1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

encryption key management plugin api

Browse Source
This commit is contained in:
Sergei Golubchik 2015-01-05 13:36:14 +01:00
parent c8997c39b4
commit cf8bf0b68e
50 changed files with 696 additions and 344 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
cmake/abi_check.cmake
View File

@ -44,6 +44,7 @@ IF(CMAKE_COMPILER_IS_GNUCC AND RUN_ABI_CHECK)
${CMAKE_SOURCE_DIR}/include/mysql/client_plugin.h
${CMAKE_SOURCE_DIR}/include/mysql/plugin_auth.h
${CMAKE_SOURCE_DIR}/include/mysql/plugin_password_validation.h
${CMAKE_SOURCE_DIR}/include/mysql/plugin_encryption_key_management.h
)
ADD_CUSTOM_TARGET(abi_check ALL

62
include/my_crypt_key_management.h
View File

@ -1,6 +1,6 @@
#ifndef MYSYS_MY_CRYPT_KEY_MANAGMENT_H_
#define MYSYS_MY_CRYPT_KEY_MANAGMENT_H_
#ifndef INCLUDE_MY_CRYPT_KEY_MANAGMENT_INCLUDED
#define INCLUDE_MY_CRYPT_KEY_MANAGMENT_INCLUDED
#include "my_global.h"
#include "my_pthread.h"
@ -18,63 +18,17 @@ extern uint opt_debug_encryption_key_version;
#endif /* DBUG_OFF */
C_MODE_START
/**
* function returning latest key version
*/
typedef int (* GetLatestCryptoKeyVersionFunc_t)();
/**
* function returning if the key exists
*/
typedef unsigned int (* HasKeyVersionFunc_t)(unsigned int version);
/**
* function returning the key size
*/
typedef int (* GetKeySizeFunc_t)(unsigned int version);
/**
* function returning a key for a key version
*/
typedef int (* GetCryptoKeyFunc_t)(unsigned int version,
unsigned char* key,
unsigned keybufsize);
/**
* function returning an iv for a key version
*/
typedef int (* GetCryptoIVFunc_t)(unsigned int version,
unsigned char* iv,
unsigned ivbufsize);
struct CryptoKeyFuncs_t
{
GetLatestCryptoKeyVersionFunc_t getLatestCryptoKeyVersionFunc;
HasKeyVersionFunc_t hasCryptoKeyFunc;
GetKeySizeFunc_t getCryptoKeySize;
GetCryptoKeyFunc_t getCryptoKeyFunc;
GetCryptoIVFunc_t getCryptoIVFunc;
};
/**
* Install functions to use for key management
*/
void
InstallCryptoKeyFunctions(const struct CryptoKeyFuncs_t* cryptoKeyFuncs);
/**
* Functions to interact with key management
*/
int GetLatestCryptoKeyVersion();
unsigned int HasCryptoKey(unsigned int version);
int GetCryptoKeySize(unsigned int version);
int GetCryptoKey(unsigned int version, unsigned char* key_buffer,
unsigned int size);
int GetCryptoIV(unsigned int version, unsigned char* key_buffer,
unsigned int size);
uint get_latest_encryption_key_version();
uint has_encryption_key(uint version);
uint get_encryption_key_size(uint version);
int get_encryption_key(uint version, uchar* key, uint size);
int get_encryption_iv(uint version, uchar* iv, uint size);
C_MODE_END
#endif // MYSYS_MY_CRYPT_KEY_MANAGMENT_H_
#endif // INCLUDE_MY_CRYPT_KEY_MANAGMENT_INCLUDED

4
include/mysql/plugin.h
View File

@ -88,11 +88,11 @@ typedef struct st_mysql_xid MYSQL_XID;
#define MYSQL_AUDIT_PLUGIN 5
#define MYSQL_REPLICATION_PLUGIN 6
#define MYSQL_AUTHENTICATION_PLUGIN 7
#define MYSQL_KEY_MANAGEMENT_PLUGIN 9
#define MYSQL_MAX_PLUGIN_TYPE_NUM 10 /* The number of plugin types */
/* MariaDB plugin types */
#define MariaDB_PASSWORD_VALIDATION_PLUGIN 8
#define MariaDB_PASSWORD_VALIDATION_PLUGIN 8
#define MariaDB_ENCRYPTION_KEY_MANAGEMENT_PLUGIN 9
/* We use the following strings to define licenses for plugins */
#define PLUGIN_LICENSE_PROPRIETARY 0

