1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

encryption plugin controls the encryption

Browse Source 
* no --encryption-algorithm option anymore
* encrypt/decrypt methods in the encryption plugin
* ecnrypt/decrypt methods in the encryption_km service
* file_km plugin has --file-key-management-encryption-algorithm
* debug_km always uses aes_cbc
* example_km changes between aes_cbc and aes_ecb for different key versions
This commit is contained in:
Sergei Golubchik 2015-03-31 19:32:35 +02:00
parent 9ccafffc29
commit bb1b61b312
36 changed files with 401 additions and 473 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
include/my_aes.h
View File

@ -24,8 +24,6 @@
#include <my_global.h>
typedef int Crypt_result;
#define AES_OK 0
#define AES_BAD_DATA -1
#define AES_BAD_IV -2
@ -49,84 +47,6 @@ typedef int Crypt_result;
C_MODE_START
/**
Crypt buffer with AES dynamic (defined at startup) encryption algorithm.
SYNOPSIS
my_aes_encrypt_dynamic()
@param source [in] Pointer to data for encryption
@param source_length [in] Size of encryption data
@param dest [out] Buffer to place encrypted data (must be large enough)
@param dest_length [out] Pointer to size of encrypted data
@param key [in] Key to be used for encryption
@param key_length [in] Length of the key. 16, 24 or 32
@param iv [in] Iv to be used for encryption
@param iv_length [in] Length of the iv. should be 16.
@param noPadding [in] if set, algorithm specific padding behaviour is used
Method used defined by calling my_aes_init_dynamic_encrypt() at startup.
@return
!= 0 error
0 no error
*/
typedef int (*my_aes_encrypt_dynamic_type)(const uchar* source, uint32 source_length,
uchar* dest, uint32* dest_length,
const uchar* key, uint8 key_length,
const uchar* iv, uint8 iv_length,
uint noPadding);
extern MYSQL_PLUGIN_IMPORT my_aes_encrypt_dynamic_type my_aes_encrypt_dynamic;
/**
AES decryption AES dynamic (defined at startup) encryption algorithm.
SYNOPSIS
my_aes_decrypt_dynamic()
@param source [in] Pointer to data to decrypt
@param source_length [in] Size of data
@param dest [out] Buffer to place decrypted data (must be large enough)
@param dest_length [out] Pointer to size of decrypted data
@param key [in] Key to be used for decryption
@param key_length [in] Length of the key. 16, 24 or 32
@param iv [in] Iv to be used for encryption
@param iv_length [in] Length of the iv. should be 16.
@param noPadding [in] if set, algorithm specific padding behaviour is used
@return
!= 0 error
0 no error
Method used defined by calling my_aes_init_dynamic_encrypt() at startup.
*/
typedef int (*my_aes_decrypt_dynamic_type)(const uchar *source,
uint32 source_length,
uchar *dest, uint32 *dest_length,
const uchar *key, uint8 key_length,
const uchar *iv, uint8 iv_length,
uint noPadding);
extern MYSQL_PLUGIN_IMPORT my_aes_decrypt_dynamic_type my_aes_decrypt_dynamic;
/**
Initialize dynamic crypt functions
*/
enum enum_my_aes_encryption_algorithm
{
MY_AES_ALGORITHM_NONE, MY_AES_ALGORITHM_ECB, MY_AES_ALGORITHM_CBC,
MY_AES_ALGORITHM_CTR
};
my_aes_decrypt_dynamic_type get_aes_decrypt_func(enum enum_my_aes_encryption_algorithm method);
my_aes_encrypt_dynamic_type get_aes_encrypt_func(enum enum_my_aes_encryption_algorithm method);
my_bool my_aes_init_dynamic_encrypt(enum enum_my_aes_encryption_algorithm method);
extern MYSQL_PLUGIN_IMPORT enum enum_my_aes_encryption_algorithm current_aes_dynamic_method;
int my_aes_get_size(int source_length);
C_MODE_END

62
include/my_crypt.h
View File

@ -26,45 +26,45 @@ C_MODE_START
#ifdef HAVE_EncryptAes128Ctr
Crypt_result my_aes_encrypt_ctr(const uchar* source, uint32 source_length,
uchar* dest, uint32* dest_length,
const unsigned char* key, uint8 key_length,
const unsigned char* iv, uint8 iv_length,
uint no_padding);
int my_aes_encrypt_ctr(const uchar* source, uint source_length,
uchar* dest, uint* dest_length,
const unsigned char* key, uint key_length,
const unsigned char* iv, uint iv_length,
int no_padding);
Crypt_result my_aes_decrypt_ctr(const uchar* source, uint32 source_length,
uchar* dest, uint32* dest_length,
const unsigned char* key, uint8 key_length,
const unsigned char* iv, uint8 iv_length,
uint no_padding);
int my_aes_decrypt_ctr(const uchar* source, uint source_length,
uchar* dest, uint* dest_length,
const unsigned char* key, uint key_length,
const unsigned char* iv, uint iv_length,
int no_padding);
#endif
Crypt_result my_aes_encrypt_cbc(const uchar* source, uint32 source_length,
uchar* dest, uint32* dest_length,
const unsigned char* key, uint8 key_length,
const unsigned char* iv, uint8 iv_length,
uint no_padding);
int my_aes_encrypt_cbc(const uchar* source, uint source_length,
uchar* dest, uint* dest_length,
const unsigned char* key, uint key_length,
const unsigned char* iv, uint iv_length,
int no_padding);
Crypt_result my_aes_decrypt_cbc(const uchar* source, uint32 source_length,
uchar* dest, uint32* dest_length,
const unsigned char* key, uint8 key_length,
const unsigned char* iv, uint8 iv_length,
uint no_padding);
int my_aes_decrypt_cbc(const uchar* source, uint source_length,
uchar* dest, uint* dest_length,
const unsigned char* key, uint key_length,
const unsigned char* iv, uint iv_length,
int no_padding);
Crypt_result my_aes_encrypt_ecb(const uchar* source, uint32 source_length,
uchar* dest, uint32* dest_length,
const unsigned char* key, uint8 key_length,
const unsigned char* iv, uint8 iv_length,
uint no_padding);
int my_aes_encrypt_ecb(const uchar* source, uint source_length,
uchar* dest, uint* dest_length,
const unsigned char* key, uint key_length,
const unsigned char* iv, uint iv_length,
int no_padding);
Crypt_result my_aes_decrypt_ecb(const uchar* source, uint32 source_length,
uchar* dest, uint32* dest_length,
const unsigned char* key, uint8 key_length,
const unsigned char* iv, uint8 iv_length,
uint no_padding);
int my_aes_decrypt_ecb(const uchar* source, uint source_length,
uchar* dest, uint* dest_length,
const unsigned char* key, uint key_length,
const unsigned char* iv, uint iv_length,
int no_padding);
Crypt_result my_random_bytes(uchar* buf, int num);
int my_random_bytes(uchar* buf, int num);
C_MODE_END

