New encryption API. Piece-wise encryption.

Instead of encrypt(src, dst, key, iv) that encrypts all
data in one go, now we have encrypt_init(key,iv),
encrypt_update(src,dst), and encrypt_finish(dst).

This also causes collateral changes in the internal my_crypt.cc
encryption functions and in the encryption service.

There are wrappers to provide the old all-at-once encryption
functionality. But binlog events are often written piecewise,
they'll need the new api.

include/mysql/plugin_audit.h.pp

@@ -181,21 +181,46 @@ int thd_key_create(MYSQL_THD_KEY_T *key);
 void thd_key_delete(MYSQL_THD_KEY_T *key);
 void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
 int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
-typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
-                                    unsigned char* dst, unsigned int* dlen,
-                                    const unsigned char* key, unsigned int klen,
-                                    const unsigned char* iv, unsigned int ivlen,
-                                    int no_padding, unsigned int key_id,
-                                    unsigned int key_version);
 struct encryption_service_st {
-  unsigned int (*encryption_key_get_latest_version_func)(unsigned int);
-  unsigned int (*encryption_key_id_exists_func)(unsigned int);
-  unsigned int (*encryption_key_version_exists_func)(unsigned int, unsigned int);
-  unsigned int (*encryption_key_get_func)(unsigned int, unsigned int, unsigned char*, unsigned int*);
-  encrypt_decrypt_func encryption_encrypt_func;
-  encrypt_decrypt_func encryption_decrypt_func;
+  unsigned int (*encryption_key_get_latest_version_func)(unsigned int key_id);
+  unsigned int (*encryption_key_get_func)(unsigned int key_id, unsigned int key_version,
+                                          unsigned char* buffer, unsigned int* length);
+  unsigned int (*encryption_ctx_size_func)(unsigned int key_id, unsigned int key_version);
+  int (*encryption_ctx_init_func)(void *ctx, const unsigned char* key, unsigned int klen,
+                                  const unsigned char* iv, unsigned int ivlen,
+                                  int flags, unsigned int key_id,
+                                  unsigned int key_version);
+  int (*encryption_ctx_update_func)(void *ctx, const unsigned char* src, unsigned int slen,
+                                    unsigned char* dst, unsigned int* dlen);
+  int (*encryption_ctx_finish_func)(void *ctx, unsigned char* dst, unsigned int* dlen);
+  unsigned int (*encryption_encrypted_length_func)(unsigned int slen, unsigned int key_id, unsigned int key_version);
 };
 extern struct encryption_service_st encryption_handler;
+static inline unsigned int encryption_key_id_exists(unsigned int id)
+{
+  return encryption_handler.encryption_key_get_latest_version_func(id) != (~(unsigned int)0);
+}
+static inline unsigned int encryption_key_version_exists(unsigned int id, unsigned int version)
+{
+  unsigned int unused;
+  return encryption_handler.encryption_key_get_func((id),(version),(NULL),(&unused)) != (~(unsigned int)0);
+}
+static inline int encryption_crypt(const unsigned char* src, unsigned int slen,
+                                   unsigned char* dst, unsigned int* dlen,
+                                   const unsigned char* key, unsigned int klen,
+                                   const unsigned char* iv, unsigned int ivlen,
+                                   int flags, unsigned int key_id, unsigned int key_version)
+{
+  void *ctx= alloca(encryption_handler.encryption_ctx_size_func((key_id),(key_version)));
+  int res1, res2;
+  unsigned int d1, d2;
+  if ((res1= encryption_handler.encryption_ctx_init_func((ctx),(key),(klen),(iv),(ivlen),(flags),(key_id),(key_version))))
+    return res1;
+  res1= encryption_handler.encryption_ctx_update_func((ctx),(src),(slen),(dst),(&d1));
+  res2= encryption_handler.encryption_ctx_finish_func((ctx),(dst + d1),(&d2));
+  *dlen= d1 + d2;
+  return res1 ? res1 : res2;
+}
 struct st_encryption_scheme_key {
   unsigned int version;
   unsigned char key[16];

