6bfea6978e922d9dc07b6d41a9ba596
      https://github.com/heimdal/heimdal/commit/1d4c1db2c6bfea6978e922d9dc07b6d41a9ba596
  Author: Simon Wilkinson <sxw at auristor.com>
  Date:   2018-05-15 (Tue, 15 May 2018)

  Changed paths:
    M lib/hcrypto/hmac.c

  Log Message:
  -----------
  hcrypto: Make more buffers persist across HMAC operations

If we don't change MD algorithm across two calls to HMAC_Init_ex
using the same context, don't bother reallocating all of our buffers.


  Commit: a5129667cbce04b50e98c6df71baf750ab770d9f
      https://github.com/heimdal/heimdal/commit/a5129667cbce04b50e98c6df71baf750ab770d9f
  Author: Simon Wilkinson <sxw at auristor.com>
  Date:   2018-05-15 (Tue, 15 May 2018)

  Changed paths:
    M lib/krb5/crypto.c
    M lib/krb5/crypto.h

  Log Message:
  -----------
  krb5: Expand list of vector types that are hashed

So that we can eventually use iovec hashes with encrypt, as well
as sign operations, add CRYPTO_TYPE_HEADER and CRYPTO_TYPE_PADDING
to the list of iovecs which will be hashed.


  Commit: 3a54994aabdfc3246287e146ab9682c66572034f
      https://github.com/heimdal/heimdal/commit/3a54994aabdfc3246287e146ab9682c66572034f
  Author: Simon Wilkinson <sxw at your-file-system.com>
  Date:   2018-05-15 (Tue, 15 May 2018)

  Changed paths:
    M lib/krb5/crypto.c

  Log Message:
  -----------
  krb5: Actually 0 padding

When we decide we need to zero the padding iovec, do so with 0, not
with the length that we've determined.

This had no effect because we zero the padding properly later, but it
should be fixed, so that things still work when the later memset() goes
away.


  Commit: 0dac5d279eb8ee0292d88f681832734af69c8a93
      https://github.com/heimdal/heimdal/commit/0dac5d279eb8ee0292d88f681832734af69c8a93
  Author: Simon Wilkinson <sxw at auristor.com>
  Date:   2018-05-15 (Tue, 15 May 2018)

  Changed paths:
    M lib/krb5/crypto.c

  Log Message:
  -----------
  krb5: Use iovec checksum in krb5_encrypt_iov_ivec

Use the iovec checksum routines in krb5_encrypt_iov_ivec. This
still marshalls all of the iovecs together to perform the encryption
operation, but this change halves the amount of time spent on
data marshalling in this function.


  Commit: f0d96ce32c5e5ff3425f1313c2a2e736128bc5c9
      https://github.com/heimdal/heimdal/commit/f0d96ce32c5e5ff3425f1313c2a2e736128bc5c9
  Author: Simon Wilkinson <sxw at auristor.com>
  Date:   2018-05-15 (Tue, 15 May 2018)

  Changed paths:
    M lib/krb5/crypto-aes-sha1.c
    M lib/krb5/crypto-aes-sha2.c
    M lib/krb5/crypto-arcfour.c
    M lib/krb5/crypto-des.c
    M lib/krb5/crypto-des3.c
    M lib/krb5/crypto-null.c
    M lib/krb5/crypto.c
    M lib/krb5/crypto.h

  Log Message:
  -----------
  krb5: Add an optional encrypt_iov function to encryption types

Add a encrypt_iov function pointer to all of our encryption types
which can be used to implement an iovec based encryption routine.

Modify krb5_encrypt_iov so that it calls the iovec based routine
if it is available.


  Commit: c5e30f965031c0f2bb30f55ce0b12dd0c9524900
      https://github.com/heimdal/heimdal/commit/c5e30f965031c0f2bb30f55ce0b12dd0c9524900
  Author: Simon Wilkinson <sxw at auristor.com>
  Date:   2018-05-15 (Tue, 15 May 2018)

  Changed paths:
    M lib/krb5/crypto-aes-sha1.c
    M lib/krb5/crypto-des3.c
    M lib/krb5/crypto-evp.c

  Log Message:
  -----------
  krb5: Add EVP iovec encryption routines

Add iovec routines for both padded CBC, and CTS EVP based encryption.

These routines go to great lengths to minimise the number of times
we call EVP_Cipher. With some EVP implementations (such as OpenSSL's
AES-NI) there is a significant entrance and exit overhead from this
routine, due to the use of SIMD vectors for the ivec.


  Commit: ba38ef608418d8dc64dd6bc1dbf08e5c869c2752
      https://github.com/heimdal/heimdal/commit/ba38ef608418d8dc64dd6bc1dbf08e5c869c2752
  Author: Simon Wilkinson <sxw at auristor.com>
  Date:   2018-05-15 (Tue, 15 May 2018)

  Changed paths:
    M lib/krb5/crypto-aes-sha1.c
    M lib/krb5/crypto.c

  Log Message:
  -----------
  krb5: Add a verify mode for the HMAC_SHA1 checksum

Add a verify operation for this checksum. If a verify operation isn't
defined, then the verify_checksum code has to dynamically allocate and
free a block of memory for the computed checksum, which can be a
significant overhead when performing bulk data encryption.


  Commit: 4dff725c5924991ec1e979b31f67b6dc7faf587c
      https://github.com/heimdal/heimdal/commit/4dff725c5924991ec1e979b31f67b6dc7faf587c
  Author: Simon Wilkinson <sxw at auristor.com>
  Date:   2018-05-15 (Tue, 15 May 2018)

  Changed paths:
    M lib/krb5/crypto.c

  Log Message:
  -----------
  krb5: Use iovecs for krb5_decrypt_iov_ivec

When we have an underlying iovec encryption function, use iovecs for
checksum-then-encrypt alogrithms in decrypt_iov_ivec, rather than
coalescing iovecs into a single memory buffer.


Compare: https://github.com/heimdal/heimdal/compare/505880853543...4dff725c5924
      **NOTE:** This service been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/

      Functionality will be removed from GitHub.com on January 31st, 2019.

More information about the Heimdal-source-changes mailing list