17
include/mysql/plugin_audit.h.pp
View File

@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key);
void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
#include <mysql/service_encryption_keys.h>
typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version);
extern struct encryption_keys_service_st {
unsigned int (*get_latest_encryption_key_version_func)();
unsigned int (*has_encryption_key_func)(unsigned int);
unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*);
encrypt_decrypt_func encrypt_data_func;
encrypt_decrypt_func decrypt_data_func;
} *encryption_keys_service;
unsigned int get_latest_encryption_key_version();
unsigned int has_encryption_key(unsigned int version);
unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize);
int encrypt_data(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version);
int decrypt_data(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version);
struct st_mysql_xid {
long formatID;
long gtrid_length;

17
include/mysql/plugin_auth.h.pp
View File

@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key);
void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
#include <mysql/service_encryption_keys.h>
typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version);
extern struct encryption_keys_service_st {
unsigned int (*get_latest_encryption_key_version_func)();
unsigned int (*has_encryption_key_func)(unsigned int);
unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*);
encrypt_decrypt_func encrypt_data_func;
encrypt_decrypt_func decrypt_data_func;
} *encryption_keys_service;
unsigned int get_latest_encryption_key_version();
unsigned int has_encryption_key(unsigned int version);
unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize);
int encrypt_data(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version);
int decrypt_data(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version);
struct st_mysql_xid {
long formatID;
long gtrid_length;

8
include/mysql/plugin_encryption.h
View File

@ -1,5 +1,5 @@
#ifndef MYSQL_PLUGIN_ENCRYPTION_INCLUDED
/* Copyright (C) 2014 Sergei Golubchik and MariaDB
/* Copyright (C) 2014, 2015 Sergei Golubchik and MariaDB
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -29,9 +29,6 @@
#define MariaDB_ENCRYPTION_INTERFACE_VERSION 0x0200
#define BAD_ENCRYPTION_KEY_VERSION (~(unsigned int)0)
#define KEY_BUFFER_TOO_SMALL (100)
/**
Encryption plugin descriptor
*/
@ -68,6 +65,9 @@ struct st_mariadb_encryption
*/
unsigned int (*get_key)(unsigned int version, unsigned char *key,
unsigned int *key_length);
encrypt_decrypt_func encrypt;
encrypt_decrypt_func decrypt;
};
#endif

19
include/mysql/plugin_encryption.h.pp
View File

@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key);
void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
#include <mysql/service_encryption_keys.h>
typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version);
extern struct encryption_keys_service_st {
unsigned int (*get_latest_encryption_key_version_func)();
unsigned int (*has_encryption_key_func)(unsigned int);
unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*);
encrypt_decrypt_func encrypt_data_func;
encrypt_decrypt_func decrypt_data_func;
} *encryption_keys_service;
unsigned int get_latest_encryption_key_version();
unsigned int has_encryption_key(unsigned int version);
unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize);
int encrypt_data(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version);
int decrypt_data(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version);
struct st_mysql_xid {
long formatID;
long gtrid_length;
@ -368,4 +385,6 @@ struct st_mariadb_encryption
unsigned int (*get_latest_key_version)();
unsigned int (*get_key)(unsigned int version, unsigned char *key,
unsigned int *key_length);
encrypt_decrypt_func encrypt;
encrypt_decrypt_func decrypt;
};

17
include/mysql/plugin_ftparser.h.pp
View File

@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key);
void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
#include <mysql/service_encryption_keys.h>
typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version);
extern struct encryption_keys_service_st {
unsigned int (*get_latest_encryption_key_version_func)();
unsigned int (*has_encryption_key_func)(unsigned int);
unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*);
encrypt_decrypt_func encrypt_data_func;
encrypt_decrypt_func decrypt_data_func;
} *encryption_keys_service;
unsigned int get_latest_encryption_key_version();
unsigned int has_encryption_key(unsigned int version);
unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize);
int encrypt_data(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version);
int decrypt_data(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version);
struct st_mysql_xid {
long formatID;
long gtrid_length;

17
include/mysql/plugin_password_validation.h.pp
View File

@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key);
void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
#include <mysql/service_encryption_keys.h>
typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version);
extern struct encryption_keys_service_st {
unsigned int (*get_latest_encryption_key_version_func)();
unsigned int (*has_encryption_key_func)(unsigned int);
unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*);
encrypt_decrypt_func encrypt_data_func;
encrypt_decrypt_func decrypt_data_func;
} *encryption_keys_service;
unsigned int get_latest_encryption_key_version();
unsigned int has_encryption_key(unsigned int version);
unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize);
int encrypt_data(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version);
int decrypt_data(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version);
struct st_mysql_xid {
long formatID;
long gtrid_length;

25
include/mysql/service_encryption_keys.h
View File

@ -25,10 +25,21 @@
extern "C" {
#endif
#define BAD_ENCRYPTION_KEY_VERSION (~(unsigned int)0)
#define KEY_BUFFER_TOO_SMALL (100)
typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version);
extern struct encryption_keys_service_st {
unsigned int (*get_latest_encryption_key_version_func)();
unsigned int (*has_encryption_key_func)(unsigned int);
unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*);
encrypt_decrypt_func encrypt_data_func;
encrypt_decrypt_func decrypt_data_func;
} *encryption_keys_service;
#ifdef MYSQL_DYNAMIC_PLUGIN
@ -36,13 +47,23 @@ extern struct encryption_keys_service_st {
#define get_latest_encryption_key_version() encryption_keys_service->get_latest_encryption_key_version_func()
#define has_encryption_key(V) encryption_keys_service->has_encryption_key_func(V)
#define get_encryption_key(V,K,S) encryption_keys_service->get_encryption_key_func((V), (K), (S))
#define encrypt_data(S,SL,D,DL,K,KL,I,IL,NP,KV) encryption_keys_service->encrypt_data_func(S,SL,D,DL,K,KL,I,IL,NP,KV)
#define decrypt_data(S,SL,D,DL,K,KL,I,IL,NP,KV) encryption_keys_service->decrypt_data_func(S,SL,D,DL,K,KL,I,IL,NP,KV)
#else
unsigned int get_latest_encryption_key_version();
unsigned int has_encryption_key(unsigned int version);
unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize);
int encrypt_data(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version);
int decrypt_data(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version);
#endif
#ifdef __cplusplus