include/mysql/plugin_auth.h.pp

@@ -181,21 +181,46 @@ int thd_key_create(MYSQL_THD_KEY_T *key);
 void thd_key_delete(MYSQL_THD_KEY_T *key);
 void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
 int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
-typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
-                                    unsigned char* dst, unsigned int* dlen,
-                                    const unsigned char* key, unsigned int klen,
-                                    const unsigned char* iv, unsigned int ivlen,
-                                    int no_padding, unsigned int key_id,
-                                    unsigned int key_version);
 struct encryption_service_st {
-  unsigned int (*encryption_key_get_latest_version_func)(unsigned int);
-  unsigned int (*encryption_key_id_exists_func)(unsigned int);
-  unsigned int (*encryption_key_version_exists_func)(unsigned int, unsigned int);
-  unsigned int (*encryption_key_get_func)(unsigned int, unsigned int, unsigned char*, unsigned int*);
-  encrypt_decrypt_func encryption_encrypt_func;
-  encrypt_decrypt_func encryption_decrypt_func;
+  unsigned int (*encryption_key_get_latest_version_func)(unsigned int key_id);
+  unsigned int (*encryption_key_get_func)(unsigned int key_id, unsigned int key_version,
+                                          unsigned char* buffer, unsigned int* length);
+  unsigned int (*encryption_ctx_size_func)(unsigned int key_id, unsigned int key_version);
+  int (*encryption_ctx_init_func)(void *ctx, const unsigned char* key, unsigned int klen,
+                                  const unsigned char* iv, unsigned int ivlen,
+                                  int flags, unsigned int key_id,
+                                  unsigned int key_version);
+  int (*encryption_ctx_update_func)(void *ctx, const unsigned char* src, unsigned int slen,
+                                    unsigned char* dst, unsigned int* dlen);
+  int (*encryption_ctx_finish_func)(void *ctx, unsigned char* dst, unsigned int* dlen);
+  unsigned int (*encryption_encrypted_length_func)(unsigned int slen, unsigned int key_id, unsigned int key_version);
 };
 extern struct encryption_service_st encryption_handler;
+static inline unsigned int encryption_key_id_exists(unsigned int id)
+{
+  return encryption_handler.encryption_key_get_latest_version_func(id) != (~(unsigned int)0);
+}
+static inline unsigned int encryption_key_version_exists(unsigned int id, unsigned int version)
+{
+  unsigned int unused;
+  return encryption_handler.encryption_key_get_func((id),(version),(NULL),(&unused)) != (~(unsigned int)0);
+}
+static inline int encryption_crypt(const unsigned char* src, unsigned int slen,
+                                   unsigned char* dst, unsigned int* dlen,
+                                   const unsigned char* key, unsigned int klen,
+                                   const unsigned char* iv, unsigned int ivlen,
+                                   int flags, unsigned int key_id, unsigned int key_version)
+{
+  void *ctx= alloca(encryption_handler.encryption_ctx_size_func((key_id),(key_version)));
+  int res1, res2;
+  unsigned int d1, d2;
+  if ((res1= encryption_handler.encryption_ctx_init_func((ctx),(key),(klen),(iv),(ivlen),(flags),(key_id),(key_version))))
+    return res1;
+  res1= encryption_handler.encryption_ctx_update_func((ctx),(src),(slen),(dst),(&d1));
+  res2= encryption_handler.encryption_ctx_finish_func((ctx),(dst + d1),(&d2));
+  *dlen= d1 + d2;
+  return res1 ? res1 : res2;
+}
 struct st_encryption_scheme_key {
   unsigned int version;
   unsigned char key[16];

include/mysql/plugin_encryption.h

@@ -36,6 +36,8 @@ struct st_mariadb_encryption
 {
   int interface_version;                        /**< version plugin uses */
 
+  /*********** KEY MANAGEMENT ********************************************/
+
   /**
     function returning latest key version for a given key id
 
@@ -66,8 +68,17 @@ struct st_mariadb_encryption
   unsigned int (*get_key)(unsigned int key_id, unsigned int version,
                           unsigned char *key, unsigned int *key_length);
 
