1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

just like tempfiles: use key id 2 for temp Aria tables

Browse Source 
introduce ENCRYPTION_KEY_SYSTEM_DATA and
ENCRYPTION_KEY_TEMPORARY_DATA constants; use them everywhere.
This commit is contained in:
Sergei Golubchik 2015-05-27 12:08:13 +02:00
parent d9340d6c8e
commit 432b78c903
5 changed files with 32 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
include/mysql/service_encryption.h
View File

@ -32,6 +32,9 @@ extern "C" {
#define ENCRYPTION_KEY_VERSION_INVALID (~(unsigned int)0) #define ENCRYPTION_KEY_VERSION_INVALID (~(unsigned int)0)
#define ENCRYPTION_KEY_NOT_ENCRYPTED (0) #define ENCRYPTION_KEY_NOT_ENCRYPTED (0)
#define ENCRYPTION_KEY_SYSTEM_DATA 1
#define ENCRYPTION_KEY_TEMPORARY_DATA 2
/* returned from encryption_key_get() */ /* returned from encryption_key_get() */
#define ENCRYPTION_KEY_BUFFER_TOO_SMALL (100) #define ENCRYPTION_KEY_BUFFER_TOO_SMALL (100)

8
sql/mf_iocache_encr.cc
View File

@ -232,9 +232,13 @@ void init_io_cache_encryption()
{ {
if (encrypt_tmp_files) if (encrypt_tmp_files)
{ {
keyver= encryption_key_get_latest_version(keyid= 2); keyid= ENCRYPTION_KEY_TEMPORARY_DATA;
keyver= encryption_key_get_latest_version(keyid);
if (keyver == ENCRYPTION_KEY_VERSION_INVALID) if (keyver == ENCRYPTION_KEY_VERSION_INVALID)
keyver= encryption_key_get_latest_version(keyid= 1); {
keyid= ENCRYPTION_KEY_SYSTEM_DATA;
keyver= encryption_key_get_latest_version(keyid);
}
} }
else else
keyver= ENCRYPTION_KEY_VERSION_INVALID; keyver= ENCRYPTION_KEY_VERSION_INVALID;

2
storage/innobase/include/fil0crypt.h
View File

@ -27,7 +27,7 @@ Created 04/01/2015 Jan Lindström
#define fil0crypt_h #define fil0crypt_h
/* This key will be used if nothing else is given */ /* This key will be used if nothing else is given */
#define FIL_DEFAULT_ENCRYPTION_KEY 1 #define FIL_DEFAULT_ENCRYPTION_KEY ENCRYPTION_KEY_SYSTEM_DATA
/** Enum values for encryption table option */ /** Enum values for encryption table option */
typedef enum { typedef enum {