7
mysql-test/include/encryption_algorithms.combinations
View File

@ -1,8 +1,5 @@
[cbc]
encryption-algorithm=aes_cbc
[ecb]
encryption-algorithm=aes_ecb
file-key-management-encryption-algorithm=aes_cbc
[ctr]
encryption-algorithm=aes_ctr
file-key-management-encryption-algorithm=aes_ctr

2
mysql-test/include/have_example_key_management_plugin.inc
View File

@ -1,5 +1,3 @@
-- source encryption_algorithms.inc
if (!$EXAMPLE_KEY_MANAGEMENT_SO)
{
--skip Needs example_key_management

2
mysql-test/include/have_file_key_management_plugin.inc
View File

@ -1,4 +1,4 @@
-- source encryption_algorithms.inc
--source encryption_algorithms.inc
if (!$FILE_KEY_MANAGEMENT_SO)
{

5
mysql-test/r/mysqld--help.result
View File

@ -165,10 +165,6 @@ The following options may be given as the first argument:
--encrypt-tmp-disk-tables
Encrypt tmp disk tables (created as part of query
execution)
--encryption-algorithm=name
Which encryption algorithm to use for table encryption.
aes_cbc is the recommended one.. One of: none, aes_ecb,
aes_cbc, aes_ctr
--enforce-storage-engine=name
Force the use of a storage engine for new tables
--event-scheduler[=name]
@ -1151,7 +1147,6 @@ delayed-insert-timeout 300
delayed-queue-size 1000
div-precision-increment 4
encrypt-tmp-disk-tables FALSE
encryption-algorithm none
enforce-storage-engine (No default value)
event-scheduler OFF
expensive-subquery-limit 100

1
mysql-test/suite/plugins/t/filekeys_plugin.opt
View File

@ -1,2 +1 @@
--plugin-load-add=$FILE_KEY_MANAGEMENT_SO
--encryption-algorithm=aes_cbc

7
mysql-test/suite/sys_vars/r/encryption_algorithm_basic.result
View File

@ -1,7 +0,0 @@
select @@global.encryption_algorithm;
@@global.encryption_algorithm
none
select @@session.encryption_algorithm;
ERROR HY000: Variable 'encryption_algorithm' is a GLOBAL variable
set global encryption_algorithm="none";
ERROR HY000: Variable 'encryption_algorithm' is a read only variable

14
mysql-test/suite/sys_vars/r/sysvars_server_embedded.result
View File

@ -681,20 +681,6 @@ NUMERIC_BLOCK_SIZE 1
ENUM_VALUE_LIST NULL
READ_ONLY NO
COMMAND_LINE_ARGUMENT REQUIRED
VARIABLE_NAME ENCRYPTION_ALGORITHM
SESSION_VALUE NULL
GLOBAL_VALUE none
GLOBAL_VALUE_ORIGIN COMPILE-TIME
DEFAULT_VALUE none
VARIABLE_SCOPE GLOBAL
VARIABLE_TYPE ENUM
VARIABLE_COMMENT Which encryption algorithm to use for table encryption. aes_cbc is the recommended one.
NUMERIC_MIN_VALUE NULL
NUMERIC_MAX_VALUE NULL
NUMERIC_BLOCK_SIZE NULL
ENUM_VALUE_LIST none,aes_ecb,aes_cbc,aes_ctr
READ_ONLY YES
COMMAND_LINE_ARGUMENT REQUIRED
VARIABLE_NAME ENCRYPT_TMP_DISK_TABLES
SESSION_VALUE NULL
GLOBAL_VALUE OFF

14
mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result
View File

@ -695,20 +695,6 @@ NUMERIC_BLOCK_SIZE 1
ENUM_VALUE_LIST NULL
READ_ONLY NO
COMMAND_LINE_ARGUMENT REQUIRED
VARIABLE_NAME ENCRYPTION_ALGORITHM
SESSION_VALUE NULL
GLOBAL_VALUE none
GLOBAL_VALUE_ORIGIN COMPILE-TIME
DEFAULT_VALUE none
VARIABLE_SCOPE GLOBAL
VARIABLE_TYPE ENUM
VARIABLE_COMMENT Which encryption algorithm to use for table encryption. aes_cbc is the recommended one.
NUMERIC_MIN_VALUE NULL
NUMERIC_MAX_VALUE NULL
NUMERIC_BLOCK_SIZE NULL
ENUM_VALUE_LIST none,aes_ecb,aes_cbc,aes_ctr
READ_ONLY YES
COMMAND_LINE_ARGUMENT REQUIRED
VARIABLE_NAME ENCRYPT_TMP_DISK_TABLES
SESSION_VALUE NULL
GLOBAL_VALUE OFF

13
mysql-test/suite/sys_vars/t/encryption_algorithm_basic.test
View File

@ -1,13 +0,0 @@
# bool global
# exists as global only
#
select @@global.encryption_algorithm;
--error ER_INCORRECT_GLOBAL_LOCAL_VAR
select @@session.encryption_algorithm;
#
# show that it's not writable
#
--error 1238
set global encryption_algorithm="none";