-  encrypt_decrypt_func encrypt;
-  encrypt_decrypt_func decrypt;
+  /*********** ENCRYPTION ************************************************/
+
+  uint (*crypt_ctx_size)(unsigned int key_id, unsigned int key_version);
+  int (*crypt_ctx_init)(void *ctx, const unsigned char* key, unsigned int klen,
+                        const unsigned char* iv, unsigned int ivlen,
+                        int flags, unsigned int key_id,
+                        unsigned int key_version);
+  int (*crypt_ctx_update)(void *ctx, const unsigned char* src, unsigned int slen,
+                          unsigned char* dst, unsigned int* dlen);
+  int (*crypt_ctx_finish)(void *ctx, unsigned char* dst, unsigned int* dlen);
+  uint (*encrypted_length)(unsigned int slen, unsigned int key_id, unsigned int key_version);
 };
 #endif
 

include/mysql/plugin_encryption.h.pp

@@ -181,21 +181,46 @@ int thd_key_create(MYSQL_THD_KEY_T *key);
 void thd_key_delete(MYSQL_THD_KEY_T *key);
 void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
 int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
-typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
-                                    unsigned char* dst, unsigned int* dlen,
-                                    const unsigned char* key, unsigned int klen,
-                                    const unsigned char* iv, unsigned int ivlen,
-                                    int no_padding, unsigned int key_id,
-                                    unsigned int key_version);
 struct encryption_service_st {
-  unsigned int (*encryption_key_get_latest_version_func)(unsigned int);
-  unsigned int (*encryption_key_id_exists_func)(unsigned int);
-  unsigned int (*encryption_key_version_exists_func)(unsigned int, unsigned int);
-  unsigned int (*encryption_key_get_func)(unsigned int, unsigned int, unsigned char*, unsigned int*);
-  encrypt_decrypt_func encryption_encrypt_func;
-  encrypt_decrypt_func encryption_decrypt_func;
+  unsigned int (*encryption_key_get_latest_version_func)(unsigned int key_id);
+  unsigned int (*encryption_key_get_func)(unsigned int key_id, unsigned int key_version,
+                                          unsigned char* buffer, unsigned int* length);
+  unsigned int (*encryption_ctx_size_func)(unsigned int key_id, unsigned int key_version);
+  int (*encryption_ctx_init_func)(void *ctx, const unsigned char* key, unsigned int klen,
+                                  const unsigned char* iv, unsigned int ivlen,
+                                  int flags, unsigned int key_id,
+                                  unsigned int key_version);
+  int (*encryption_ctx_update_func)(void *ctx, const unsigned char* src, unsigned int slen,
+                                    unsigned char* dst, unsigned int* dlen);
+  int (*encryption_ctx_finish_func)(void *ctx, unsigned char* dst, unsigned int* dlen);
+  unsigned int (*encryption_encrypted_length_func)(unsigned int slen, unsigned int key_id, unsigned int key_version);
 };
 extern struct encryption_service_st encryption_handler;
+static inline unsigned int encryption_key_id_exists(unsigned int id)
+{
+  return encryption_handler.encryption_key_get_latest_version_func(id) != (~(unsigned int)0);
+}
+static inline unsigned int encryption_key_version_exists(unsigned int id, unsigned int version)
+{
+  unsigned int unused;
+  return encryption_handler.encryption_key_get_func((id),(version),(NULL),(&unused)) != (~(unsigned int)0);
+}
+static inline int encryption_crypt(const unsigned char* src, unsigned int slen,
+                                   unsigned char* dst, unsigned int* dlen,
+                                   const unsigned char* key, unsigned int klen,
+                                   const unsigned char* iv, unsigned int ivlen,
+                                   int flags, unsigned int key_id, unsigned int key_version)
+{
+  void *ctx= alloca(encryption_handler.encryption_ctx_size_func((key_id),(key_version)));
+  int res1, res2;
+  unsigned int d1, d2;
+  if ((res1= encryption_handler.encryption_ctx_init_func((ctx),(key),(klen),(iv),(ivlen),(flags),(key_id),(key_version))))
+    return res1;
+  res1= encryption_handler.encryption_ctx_update_func((ctx),(src),(slen),(dst),(&d1));
+  res2= encryption_handler.encryption_ctx_finish_func((ctx),(dst + d1),(&d2));
+  *dlen= d1 + d2;
+  return res1 ? res1 : res2;
+}
 struct st_encryption_scheme_key {
   unsigned int version;
   unsigned char key[16];
@@ -392,6 +417,13 @@ struct st_mariadb_encryption
   unsigned int (*get_latest_key_version)(unsigned int key_id);
   unsigned int (*get_key)(unsigned int key_id, unsigned int version,
                           unsigned char *key, unsigned int *key_length);
-  encrypt_decrypt_func encrypt;
-  encrypt_decrypt_func decrypt;
+  uint (*crypt_ctx_size)(unsigned int key_id, unsigned int key_version);
+  int (*crypt_ctx_init)(void *ctx, const unsigned char* key, unsigned int klen,
+                        const unsigned char* iv, unsigned int ivlen,
+                        int flags, unsigned int key_id,
+                        unsigned int key_version);
+  int (*crypt_ctx_update)(void *ctx, const unsigned char* src, unsigned int slen,
+                          unsigned char* dst, unsigned int* dlen);
+  int (*crypt_ctx_finish)(void *ctx, unsigned char* dst, unsigned int* dlen);
+  uint (*encrypted_length)(unsigned int slen, unsigned int key_id, unsigned int key_version);
 };

