From 432b78c90376aac4fda94317fd20eced33d08230 Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Wed, 27 May 2015 12:08:13 +0200
Subject: [PATCH] just like tempfiles: use key id 2 for temp Aria tables
introduce ENCRYPTION_KEY_SYSTEM_DATA and ENCRYPTION_KEY_TEMPORARY_DATA constants; use them everywhere.
---
 include/mysql/service_encryption.h | 3 +++
 sql/mf_iocache_encr.cc | 8 ++++++--
 storage/innobase/include/fil0crypt.h | 2 +-
 storage/maria/ma_crypt.c | 26 +++++++++++++++++++++-----
 storage/xtradb/include/fil0crypt.h | 2 +-
 5 files changed, 32 insertions(+), 9 deletions(-)
diff --git a/include/mysql/service_encryption.h b/include/mysql/service_encryption.h
index 2ed29d594a6..2b79e00fa40 100644
--- a/include/mysql/service_encryption.h
+++ b/include/mysql/service_encryption.h
@@ -32,6 +32,9 @@ extern "C" {
 #define ENCRYPTION_KEY_VERSION_INVALID (~(unsigned int)0)
 #define ENCRYPTION_KEY_NOT_ENCRYPTED (0)
+#define ENCRYPTION_KEY_SYSTEM_DATA 1
+#define ENCRYPTION_KEY_TEMPORARY_DATA 2
+
 /* returned from encryption_key_get() */
 #define ENCRYPTION_KEY_BUFFER_TOO_SMALL (100)
diff --git a/sql/mf_iocache_encr.cc b/sql/mf_iocache_encr.cc
index 0a72492d743..8d1f609a1de 100644
--- a/sql/mf_iocache_encr.cc
+++ b/sql/mf_iocache_encr.cc
@@ -232,9 +232,13 @@ void init_io_cache_encryption()
 {
 if (encrypt_tmp_files)
 {
- keyver= encryption_key_get_latest_version(keyid= 2);
+ keyid= ENCRYPTION_KEY_TEMPORARY_DATA;
+ keyver= encryption_key_get_latest_version(keyid);
 if (keyver == ENCRYPTION_KEY_VERSION_INVALID)
- keyver= encryption_key_get_latest_version(keyid= 1);
+ {
+ keyid= ENCRYPTION_KEY_SYSTEM_DATA;
+ keyver= encryption_key_get_latest_version(keyid);
+ }
 }
 else
 keyver= ENCRYPTION_KEY_VERSION_INVALID;
diff --git a/storage/innobase/include/fil0crypt.h b/storage/innobase/include/fil0crypt.h
index f9f481111ca..df69ec28932 100644
--- a/storage/innobase/include/fil0crypt.h
+++ b/storage/innobase/include/fil0crypt.h
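Review bot: The two new key-id constants are added to this public service header without a comment stating the contract the rest of the commit relies on, namely that key id 1 is always provided and key id 2 is optional and may be a cheaper, lower-grade key intended for temporary data; that contract is only written down in the static helper added to storage/maria/ma_crypt.c, which readers of this header will not see. Since fil0crypt.h in both InnoDB and XtraDB now defines FIL_DEFAULT_ENCRYPTION_KEY in terms of ENCRYPTION_KEY_SYSTEM_DATA, this header is the natural place to document it. I would add above the two defines: `/* key id 1 must always be provided by the key management plugin; key id 2 is optional and, when present, is used for temporary data (it may be a faster, lower-grade key) */`.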
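Review bot: After the fallback to ENCRYPTION_KEY_SYSTEM_DATA the resulting keyver is not checked within the hunk, and if the system key is unavailable too it stays ENCRYPTION_KEY_VERSION_INVALID, the same value the else branch assigns when encrypt_tmp_files is off. Unless init_io_cache_encryption checks it further down (the function continues past the hunk), a missing or misconfigured key plugin would silently leave temporary files unencrypted while the option says they are encrypted. I would add after the new block a check such as `if (keyver == ENCRYPTION_KEY_VERSION_INVALID) /* neither key available: report it rather than run unencrypted */` followed by the module's usual error path, and a one-line comment on the first added line explaining the order, e.g. `/* prefer the (possibly cheaper) temporary-data key, fall back to the system key */`.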
@@ -27,7 +27,7 @@ Created 04/01/2015 Jan Lindström
 #define fil0crypt_h
 /* This key will be used if nothing else is given */
-#define FIL_DEFAULT_ENCRYPTION_KEY 1
+#define FIL_DEFAULT_ENCRYPTION_KEY ENCRYPTION_KEY_SYSTEM_DATA
 /** Enum values for encryption table option */
 typedef enum {
diff --git a/storage/maria/ma_crypt.c b/storage/maria/ma_crypt.c
index b327d528678..5e0e8190a52 100644
--- a/storage/maria/ma_crypt.c
+++ b/storage/maria/ma_crypt.c
@@ -20,8 +20,6 @@
 #include "ma_blockrec.h"
 #include
-#define HARD_CODED_ENCRYPTION_KEY_ID 1
-
 #define CRYPT_SCHEME_1 1
 #define CRYPT_SCHEME_1_ID_LEN 4 /* 4 bytes for counter-block */
 #define CRYPT_SCHEME_1_IV_LEN 16
@@ -44,6 +42,24 @@ struct st_maria_crypt_data
 mysql_mutex_t lock; /* protecting keys */
 };
+/**
+ determine what key id to use for Aria encryption
+
+ Same logic as for tempfiles: if key id 2 exists - use it,
+ otherwise use key id 1.
+
+ Key id 1 is system, it always exists. Key id 2 is optional,
+ it allows to specify fast low-grade encryption for temporary data.
+*/
+static uint get_encryption_key_id(MARIA_SHARE *share)
+{
+ if (share->options & HA_OPTION_TMP_TABLE &&
+ encryption_key_id_exists(ENCRYPTION_KEY_TEMPORARY_DATA))
+ return ENCRYPTION_KEY_TEMPORARY_DATA;
+ else
+ return ENCRYPTION_KEY_SYSTEM_DATA;
+}
+
 uint ma_crypt_get_data_page_header_space()
 {
@@ -90,7 +106,7 @@ ma_crypt_create(MARIA_SHARE* share)
 crypt_data->scheme.type= CRYPT_SCHEME_1;
 crypt_data->scheme.locker= crypt_data_scheme_locker;
 mysql_mutex_init(key_CRYPT_DATA_lock, &crypt_data->lock, MY_MUTEX_INIT_FAST);
- crypt_data->scheme.key_id= HARD_CODED_ENCRYPTION_KEY_ID;
+ crypt_data->scheme.key_id= get_encryption_key_id(share);
 my_random_bytes(crypt_data->scheme.iv, sizeof(crypt_data->scheme.iv));
 my_random_bytes((uchar*)&crypt_data->space, sizeof(crypt_data->space));
 share->crypt_data= crypt_data;
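Review bot: FIL_DEFAULT_ENCRYPTION_KEY now expands to ENCRYPTION_KEY_SYSTEM_DATA, but the hunk shows no include of the service header that defines it, so unless fil0crypt.h already includes it above the hunk, every translation unit that uses the macro now depends on include order. The same applies to the identical hunk in storage/xtradb/include/fil0crypt.h. If the include is indeed missing, `#include <mysql/service_encryption.h>` near the top of both headers makes them self-contained again.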
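Review bot: get_encryption_key_id re-queries the key plugin on every call, and the commit calls it at three different times for the same share: in ma_crypt_create (hunk @@ -90), in ma_crypt_read (hunk @@ -156) and in ma_crypt_set_data_pagecache_callbacks (hunk @@ -314). If the availability of key id 2 can change between those calls, a temporary table may be read with a different key id than it was written with, since ma_crypt_read takes space and iv from the on-disk header but recomputes key_id instead of reading it back, and the page-cache hooks may be set up for a different key than the one stored in crypt_data; I cannot tell from the hunk whether the plugin interface lets keys appear or disappear at runtime, so this may be theoretical. Deciding the key id once (in create/read) and having the later check use the stored `share->crypt_data->scheme.key_id` would remove the time dependency. Minor style point: `&` binds tighter than `&&` so the condition is correct, but `if ((share->options & HA_OPTION_TMP_TABLE) &&` reads more clearly.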
@@ -156,7 +172,7 @@ ma_crypt_read(MARIA_SHARE* share, uchar *buff)
 mysql_mutex_init(key_CRYPT_DATA_lock, &crypt_data->lock, MY_MUTEX_INIT_FAST);
 crypt_data->scheme.locker= crypt_data_scheme_locker;
- crypt_data->scheme.key_id= HARD_CODED_ENCRYPTION_KEY_ID;
+ crypt_data->scheme.key_id= get_encryption_key_id(share);
 crypt_data->space= uint4korr(buff + 2);
 memcpy(crypt_data->scheme.iv, buff + 6, sizeof(crypt_data->scheme.iv));
 share->crypt_data= crypt_data;
@@ -314,7 +330,7 @@ void ma_crypt_set_data_pagecache_callbacks(PAGECACHE_FILE *file,
 __attribute__((unused)))
 {
 /* Only use encryption if we have defined it */
- if (encryption_key_id_exists(HARD_CODED_ENCRYPTION_KEY_ID))
+ if (encryption_key_id_exists(get_encryption_key_id(share)))
 {
 file->pre_read_hook= ma_crypt_pre_read_hook;
 file->post_read_hook= ma_crypt_data_post_read_hook;
diff --git a/storage/xtradb/include/fil0crypt.h b/storage/xtradb/include/fil0crypt.h
index 5183d556b99..d36cb14b8cc 100644
--- a/storage/xtradb/include/fil0crypt.h
+++ b/storage/xtradb/include/fil0crypt.h
@@ -27,7 +27,7 @@ Created 04/01/2015 Jan Lindström
 #define fil0crypt_h
 /* This key will be used if nothing else is given */
-#define FIL_DEFAULT_ENCRYPTION_KEY 1
+#define FIL_DEFAULT_ENCRYPTION_KEY ENCRYPTION_KEY_SYSTEM_DATA
 /** Enum values for encryption table option */
 typedef enum {
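Review bot: The `__attribute__((unused))` on the hunk's first context line is now stale, because the new call `encryption_key_id_exists(get_encryption_key_id(share))` reads share; the parameter declaration itself is above the hunk, but that attribute presumably belongs to it. Leaving it in place misleads the next reader into thinking share is ignored here, so I would drop the attribute from the `MARIA_SHARE *share` parameter as part of this change.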