154
mysys_ssl/my_aes.cc
View File

@ -18,164 +18,10 @@
#include <my_aes.h>
#include <my_crypt.h>
/**
Encryption interface that doesn't do anything (for testing)
SYNOPSIS
my_aes_encrypt_none()
@param source [in] Pointer to data for encryption
@param source_length [in] Size of encryption data
@param dest [out] Buffer to place encrypted data (must be large enough)
@param dest_length [out] Pointer to size of encrypted data
@param key [in] Key to be used for encryption
@param key_length [in] Length of the key. 16, 24 or 32
@param iv [in] Iv to be used for encryption
@param iv_length [in] Length of the iv. should be 16.
@param noPadding [in] unused
@return
!= 0 error
0 no error
*/
static int my_aes_encrypt_none(const uchar* source, uint32 source_length,
uchar* dest, uint32* dest_length,
const unsigned char* key, uint8 key_length,
const unsigned char* iv, uint8 iv_length,
uint noPadding)
{
memcpy(dest, source, source_length);
*dest_length= source_length;
return 0;
}
/**
Decryption interface that doesn't do anything (for testing)
SYNOPSIS
my_aes_decrypt_none()
@param source [in] Pointer to data to decrypt
@param source_length [in] Size of data
@param dest [out] Buffer to place decrypted data (must be large enough)
@param dest_length [out] Pointer to size of decrypted data
@param key [in] Key to be used for decryption
@param key_length [in] Length of the key. 16, 24 or 32
@param iv [in] Iv to be used for encryption
@param iv_length [in] Length of the iv. should be 16.
@param noPadding [in] unused
@return
!= 0 error
0 no error
*/
int my_aes_decrypt_none(const uchar* source, uint32 source_length,
uchar* dest, uint32 *dest_length,
const unsigned char* key, uint8 key_length,
const unsigned char* iv, uint8 iv_length,
uint noPadding)
{
memcpy(dest, source, source_length);
*dest_length= source_length;
return 0;
}
/**
Initialize encryption methods
*/
my_aes_decrypt_dynamic_type my_aes_decrypt_dynamic= my_aes_decrypt_none;
my_aes_encrypt_dynamic_type my_aes_encrypt_dynamic= my_aes_encrypt_none;
enum_my_aes_encryption_algorithm current_aes_dynamic_method= MY_AES_ALGORITHM_NONE;
my_bool my_aes_init_dynamic_encrypt(enum_my_aes_encryption_algorithm method)
{
switch (method)
{
/* used for encrypting tables */
case MY_AES_ALGORITHM_ECB:
my_aes_encrypt_dynamic= my_aes_encrypt_ecb;
my_aes_decrypt_dynamic= my_aes_decrypt_ecb;
break;
case MY_AES_ALGORITHM_CBC:
my_aes_encrypt_dynamic= my_aes_encrypt_cbc;
my_aes_decrypt_dynamic= my_aes_decrypt_cbc;
break;
#ifdef HAVE_EncryptAes128Ctr
/* encrypt everything, with a set of keys */
case MY_AES_ALGORITHM_CTR:
my_aes_encrypt_dynamic= my_aes_encrypt_ctr;
my_aes_decrypt_dynamic= my_aes_decrypt_ctr;
break;
#endif
/* Simulate encrypting interface */
case MY_AES_ALGORITHM_NONE:
my_aes_encrypt_dynamic= my_aes_encrypt_none;
my_aes_decrypt_dynamic= my_aes_decrypt_none;
break;
default:
return 1;
}
current_aes_dynamic_method= method;
return 0;
}
my_aes_decrypt_dynamic_type
get_aes_decrypt_func(enum_my_aes_encryption_algorithm method)
{
switch (method)
{
/* used for encrypting tables */
case MY_AES_ALGORITHM_ECB:
return my_aes_decrypt_ecb;
break;
case MY_AES_ALGORITHM_CBC:
return my_aes_decrypt_cbc;
break;
#ifdef HAVE_EncryptAes128Ctr
/* encrypt everything, with a set of keys */
case MY_AES_ALGORITHM_CTR:
return my_aes_decrypt_ctr;
break;
#endif
/* Simulate encrypting interface */
case MY_AES_ALGORITHM_NONE:
return my_aes_decrypt_none;
break;
default:
return NULL;
}
return NULL;
}
my_aes_encrypt_dynamic_type
get_aes_encrypt_func(enum_my_aes_encryption_algorithm method)
{
switch (method)
{
/* used for encrypting tables */
case MY_AES_ALGORITHM_ECB:
return my_aes_encrypt_ecb;
break;
case MY_AES_ALGORITHM_CBC:
return my_aes_encrypt_cbc;
break;
#ifdef HAVE_EncryptAes128Ctr
/* encrypt everything, with a set of keys */
case MY_AES_ALGORITHM_CTR:
return my_aes_encrypt_ctr;
break;
#endif
/* Simulate encrypting interface */
case MY_AES_ALGORITHM_NONE:
return my_aes_encrypt_none;
break;
default:
return NULL;
}
return NULL;
}
/**
Get size of buffer which will be large enough for encrypted data