include/mysql/plugin_ftparser.h.pp

@@ -181,21 +181,46 @@ int thd_key_create(MYSQL_THD_KEY_T *key);
 void thd_key_delete(MYSQL_THD_KEY_T *key);
 void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
 int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
-typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
-                                    unsigned char* dst, unsigned int* dlen,
-                                    const unsigned char* key, unsigned int klen,
-                                    const unsigned char* iv, unsigned int ivlen,
-                                    int no_padding, unsigned int key_id,
-                                    unsigned int key_version);
 struct encryption_service_st {
-  unsigned int (*encryption_key_get_latest_version_func)(unsigned int);
-  unsigned int (*encryption_key_id_exists_func)(unsigned int);
-  unsigned int (*encryption_key_version_exists_func)(unsigned int, unsigned int);
-  unsigned int (*encryption_key_get_func)(unsigned int, unsigned int, unsigned char*, unsigned int*);
-  encrypt_decrypt_func encryption_encrypt_func;
-  encrypt_decrypt_func encryption_decrypt_func;
+  unsigned int (*encryption_key_get_latest_version_func)(unsigned int key_id);
+  unsigned int (*encryption_key_get_func)(unsigned int key_id, unsigned int key_version,
+                                          unsigned char* buffer, unsigned int* length);
+  unsigned int (*encryption_ctx_size_func)(unsigned int key_id, unsigned int key_version);
+  int (*encryption_ctx_init_func)(void *ctx, const unsigned char* key, unsigned int klen,
+                                  const unsigned char* iv, unsigned int ivlen,
+                                  int flags, unsigned int key_id,
+                                  unsigned int key_version);
+  int (*encryption_ctx_update_func)(void *ctx, const unsigned char* src, unsigned int slen,
+                                    unsigned char* dst, unsigned int* dlen);
+  int (*encryption_ctx_finish_func)(void *ctx, unsigned char* dst, unsigned int* dlen);
+  unsigned int (*encryption_encrypted_length_func)(unsigned int slen, unsigned int key_id, unsigned int key_version);
 };
 extern struct encryption_service_st encryption_handler;
+static inline unsigned int encryption_key_id_exists(unsigned int id)
+{
+  return encryption_handler.encryption_key_get_latest_version_func(id) != (~(unsigned int)0);
+}
+static inline unsigned int encryption_key_version_exists(unsigned int id, unsigned int version)
+{
+  unsigned int unused;
+  return encryption_handler.encryption_key_get_func((id),(version),(NULL),(&unused)) != (~(unsigned int)0);
+}
+static inline int encryption_crypt(const unsigned char* src, unsigned int slen,
+                                   unsigned char* dst, unsigned int* dlen,
+                                   const unsigned char* key, unsigned int klen,
+                                   const unsigned char* iv, unsigned int ivlen,
+                                   int flags, unsigned int key_id, unsigned int key_version)
+{
+  void *ctx= alloca(encryption_handler.encryption_ctx_size_func((key_id),(key_version)));
+  int res1, res2;
+  unsigned int d1, d2;
+  if ((res1= encryption_handler.encryption_ctx_init_func((ctx),(key),(klen),(iv),(ivlen),(flags),(key_id),(key_version))))
+    return res1;
+  res1= encryption_handler.encryption_ctx_update_func((ctx),(src),(slen),(dst),(&d1));
+  res2= encryption_handler.encryption_ctx_finish_func((ctx),(dst + d1),(&d2));
+  *dlen= d1 + d2;
+  return res1 ? res1 : res2;
+}
 struct st_encryption_scheme_key {
   unsigned int version;
   unsigned char key[16];