26
storage/maria/ma_crypt.c
View File

@ -20,8 +20,6 @@
#include "ma_blockrec.h" #include "ma_blockrec.h"
#include <my_crypt.h> #include <my_crypt.h>
#define HARD_CODED_ENCRYPTION_KEY_ID 1
#define CRYPT_SCHEME_1 1 #define CRYPT_SCHEME_1 1
#define CRYPT_SCHEME_1_ID_LEN 4 /* 4 bytes for counter-block */ #define CRYPT_SCHEME_1_ID_LEN 4 /* 4 bytes for counter-block */
#define CRYPT_SCHEME_1_IV_LEN 16 #define CRYPT_SCHEME_1_IV_LEN 16
@ -44,6 +42,24 @@ struct st_maria_crypt_data
mysql_mutex_t lock; /* protecting keys */ mysql_mutex_t lock; /* protecting keys */
}; };
/**
determine what key id to use for Aria encryption
Same logic as for tempfiles: if key id 2 exists - use it,
otherwise use key id 1.
Key id 1 is system, it always exists. Key id 2 is optional,
it allows to specify fast low-grade encryption for temporary data.
*/
static uint get_encryption_key_id(MARIA_SHARE *share)
{
if (share->options & HA_OPTION_TMP_TABLE &&
encryption_key_id_exists(ENCRYPTION_KEY_TEMPORARY_DATA))
return ENCRYPTION_KEY_TEMPORARY_DATA;
else
return ENCRYPTION_KEY_SYSTEM_DATA;
}
uint uint
ma_crypt_get_data_page_header_space() ma_crypt_get_data_page_header_space()
{ {
@ -90,7 +106,7 @@ ma_crypt_create(MARIA_SHARE* share)
crypt_data->scheme.type= CRYPT_SCHEME_1; crypt_data->scheme.type= CRYPT_SCHEME_1;
crypt_data->scheme.locker= crypt_data_scheme_locker; crypt_data->scheme.locker= crypt_data_scheme_locker;
mysql_mutex_init(key_CRYPT_DATA_lock, &crypt_data->lock, MY_MUTEX_INIT_FAST); mysql_mutex_init(key_CRYPT_DATA_lock, &crypt_data->lock, MY_MUTEX_INIT_FAST);
crypt_data->scheme.key_id= HARD_CODED_ENCRYPTION_KEY_ID; crypt_data->scheme.key_id= get_encryption_key_id(share);
my_random_bytes(crypt_data->scheme.iv, sizeof(crypt_data->scheme.iv)); my_random_bytes(crypt_data->scheme.iv, sizeof(crypt_data->scheme.iv));
my_random_bytes((uchar*)&crypt_data->space, sizeof(crypt_data->space)); my_random_bytes((uchar*)&crypt_data->space, sizeof(crypt_data->space));
share->crypt_data= crypt_data; share->crypt_data= crypt_data;
@ -156,7 +172,7 @@ ma_crypt_read(MARIA_SHARE* share, uchar *buff)
mysql_mutex_init(key_CRYPT_DATA_lock, &crypt_data->lock, mysql_mutex_init(key_CRYPT_DATA_lock, &crypt_data->lock,
MY_MUTEX_INIT_FAST); MY_MUTEX_INIT_FAST);
crypt_data->scheme.locker= crypt_data_scheme_locker; crypt_data->scheme.locker= crypt_data_scheme_locker;
crypt_data->scheme.key_id= HARD_CODED_ENCRYPTION_KEY_ID; crypt_data->scheme.key_id= get_encryption_key_id(share);
crypt_data->space= uint4korr(buff + 2); crypt_data->space= uint4korr(buff + 2);
memcpy(crypt_data->scheme.iv, buff + 6, sizeof(crypt_data->scheme.iv)); memcpy(crypt_data->scheme.iv, buff + 6, sizeof(crypt_data->scheme.iv));
share->crypt_data= crypt_data; share->crypt_data= crypt_data;
@ -314,7 +330,7 @@ void ma_crypt_set_data_pagecache_callbacks(PAGECACHE_FILE *file,
__attribute__((unused))) __attribute__((unused)))
{ {
/* Only use encryption if we have defined it */ /* Only use encryption if we have defined it */
if (encryption_key_id_exists(HARD_CODED_ENCRYPTION_KEY_ID)) if (encryption_key_id_exists(get_encryption_key_id(share)))
{ {
file->pre_read_hook= ma_crypt_pre_read_hook; file->pre_read_hook= ma_crypt_pre_read_hook;
file->post_read_hook= ma_crypt_data_post_read_hook; file->post_read_hook= ma_crypt_data_post_read_hook;

2
storage/xtradb/include/fil0crypt.h
View File

@ -27,7 +27,7 @@ Created 04/01/2015 Jan Lindström
#define fil0crypt_h #define fil0crypt_h
/* This key will be used if nothing else is given */ /* This key will be used if nothing else is given */
#define FIL_DEFAULT_ENCRYPTION_KEY 1 #define FIL_DEFAULT_ENCRYPTION_KEY ENCRYPTION_KEY_SYSTEM_DATA
/** Enum values for encryption table option */ /** Enum values for encryption table option */
typedef enum { typedef enum {