78
mysys_ssl/my_crypt.cc
View File

@ -26,8 +26,8 @@ static const Dir CRYPT_ENCRYPT = TaoCrypt::ENCRYPTION;
static const Dir CRYPT_DECRYPT = TaoCrypt::DECRYPTION;
typedef TaoCrypt::Mode CipherMode;
static inline CipherMode aes_ecb(uint8) { return TaoCrypt::ECB; }
static inline CipherMode aes_cbc(uint8) { return TaoCrypt::CBC; }
static inline CipherMode aes_ecb(uint) { return TaoCrypt::ECB; }
static inline CipherMode aes_cbc(uint) { return TaoCrypt::CBC; }
typedef TaoCrypt::byte KeyByte;
@ -42,7 +42,7 @@ static const Dir CRYPT_DECRYPT = 0;
typedef const EVP_CIPHER *CipherMode;
#define make_aes_dispatcher(mode) \
static inline CipherMode aes_ ## mode(uint8 key_length) \
static inline CipherMode aes_ ## mode(uint key_length) \
{ \
switch (key_length) { \
case 16: return EVP_aes_128_ ## mode(); \
@ -67,10 +67,10 @@ struct MyCTX : EVP_CIPHER_CTX {
#endif
static int do_crypt(CipherMode cipher, Dir dir,
const uchar* source, uint32 source_length,
uchar* dest, uint32* dest_length,
const KeyByte *key, uint8 key_length,
const KeyByte *iv, uint8 iv_length, int no_padding)
const uchar* source, uint source_length,
uchar* dest, uint* dest_length,
const KeyByte *key, uint key_length,
const KeyByte *iv, uint iv_length, int no_padding)
{
int tail= source_length % MY_AES_BLOCK_SIZE;
@ -123,8 +123,8 @@ static int do_crypt(CipherMode cipher, Dir dir,
EVP_CIPHER_CTX_set_padding(&ctx, !no_padding);
DBUG_ASSERT(EVP_CIPHER_CTX_key_length(&ctx) == key_length);
DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(&ctx) == iv_length);
DBUG_ASSERT(EVP_CIPHER_CTX_key_length(&ctx) == (int)key_length);
DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(&ctx) == (int)iv_length);
DBUG_ASSERT(EVP_CIPHER_CTX_block_size(&ctx) == MY_AES_BLOCK_SIZE || !no_padding);
/* use built-in OpenSSL padding, if possible */
@ -164,11 +164,11 @@ C_MODE_START
#ifdef HAVE_EncryptAes128Ctr
int my_aes_encrypt_ctr(const uchar* source, uint32 source_length,
uchar* dest, uint32* dest_length,
const uchar* key, uint8 key_length,
const uchar* iv, uint8 iv_length,
uint no_padding)
int my_aes_encrypt_ctr(const uchar* source, uint source_length,
uchar* dest, uint* dest_length,
const uchar* key, uint key_length,
const uchar* iv, uint iv_length,
int no_padding)
{
/* CTR is a stream cipher mode, it needs no special padding code */
return do_crypt(aes_ctr(key_length), CRYPT_ENCRYPT, source, source_length,
@ -176,11 +176,11 @@ int my_aes_encrypt_ctr(const uchar* source, uint32 source_length,
}
int my_aes_decrypt_ctr(const uchar* source, uint32 source_length,
uchar* dest, uint32* dest_length,
const uchar* key, uint8 key_length,
const uchar* iv, uint8 iv_length,
uint no_padding)
int my_aes_decrypt_ctr(const uchar* source, uint source_length,
uchar* dest, uint* dest_length,
const uchar* key, uint key_length,
const uchar* iv, uint iv_length,
int no_padding)
{
return do_crypt(aes_ctr(key_length), CRYPT_DECRYPT, source, source_length,
dest, dest_length, key, key_length, iv, iv_length, 0);
@ -188,41 +188,41 @@ int my_aes_decrypt_ctr(const uchar* source, uint32 source_length,
#endif /* HAVE_EncryptAes128Ctr */
int my_aes_encrypt_ecb(const uchar* source, uint32 source_length,
uchar* dest, uint32* dest_length,
const uchar* key, uint8 key_length,
const uchar* iv, uint8 iv_length,
uint no_padding)
int my_aes_encrypt_ecb(const uchar* source, uint source_length,
uchar* dest, uint* dest_length,
const uchar* key, uint key_length,
const uchar* iv, uint iv_length,
int no_padding)
{
return do_crypt(aes_ecb(key_length), CRYPT_ENCRYPT, source, source_length,
dest, dest_length, key, key_length, 0, 0, no_padding);
}
int my_aes_decrypt_ecb(const uchar* source, uint32 source_length,
uchar* dest, uint32* dest_length,
const uchar* key, uint8 key_length,
const uchar* iv, uint8 iv_length,
uint no_padding)
int my_aes_decrypt_ecb(const uchar* source, uint source_length,
uchar* dest, uint* dest_length,
const uchar* key, uint key_length,
const uchar* iv, uint iv_length,
int no_padding)
{
return do_crypt(aes_ecb(key_length), CRYPT_DECRYPT, source, source_length,
dest, dest_length, key, key_length, 0, 0, no_padding);
}
int my_aes_encrypt_cbc(const uchar* source, uint32 source_length,
uchar* dest, uint32* dest_length,
const uchar* key, uint8 key_length,
const uchar* iv, uint8 iv_length,
uint no_padding)
int my_aes_encrypt_cbc(const uchar* source, uint source_length,
uchar* dest, uint* dest_length,
const uchar* key, uint key_length,
const uchar* iv, uint iv_length,
int no_padding)
{
return do_crypt(aes_cbc(key_length), CRYPT_ENCRYPT, source, source_length,
dest, dest_length, key, key_length, iv, iv_length, no_padding);
}
int my_aes_decrypt_cbc(const uchar* source, uint32 source_length,
uchar* dest, uint32* dest_length,
const uchar* key, uint8 key_length,
const uchar* iv, uint8 iv_length,
uint no_padding)
int my_aes_decrypt_cbc(const uchar* source, uint source_length,
uchar* dest, uint* dest_length,
const uchar* key, uint key_length,
const uchar* iv, uint iv_length,
int no_padding)
{
return do_crypt(aes_cbc(key_length), CRYPT_DECRYPT, source, source_length,
dest, dest_length, key, key_length, iv, iv_length, no_padding);

3
plugin/debug_key_management/debug_key_management_plugin.cc
View File

@ -64,7 +64,8 @@ static unsigned int get_key(unsigned int version, unsigned char* dstbuf, unsigne
struct st_mariadb_encryption debug_key_management_plugin= {
MariaDB_ENCRYPTION_INTERFACE_VERSION,
get_latest_key_version,
get_key
get_key,
0, 0 // use default encrypt/decrypt functions
};
/*

48
plugin/example_key_management/example_key_management_plugin.cc
View File

@ -27,11 +27,9 @@
#include <my_global.h>
#include <my_pthread.h>
#include <my_aes.h>
#include <mysql/plugin_encryption.h>
#include <my_md5.h>
#include <my_rnd.h>
#include "sql_class.h"
#include <my_crypt.h>
/* rotate key randomly between 45 and 90 seconds */
#define KEY_ROTATION_MIN 45
@ -61,12 +59,12 @@ get_latest_key_version()
static unsigned int
get_key(unsigned int version, unsigned char* dstbuf, unsigned *buflen)
{
if (*buflen < MD5_HASH_SIZE)
if (*buflen < MY_MD5_HASH_SIZE)
{
*buflen= MD5_HASH_SIZE;
*buflen= MY_MD5_HASH_SIZE;
return KEY_BUFFER_TOO_SMALL;
}
*buflen= MD5_HASH_SIZE;
*buflen= MY_MD5_HASH_SIZE;
if (!dstbuf)
return 0;
@ -75,21 +73,35 @@ get_key(unsigned int version, unsigned char* dstbuf, unsigned *buflen)
return 0;
}
/*
for the sake of an example, let's use different encryption algorithms/modes
for different keys.
*/
int encrypt(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version)
{
return ((key_version & 1) ? my_aes_encrypt_cbc : my_aes_encrypt_ecb)
(src, slen, dst, dlen, key, klen, iv, ivlen, no_padding);
}
int decrypt(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
const unsigned char* key, unsigned int klen,
const unsigned char* iv, unsigned int ivlen,
int no_padding, unsigned int key_version)
{
return ((key_version & 1) ? my_aes_decrypt_cbc : my_aes_decrypt_ecb)
(src, slen, dst, dlen, key, klen, iv, ivlen, no_padding);
}
static int example_key_management_plugin_init(void *p)
{
/* init */
my_rnd_init(&seed, time(0), 0);
get_latest_key_version();
if (current_aes_dynamic_method == MY_AES_ALGORITHM_NONE)
{
sql_print_error("No encryption method choosen with --encryption-algorithm. "
"example_key_management_plugin disabled");
return 1;
}
my_aes_init_dynamic_encrypt(current_aes_dynamic_method);
pthread_mutex_init(&mutex, NULL);
return 0;
@ -104,7 +116,9 @@ static int example_key_management_plugin_deinit(void *p)
struct st_mariadb_encryption example_key_management_plugin= {
MariaDB_ENCRYPTION_INTERFACE_VERSION,
get_latest_key_version,
get_key
get_key,
encrypt,
decrypt
};
/*