include/mysql/plugin_password_validation.h.pp

@@ -181,21 +181,46 @@ int thd_key_create(MYSQL_THD_KEY_T *key);
 void thd_key_delete(MYSQL_THD_KEY_T *key);
 void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
 int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
-typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
-                                    unsigned char* dst, unsigned int* dlen,
-                                    const unsigned char* key, unsigned int klen,
-                                    const unsigned char* iv, unsigned int ivlen,
-                                    int no_padding, unsigned int key_id,
-                                    unsigned int key_version);
 struct encryption_service_st {
-  unsigned int (*encryption_key_get_latest_version_func)(unsigned int);
-  unsigned int (*encryption_key_id_exists_func)(unsigned int);
-  unsigned int (*encryption_key_version_exists_func)(unsigned int, unsigned int);
-  unsigned int (*encryption_key_get_func)(unsigned int, unsigned int, unsigned char*, unsigned int*);
-  encrypt_decrypt_func encryption_encrypt_func;
-  encrypt_decrypt_func encryption_decrypt_func;
+  unsigned int (*encryption_key_get_latest_version_func)(unsigned int key_id);
+  unsigned int (*encryption_key_get_func)(unsigned int key_id, unsigned int key_version,
+                                          unsigned char* buffer, unsigned int* length);
+  unsigned int (*encryption_ctx_size_func)(unsigned int key_id, unsigned int key_version);
+  int (*encryption_ctx_init_func)(void *ctx, const unsigned char* key, unsigned int klen,
+                                  const unsigned char* iv, unsigned int ivlen,
+                                  int flags, unsigned int key_id,
+                                  unsigned int key_version);
+  int (*encryption_ctx_update_func)(void *ctx, const unsigned char* src, unsigned int slen,
+                                    unsigned char* dst, unsigned int* dlen);
+  int (*encryption_ctx_finish_func)(void *ctx, unsigned char* dst, unsigned int* dlen);
+  unsigned int (*encryption_encrypted_length_func)(unsigned int slen, unsigned int key_id, unsigned int key_version);
 };
 extern struct encryption_service_st encryption_handler;
+static inline unsigned int encryption_key_id_exists(unsigned int id)
+{
+  return encryption_handler.encryption_key_get_latest_version_func(id) != (~(unsigned int)0);
+}
+static inline unsigned int encryption_key_version_exists(unsigned int id, unsigned int version)
+{
+  unsigned int unused;
+  return encryption_handler.encryption_key_get_func((id),(version),(NULL),(&unused)) != (~(unsigned int)0);
+}
+static inline int encryption_crypt(const unsigned char* src, unsigned int slen,
+                                   unsigned char* dst, unsigned int* dlen,
+                                   const unsigned char* key, unsigned int klen,
+                                   const unsigned char* iv, unsigned int ivlen,
+                                   int flags, unsigned int key_id, unsigned int key_version)
+{
+  void *ctx= alloca(encryption_handler.encryption_ctx_size_func((key_id),(key_version)));
+  int res1, res2;
+  unsigned int d1, d2;
+  if ((res1= encryption_handler.encryption_ctx_init_func((ctx),(key),(klen),(iv),(ivlen),(flags),(key_id),(key_version))))
+    return res1;
+  res1= encryption_handler.encryption_ctx_update_func((ctx),(src),(slen),(dst),(&d1));
+  res2= encryption_handler.encryption_ctx_finish_func((ctx),(dst + d1),(&d2));
+  *dlen= d1 + d2;
+  return res1 ? res1 : res2;
+}
 struct st_encryption_scheme_key {
   unsigned int version;
   unsigned char key[16];

include/mysql/service_encryption.h

@@ -20,7 +20,7 @@
 
   Functions to support data encryption and encryption key management.
   They are normally implemented in an encryption plugin, so this service
-  connects encryption *consumers* (storage engines) to the encryption
+  connects encryption *consumers* (e.g. storage engines) to the encryption
   *provider* (encryption plugin).
 */
 
