[16260] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: [RFC] kdb: store mkey list in context and permit NULL mkey for

daemon@ATHENA.MIT.EDU (Sam Hartman)
Sat Sep 11 15:55:48 2010

From: Sam Hartman <hartmans@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
Date: Sat, 11 Sep 2010 15:55:31 -0400
In-Reply-To: <1284226648.5992.1494.camel@ray> (Greg Hudson's message of "Sat, 
	11 Sep 2010 13:37:28 -0400")
Message-ID: <tsllj78vyvg.fsf@live.mit.edu>
MIME-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

>>>>> "Greg" == Greg Hudson <ghudson@MIT.EDU> writes:

    Greg> For purposes of discussion, I want to call out the performance
    Greg> impact.  Currently, the caller of krb5_dbe_decrypt_key_data is
    Greg> required to identify the correct master key using the entry's
    Greg> tl-data.  Unfortunately, that tl-data is not available to
    Greg> krb5_dbe_decrypt_key_data given its current API, so it will
    Greg> try all master keys in order.  During a master key transition,
    Greg> that will result in some extra decrypt operations on a running
    Greg> KDC.

    Greg> We can re-optimize this case by adding an optional argument to
    Greg> krb5_dbe_decrypt_key_data for the full DB entry, and passing
    Greg> that argument at all performance-sensitive call sites where we
    Greg> pass a null mkey.  As I told Sam earlier, I am happy
    Greg> considering that re-optimization to be future work, and think
    Greg> we might be able to fit it into the margin for 1.9.

O, if you don't mind it being an optional argument, it's relatively
easy, and I can try to fit into my margin.  The code for
decrypt_key_data becomes cleaner (removes the loop and the non-cleanup
goto) if you make it mandatory.
Reworking the call sites in kadmind for that was a bit more than I
wanted to do.

note that for principals where the principal is encrypted in the current
master key there is no performance impact with this code.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
home help back first fref pref prev next nref lref last post