57
plugin/file_key_management/file_key_management_plugin.cc
View File

@ -15,12 +15,28 @@
#include "parser.h"
#include <mysql_version.h>
#include <mysql/plugin_encryption.h>
#include <string.h>
static char* filename;
static char* filekey;
static unsigned long encryption_algorithm;
static const char *encryption_algorithm_names[]=
{
"aes_cbc",
#ifdef HAVE_EncryptAes128Ctr
"aes_ctr",
#endif
0
};
static TYPELIB encryption_algorithm_typelib=
{
array_elements(encryption_algorithm_names)-1,"",
encryption_algorithm_names, NULL
};
static MYSQL_SYSVAR_STR(filename, filename,
PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_READONLY,
@ -32,9 +48,15 @@ static MYSQL_SYSVAR_STR(filekey, filekey,
"Key to encrypt / decrypt the keyfile.",
NULL, NULL, "");
static MYSQL_SYSVAR_ENUM(encryption_algorithm, encryption_algorithm,
PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_READONLY,
"Encryption algorithm to use.",
NULL, NULL, 0, &encryption_algorithm_typelib);
static struct st_mysql_sys_var* settings[] = {
MYSQL_SYSVAR(filename),
MYSQL_SYSVAR(filekey),
MYSQL_SYSVAR(encryption_algorithm),
NULL
};
@ -88,18 +110,37 @@ static unsigned int get_key_from_key_file(unsigned int key_id,
return 0;
}
static int file_key_management_plugin_init(void *p)
{
Parser parser(filename, filekey);
return parser.parse(&keys);
}
struct st_mariadb_encryption file_key_management_plugin= {
MariaDB_ENCRYPTION_INTERFACE_VERSION,
get_highest_key_used_in_key_file,
get_key_from_key_file
get_key_from_key_file,
0,0
};
static int file_key_management_plugin_init(void *p)
{
Parser parser(filename, filekey);
switch (encryption_algorithm) {
case 0: // AES_CBC
file_key_management_plugin.encrypt=
(encrypt_decrypt_func)my_aes_encrypt_cbc;
file_key_management_plugin.decrypt=
(encrypt_decrypt_func)my_aes_decrypt_cbc;
break;
#ifdef HAVE_EncryptAes128Ctr
case 1: // AES_CTR
file_key_management_plugin.encrypt=
(encrypt_decrypt_func)my_aes_encrypt_ctr;
file_key_management_plugin.decrypt=
(encrypt_decrypt_func)my_aes_decrypt_ctr;
break;
#endif
default:
return 1; // cannot happen
}
return parser.parse(&keys);
}
/*
Plugin library descriptor
*/

51
sql/encryption_keys.cc
View File

@ -1,7 +1,23 @@
/* Copyright (C) 2015 MariaDB
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
#include <my_global.h>
#include <mysql/plugin_encryption.h>
#include "log.h"
#include "sql_plugin.h"
#include <my_crypt.h>
/* there can be only one encryption plugin enabled */
static plugin_ref encryption_key_manager= 0;
@ -34,6 +50,34 @@ uint get_encryption_key(uint version, uchar* key, uint *size)
return BAD_ENCRYPTION_KEY_VERSION;
}
int encrypt_data(const uchar* source, uint source_length,
uchar* dest, uint* dest_length,
const uchar* key, uint key_length,
const uchar* iv, uint iv_length,
int no_padding, uint key_version)
{
if (encryption_key_manager)
return handle->encrypt(source, source_length,
dest, dest_length, key, key_length,
iv, iv_length, no_padding, key_version);
return 1;
}
int decrypt_data(const uchar* source, uint source_length,
uchar* dest, uint* dest_length,
const uchar* key, uint key_length,
const uchar* iv, uint iv_length,
int no_padding, uint key_version)
{
if (encryption_key_manager)
return handle->decrypt(source, source_length,
dest, dest_length, key, key_length,
iv, iv_length, no_padding, key_version);
return 1;
}
int initialize_encryption_plugin(st_plugin_int *plugin)
{
if (encryption_key_manager)
@ -49,6 +93,13 @@ int initialize_encryption_plugin(st_plugin_int *plugin)
encryption_key_manager= plugin_lock(NULL, plugin_int_to_ref(plugin));
handle= (struct st_mariadb_encryption*)
plugin->plugin->info;
/* default encryption algorithm */
if (!handle->encrypt)
handle->encrypt= (encrypt_decrypt_func)my_aes_encrypt_cbc;
if (!handle->decrypt)
handle->decrypt= (encrypt_decrypt_func)my_aes_decrypt_cbc;
return 0;
}

4
sql/item_strfunc.h
View File

@ -142,7 +142,9 @@ class Item_aes_crypt :public Item_str_func
void create_key(String *user_key, uchar* key);
protected:
my_aes_encrypt_dynamic_type crypt;
int (*crypt)(const uchar* src, uint slen, uchar* dst, uint* dlen,
const uchar* key, uint klen, const uchar* iv, uint ivlen,
int no_padding);
public:
Item_aes_crypt(Item *a, Item *b) :Item_str_func(a,b) {}

8
sql/mysqld.cc
View File

@ -630,7 +630,6 @@ char *mysqld_unix_port, *opt_mysql_tmpdir;
ulong thread_handling;
my_bool encrypt_tmp_disk_tables;
ulong encryption_algorithm;
/** name of reference on left expression in rewritten IN subquery */
const char *in_left_expr_name= "<left expr>";
@ -4804,13 +4803,6 @@ static int init_server_components()
my_rnd_init(&sql_rand,(ulong) server_start_time,(ulong) server_start_time/2);
setup_fpu();
init_thr_lock();
if (my_aes_init_dynamic_encrypt((enum_my_aes_encryption_algorithm)
encryption_algorithm))
{
fprintf(stderr, "Can't initialize encryption algorithm to \"%s\".\nCheck that the program is linked with the right library (openssl?)\n",
encryption_algorithm_names[encryption_algorithm]);
unireg_abort(1);
}
#ifndef EMBEDDED_LIBRARY
if (init_thr_timer(thread_scheduler->max_threads + extra_max_connections))

4
sql/sql_plugin_services.h
View File

@ -143,7 +143,9 @@ static struct encryption_keys_service_st encryption_keys_handler=
{
get_latest_encryption_key_version,
has_encryption_key,
get_encryption_key
get_encryption_key,
encrypt_data,
decrypt_data
};
static struct thd_specifics_service_st thd_specifics_handler=

8
sql/sys_vars.cc
View File

@ -5168,14 +5168,6 @@ static Sys_var_mybool Sys_encrypt_tmp_disk_tables(
GLOBAL_VAR(encrypt_tmp_disk_tables),
CMD_LINE(OPT_ARG), DEFAULT(FALSE));
const char *encryption_algorithm_names[]=
{ "none", "aes_ecb", "aes_cbc", "aes_ctr", 0 };
static Sys_var_enum Sys_encryption_algorithm(
"encryption_algorithm",
"Which encryption algorithm to use for table encryption. aes_cbc is the recommended one.",
READ_ONLY GLOBAL_VAR(encryption_algorithm),CMD_LINE(REQUIRED_ARG),
encryption_algorithm_names, DEFAULT(0));
static bool check_pseudo_slave_mode(sys_var *self, THD *thd, set_var *var)
{
longlong previous_val= thd->variables.pseudo_slave_mode;