@@ -28,6 +28,15 @@
 extern "C" {
 #endif
 
+#ifndef MYSQL_ABI_CHECK
+#ifdef _WIN32
+#include <malloc.h>
+#define inline __inline
+#else
+#include <alloca.h>
+#endif
+#endif
+
 /* returned from encryption_key_get_latest_version() */
 #define ENCRYPTION_KEY_VERSION_INVALID        (~(unsigned int)0)
 #define ENCRYPTION_KEY_NOT_ENCRYPTED          (0)
@@ -38,20 +47,23 @@ extern "C" {
 /* returned from encryption_key_get()  */
 #define ENCRYPTION_KEY_BUFFER_TOO_SMALL    (100)
 
-typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
-                                    unsigned char* dst, unsigned int* dlen,
-                                    const unsigned char* key, unsigned int klen,
-                                    const unsigned char* iv, unsigned int ivlen,
-                                    int no_padding, unsigned int key_id,
-                                    unsigned int key_version);
+#define ENCRYPTION_FLAG_DECRYPT     0
+#define ENCRYPTION_FLAG_ENCRYPT     1
+#define ENCRYPTION_FLAG_NOPAD       2
 
 struct encryption_service_st {
-  unsigned int (*encryption_key_get_latest_version_func)(unsigned int);
-  unsigned int (*encryption_key_id_exists_func)(unsigned int);
-  unsigned int (*encryption_key_version_exists_func)(unsigned int, unsigned int);
-  unsigned int (*encryption_key_get_func)(unsigned int, unsigned int, unsigned char*, unsigned int*);
-  encrypt_decrypt_func encryption_encrypt_func;
-  encrypt_decrypt_func encryption_decrypt_func;
+  unsigned int (*encryption_key_get_latest_version_func)(unsigned int key_id);
+  unsigned int (*encryption_key_get_func)(unsigned int key_id, unsigned int key_version,
+                                          unsigned char* buffer, unsigned int* length);
+  unsigned int (*encryption_ctx_size_func)(unsigned int key_id, unsigned int key_version);
+  int (*encryption_ctx_init_func)(void *ctx, const unsigned char* key, unsigned int klen,
+                                  const unsigned char* iv, unsigned int ivlen,
+                                  int flags, unsigned int key_id,
+                                  unsigned int key_version);
+  int (*encryption_ctx_update_func)(void *ctx, const unsigned char* src, unsigned int slen,
+                                    unsigned char* dst, unsigned int* dlen);
+  int (*encryption_ctx_finish_func)(void *ctx, unsigned char* dst, unsigned int* dlen);
+  unsigned int (*encryption_encrypted_length_func)(unsigned int slen, unsigned int key_id, unsigned int key_version);
 };
 
 #ifdef MYSQL_DYNAMIC_PLUGIN
@@ -59,23 +71,53 @@ struct encryption_service_st {
 extern struct encryption_service_st *encryption_service;
 