16
storage/innobase/fil/fil0crypt.cc
View File

@ -693,11 +693,9 @@ fil_space_encrypt(ulint space, ulint offset, lsn_t lsn,
srclen = page_size - FIL_PAGE_DATA;
}
int rc = (* my_aes_encrypt_dynamic)(src, srclen,
dst, &dstlen,
(unsigned char*)key, key_length,
(unsigned char*)iv, sizeof(iv),
1);
int rc = encrypt_data(src, srclen, dst, &dstlen,
(unsigned char*)key, key_length,
(unsigned char*)iv, sizeof(iv), 1, key_version);
if (! ((rc == AES_OK) && ((ulint) dstlen == srclen))) {
ib_logf(IB_LOG_LEVEL_FATAL,
@ -867,11 +865,9 @@ fil_space_decrypt(fil_space_crypt_t* crypt_data,
srclen = pow((double)2, (double)((int)compressed_len)) - FIL_PAGE_DATA;
}
int rc = (* my_aes_decrypt_dynamic)(src, srclen,
dst, &dstlen,
(unsigned char*)key, key_length,
(unsigned char*)iv, sizeof(iv),
1);
int rc = decrypt_data(src, srclen, dst, &dstlen,
(unsigned char*)key, key_length,
(unsigned char*)iv, sizeof(iv), 1, key_version);
if (! ((rc == AES_OK) && ((ulint) dstlen == srclen))) {
ib_logf(IB_LOG_LEVEL_FATAL,

2
storage/innobase/include/log0crypt.h
View File

@ -17,6 +17,8 @@ Created 11/25/2013 Minli Zhu
#define PURPOSE_BYTE_OFFSET 0
#define UNENCRYPTED_KEY_VER 0
typedef int Crypt_result;
/* If true, enable redo log encryption. */
extern my_bool srv_encrypt_log;
/* Plain text used by AES_ECB to generate redo log crypt key. */

20
storage/innobase/log/log0crypt.cc
View File

@ -32,7 +32,6 @@ Modified Jan Lindström jan.lindstrom@mariadb.com
#include "srv0start.h" // for srv_start_lsn
#include "log0recv.h" // for recv_sys
#include "mysql/plugin_encryption.h" // for BAD_ENCRYPTION_KEY_VERSION
#include "ha_prototypes.h" // IB_LOG_
/* If true, enable redo log encryption. */
@ -127,12 +126,10 @@ log_init_crypt_key(
}
uint32 dst_len;
my_aes_encrypt_dynamic_type func= get_aes_encrypt_func(MY_AES_ALGORITHM_ECB);
int rc= (*func)(crypt_msg, MY_AES_BLOCK_SIZE, //src, srclen
int rc= my_aes_encrypt_ecb(crypt_msg, MY_AES_BLOCK_SIZE, //src, srclen
key, &dst_len, //dst, &dstlen
(unsigned char*)&mysqld_key, sizeof(mysqld_key),
NULL, 0,
1);
NULL, 0, 1);
if (rc != AES_OK || dst_len != MY_AES_BLOCK_SIZE)
{
@ -207,11 +204,11 @@ log_blocks_crypt(
mach_write_to_4(aes_ctr_counter + 11, log_block_no);
bzero(aes_ctr_counter + 15, 1);
int rc = (* my_aes_encrypt_dynamic)(log_block + LOG_BLOCK_HDR_SIZE, src_len,
dst_block + LOG_BLOCK_HDR_SIZE, &dst_len,
(unsigned char*)key, 16,
aes_ctr_counter, MY_AES_BLOCK_SIZE,
1);
int rc = encrypt_data(log_block + LOG_BLOCK_HDR_SIZE, src_len,
dst_block + LOG_BLOCK_HDR_SIZE, &dst_len,
(unsigned char*)key, 16,
aes_ctr_counter, MY_AES_BLOCK_SIZE, 1,
recv_sys->recv_log_crypt_ver);
ut_a(rc == AES_OK);
ut_a(dst_len == src_len);
@ -266,8 +263,7 @@ log_crypt_set_ver_and_key(
encrypted = true;
if (vkey == UNENCRYPTED_KEY_VER ||
vkey == BAD_ENCRYPTION_KEY_VERSION ||
vkey == (unsigned int)CRYPT_KEY_UNKNOWN) {
vkey == BAD_ENCRYPTION_KEY_VERSION) {
encrypted = false;
ib_logf(IB_LOG_LEVEL_WARN,

35
storage/maria/ma_check_standalone.h
View File

@ -23,6 +23,40 @@ void _mi_report_crashed(void *file __attribute__((unused)),
{
}
unsigned int get_latest_encryption_key_version()
{
return BAD_ENCRYPTION_KEY_VERSION;
}
int encrypt_data(const uchar* source __attribute__((unused)),
uint source_length __attribute__((unused)),
uchar* dest __attribute__((unused)),
uint* dest_length __attribute__((unused)),
const uchar* key __attribute__((unused)),
uint key_length __attribute__((unused)),
const uchar* iv __attribute__((unused)),
uint iv_length __attribute__((unused)),
int no_padding __attribute__((unused)),
uint key_version __attribute__((unused)))
{
return 1;
}
int decrypt_data(const uchar* source __attribute__((unused)),
uint source_length __attribute__((unused)),
uchar* dest __attribute__((unused)),
uint* dest_length __attribute__((unused)),
const uchar* key __attribute__((unused)),
uint key_length __attribute__((unused)),
const uchar* iv __attribute__((unused)),
uint iv_length __attribute__((unused)),
int no_padding __attribute__((unused)),
uint key_version __attribute__((unused)))
{
return 1;
}
/* only those that included myisamchk.h may need and can use the below */
#ifdef _myisamchk_h
/*
@ -121,5 +155,6 @@ void _ma_check_print_error(HA_CHECK *param, const char *fmt,...)
va_end(args);
DBUG_VOID_RETURN;
}
#endif