 #define encryption_key_get_latest_version(KI) encryption_service->encryption_key_get_latest_version_func(KI)
-#define encryption_key_id_exists(KI) encryption_service->encryption_key_id_exists_func((KI))
-#define encryption_key_version_exists(KI,KV) encryption_service->encryption_key_version_exists_func((KI),(KV))
 #define encryption_key_get(KI,KV,K,S) encryption_service->encryption_key_get_func((KI),(KV),(K),(S))
-#define encryption_encrypt(S,SL,D,DL,K,KL,I,IL,NP,KI,KV) encryption_service->encryption_encrypt_func((S),(SL),(D),(DL),(K),(KL),(I),(IL),(NP),(KI),(KV))
-#define encryption_decrypt(S,SL,D,DL,K,KL,I,IL,NP,KI,KV) encryption_service->encryption_decrypt_func((S),(SL),(D),(DL),(K),(KL),(I),(IL),(NP),(KI),(KV))
+#define encryption_ctx_size(KI,KV) encryption_service->encryption_ctx_size_func((KI),(KV))
+#define encryption_ctx_init(CTX,K,KL,IV,IVL,F,KI,KV) encryption_service->encryption_ctx_init_func((CTX),(K),(KL),(IV),(IVL),(F),(KI),(KV))
+#define encryption_ctx_update(CTX,S,SL,D,DL) encryption_service->encryption_ctx_update_func((CTX),(S),(SL),(D),(DL))
+#define encryption_ctx_finish(CTX,D,DL) encryption_service->encryption_ctx_finish_func((CTX),(D),(DL))
+#define encryption_encrypted_length(SL,KI,KV) encryption_service->encryption_encrypted_length_func((SL),(KI),(KV))
 #else
 
 extern struct encryption_service_st encryption_handler;
 
 #define encryption_key_get_latest_version(KI) encryption_handler.encryption_key_get_latest_version_func(KI)
-#define encryption_key_id_exists(KI) encryption_handler.encryption_key_id_exists_func((KI))
-#define encryption_key_version_exists(KI,KV) encryption_handler.encryption_key_version_exists_func((KI),(KV))
 #define encryption_key_get(KI,KV,K,S) encryption_handler.encryption_key_get_func((KI),(KV),(K),(S))
-#define encryption_encrypt(S,SL,D,DL,K,KL,I,IL,NP,KI,KV) encryption_handler.encryption_encrypt_func((S),(SL),(D),(DL),(K),(KL),(I),(IL),(NP),(KI),(KV))
-#define encryption_decrypt(S,SL,D,DL,K,KL,I,IL,NP,KI,KV) encryption_handler.encryption_decrypt_func((S),(SL),(D),(DL),(K),(KL),(I),(IL),(NP),(KI),(KV))
+#define encryption_ctx_size(KI,KV) encryption_handler.encryption_ctx_size_func((KI),(KV))
+#define encryption_ctx_init(CTX,K,KL,IV,IVL,F,KI,KV) encryption_handler.encryption_ctx_init_func((CTX),(K),(KL),(IV),(IVL),(F),(KI),(KV))
+#define encryption_ctx_update(CTX,S,SL,D,DL) encryption_handler.encryption_ctx_update_func((CTX),(S),(SL),(D),(DL))
+#define encryption_ctx_finish(CTX,D,DL) encryption_handler.encryption_ctx_finish_func((CTX),(D),(DL))
+#define encryption_encrypted_length(SL,KI,KV) encryption_handler.encryption_encrypted_length_func((SL),(KI),(KV))
 #endif
 
+static inline unsigned int encryption_key_id_exists(unsigned int id)
+{
+  return encryption_key_get_latest_version(id) != ENCRYPTION_KEY_VERSION_INVALID;
+}
+
+static inline unsigned int encryption_key_version_exists(unsigned int id, unsigned int version)
+{
+  unsigned int unused;
+  return encryption_key_get(id, version, NULL, &unused) != ENCRYPTION_KEY_VERSION_INVALID;
+}
+
+static inline int encryption_crypt(const unsigned char* src, unsigned int slen,
+                                   unsigned char* dst, unsigned int* dlen,
+                                   const unsigned char* key, unsigned int klen,
+                                   const unsigned char* iv, unsigned int ivlen,
+                                   int flags, unsigned int key_id, unsigned int key_version)
+{
+  void *ctx= alloca(encryption_ctx_size(key_id, key_version));
+  int res1, res2;
+  unsigned int d1, d2;
+  if ((res1= encryption_ctx_init(ctx, key, klen, iv, ivlen, flags, key_id, key_version)))
+    return res1;
+  res1= encryption_ctx_update(ctx, src, slen, dst, &d1);
+  res2= encryption_ctx_finish(ctx, dst + d1, &d2);
+  *dlen= d1 + d2;
+  return res1 ? res1 : res2;
+}
+
 #ifdef __cplusplus
 }
 #endif