21
storage/maria/ma_crypt.c
View File

@ -16,7 +16,6 @@
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
#include <my_global.h>
#include "ma_crypt.h"
#include "maria_def.h"
#include "ma_blockrec.h"
#include <my_crypt.h>
@ -291,7 +290,7 @@ void ma_crypt_set_data_pagecache_callbacks(PAGECACHE_FILE *file,
__attribute__((unused)))
{
/* Only use encryption if we have defined it */
if (likely(current_aes_dynamic_method != MY_AES_ALGORITHM_NONE))
if (get_latest_encryption_key_version() != BAD_ENCRYPTION_KEY_VERSION)
{
file->pre_read_hook= ma_crypt_pre_read_hook;
file->post_read_hook= ma_crypt_data_post_read_hook;
@ -411,17 +410,16 @@ static int ma_encrypt(MARIA_CRYPT_DATA *crypt_data,
int rc;
uint32 dstlen;
uchar counter[COUNTER_LEN];
*key_version= 1;
// create counter block
memcpy(counter + 0, crypt_data->iv + CRYPT_SCHEME_1_IV_LEN, 4);
int4store(counter + 4, pageno);
int8store(counter + 8, lsn);
rc = my_aes_encrypt_dynamic(src, size,
dst, &dstlen,
crypt_data->iv, CRYPT_SCHEME_1_IV_LEN,
counter, sizeof(counter),
1);
rc = encrypt_data(src, size, dst, &dstlen,
crypt_data->iv, CRYPT_SCHEME_1_IV_LEN,
counter, sizeof(counter), 1, *key_version);
DBUG_ASSERT(rc == AES_OK);
DBUG_ASSERT(dstlen == size);
@ -434,7 +432,6 @@ static int ma_encrypt(MARIA_CRYPT_DATA *crypt_data,
return 1;
}
*key_version= 1;
return 0;
}
@ -452,11 +449,9 @@ static int ma_decrypt(MARIA_CRYPT_DATA *crypt_data,
int4store(counter + 4, pageno);
int8store(counter + 8, lsn);
rc = my_aes_decrypt_dynamic(src, size,
dst, &dstlen,
crypt_data->iv, CRYPT_SCHEME_1_IV_LEN,
counter, sizeof(counter),
1);
rc =decrypt_data(src, size, dst, &dstlen,
crypt_data->iv, CRYPT_SCHEME_1_IV_LEN,
counter, sizeof(counter), 1, key_version);
DBUG_ASSERT(rc == AES_OK);
DBUG_ASSERT(dstlen == size);

16
storage/xtradb/fil/fil0crypt.cc
View File

@ -693,11 +693,9 @@ fil_space_encrypt(ulint space, ulint offset, lsn_t lsn,
srclen = page_size - FIL_PAGE_DATA;
}
int rc = (* my_aes_encrypt_dynamic)(src, srclen,
dst, &dstlen,
(unsigned char*)key, key_length,
(unsigned char*)iv, sizeof(iv),
1);
int rc = encrypt_data(src, srclen, dst, &dstlen,
(unsigned char*)key, key_length,
(unsigned char*)iv, sizeof(iv), 1, key_version);
if (! ((rc == AES_OK) && ((ulint) dstlen == srclen))) {
ib_logf(IB_LOG_LEVEL_FATAL,
@ -867,11 +865,9 @@ fil_space_decrypt(fil_space_crypt_t* crypt_data,
srclen = pow((double)2, (double)((int)compressed_len)) - FIL_PAGE_DATA;
}
int rc = (* my_aes_decrypt_dynamic)(src, srclen,
dst, &dstlen,
(unsigned char*)key, key_length,
(unsigned char*)iv, sizeof(iv),
1);
int rc = decrypt_data(src, srclen, dst, &dstlen,
(unsigned char*)key, key_length,
(unsigned char*)iv, sizeof(iv), 1, key_version);
if (! ((rc == AES_OK) && ((ulint) dstlen == srclen))) {
ib_logf(IB_LOG_LEVEL_FATAL,

2
storage/xtradb/include/log0crypt.h
View File

@ -17,6 +17,8 @@ Created 11/25/2013 Minli Zhu
#define PURPOSE_BYTE_OFFSET 0
#define UNENCRYPTED_KEY_VER 0
typedef int Crypt_result;
/* If true, enable redo log encryption. */
extern my_bool srv_encrypt_log;
/* Plain text used by AES_ECB to generate redo log crypt key. */

20
storage/xtradb/log/log0crypt.cc
View File

@ -32,7 +32,6 @@ Modified Jan Lindström jan.lindstrom@mariadb.com
#include "srv0start.h" // for srv_start_lsn
#include "log0recv.h" // for recv_sys
#include "mysql/plugin_encryption.h" // for BAD_ENCRYPTION_KEY_VERSION
#include "ha_prototypes.h" // IB_LOG_
/* If true, enable redo log encryption. */
@ -127,12 +126,10 @@ log_init_crypt_key(
}
uint32 dst_len;
my_aes_encrypt_dynamic_type func= get_aes_encrypt_func(MY_AES_ALGORITHM_ECB);
int rc= (*func)(crypt_msg, MY_AES_BLOCK_SIZE, //src, srclen
int rc= my_aes_encrypt_ecb(crypt_msg, MY_AES_BLOCK_SIZE, //src, srclen
key, &dst_len, //dst, &dstlen
(unsigned char*)&mysqld_key, sizeof(mysqld_key),
NULL, 0,
1);
NULL, 0, 1);
if (rc != AES_OK || dst_len != MY_AES_BLOCK_SIZE)
{
@ -207,11 +204,11 @@ log_blocks_crypt(
mach_write_to_4(aes_ctr_counter + 11, log_block_no);
bzero(aes_ctr_counter + 15, 1);
int rc = (* my_aes_encrypt_dynamic)(log_block + LOG_BLOCK_HDR_SIZE, src_len,
dst_block + LOG_BLOCK_HDR_SIZE, &dst_len,
(unsigned char*)key, 16,
aes_ctr_counter, MY_AES_BLOCK_SIZE,
1);
int rc = encrypt_data(log_block + LOG_BLOCK_HDR_SIZE, src_len,
dst_block + LOG_BLOCK_HDR_SIZE, &dst_len,
(unsigned char*)key, 16,
aes_ctr_counter, MY_AES_BLOCK_SIZE, 1,
log_sys->redo_log_crypt_ver);
ut_a(rc == AES_OK);
ut_a(dst_len == src_len);
@ -266,8 +263,7 @@ log_crypt_set_ver_and_key(
encrypted = true;
if (vkey == UNENCRYPTED_KEY_VER ||
vkey == BAD_ENCRYPTION_KEY_VERSION ||
vkey == (unsigned int)CRYPT_KEY_UNKNOWN) {
vkey == BAD_ENCRYPTION_KEY_VERSION) {
encrypted = false;
ib_logf(IB_LOG_LEVEL_WARN,