73
include/mysql/plugin_encryption_key_management.h Normal file
View File

@ -0,0 +1,73 @@
#ifndef MYSQL_PLUGIN_ENCRYPTION_KEY_MANAGEMENT_INCLUDED
/* Copyright (C) 2014 Sergei Golubchik and MariaDB
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
/**
@file
Encryption key Management Plugin API.
This file defines the API for server plugins that manage encryption
keys for MariaDB on-disk data encryption.
*/
#define MYSQL_PLUGIN_ENCRYPTION_KEY_MANAGEMENT_INCLUDED
#include <mysql/plugin.h>
#define MariaDB_ENCRYPTION_KEY_MANAGEMENT_INTERFACE_VERSION 0x0100
#define BAD_ENCRYPTION_KEY_VERSION (~0U)
/**
Encryption key management plugin descriptor
*/
struct st_mariadb_encryption_key_management
{
int interface_version; /**< version plugin uses */
/**
function returning latest key version.
@return a version or BAD_ENCRYPTION_KEY_VERSION to indicate an error.
*/
unsigned int (*get_latest_key_version)();
/** function returning if a key of the given version exists */
unsigned int (*has_key_version)(unsigned int version);
/** function returning the key size in bytes */
unsigned int (*get_key_size)(unsigned int version);
/**
function returning a key for a key version
the key is put in 'key' buffer, that has size of 'keybufsize' bytes.
@return 0 on success, non-zero on failure
*/
int (*get_key)(unsigned int version, unsigned char* key, unsigned int keybufsize);
/**
function returning an IV for a key version
the IV is put in 'iv' buffer, that has size of 'ivbufsize' bytes.
@return 0 on success, non-zero on failure
*/
int (*get_iv)(unsigned int version, unsigned char* iv, unsigned int ivbufsize);
};
#endif

364
include/mysql/plugin_encryption_key_management.h.pp Normal file
View File

@ -0,0 +1,364 @@
#include <mysql/plugin.h>
typedef char my_bool;
typedef void * MYSQL_PLUGIN;
#include <mysql/services.h>
#include <mysql/service_my_snprintf.h>
extern struct my_snprintf_service_st {
size_t (*my_snprintf_type)(char*, size_t, const char*, ...);
size_t (*my_vsnprintf_type)(char *, size_t, const char*, va_list);
} *my_snprintf_service;
size_t my_snprintf(char* to, size_t n, const char* fmt, ...);
size_t my_vsnprintf(char *to, size_t n, const char* fmt, va_list ap);
#include <mysql/service_thd_alloc.h>
struct st_mysql_lex_string
{
char *str;
size_t length;
};
typedef struct st_mysql_lex_string MYSQL_LEX_STRING;
extern struct thd_alloc_service_st {
void *(*thd_alloc_func)(void*, unsigned int);
void *(*thd_calloc_func)(void*, unsigned int);
char *(*thd_strdup_func)(void*, const char *);
char *(*thd_strmake_func)(void*, const char *, unsigned int);
void *(*thd_memdup_func)(void*, const void*, unsigned int);
MYSQL_LEX_STRING *(*thd_make_lex_string_func)(void*, MYSQL_LEX_STRING *,
const char *, unsigned int, int);
} *thd_alloc_service;
void *thd_alloc(void* thd, unsigned int size);
void *thd_calloc(void* thd, unsigned int size);
char *thd_strdup(void* thd, const char *str);
char *thd_strmake(void* thd, const char *str, unsigned int size);
void *thd_memdup(void* thd, const void* str, unsigned int size);
MYSQL_LEX_STRING *thd_make_lex_string(void* thd, MYSQL_LEX_STRING *lex_str,
const char *str, unsigned int size,
int allocate_lex_string);
#include <mysql/service_thd_wait.h>
typedef enum _thd_wait_type_e {
THD_WAIT_SLEEP= 1,
THD_WAIT_DISKIO= 2,
THD_WAIT_ROW_LOCK= 3,
THD_WAIT_GLOBAL_LOCK= 4,
THD_WAIT_META_DATA_LOCK= 5,
THD_WAIT_TABLE_LOCK= 6,
THD_WAIT_USER_LOCK= 7,
THD_WAIT_BINLOG= 8,
THD_WAIT_GROUP_COMMIT= 9,
THD_WAIT_SYNC= 10,
THD_WAIT_NET= 11,
THD_WAIT_LAST= 12
} thd_wait_type;
extern struct thd_wait_service_st {
void (*thd_wait_begin_func)(void*, int);
void (*thd_wait_end_func)(void*);
} *thd_wait_service;
void thd_wait_begin(void* thd, int wait_type);
void thd_wait_end(void* thd);
#include <mysql/service_progress_report.h>
extern struct progress_report_service_st {
void (*thd_progress_init_func)(void* thd, unsigned int max_stage);
void (*thd_progress_report_func)(void* thd,
unsigned long long progress,
unsigned long long max_progress);
void (*thd_progress_next_stage_func)(void* thd);
void (*thd_progress_end_func)(void* thd);
const char *(*set_thd_proc_info_func)(void*, const char *info,
const char *func,
const char *file,
unsigned int line);
} *progress_report_service;
void thd_progress_init(void* thd, unsigned int max_stage);
void thd_progress_report(void* thd,
unsigned long long progress,
unsigned long long max_progress);
void thd_progress_next_stage(void* thd);
void thd_progress_end(void* thd);
const char *set_thd_proc_info(void*, const char * info, const char *func,
const char *file, unsigned int line);
#include <mysql/service_debug_sync.h>
extern void (*debug_sync_C_callback_ptr)(void*, const char *, size_t);
#include <mysql/service_kill_statement.h>
enum thd_kill_levels {
THD_IS_NOT_KILLED=0,
THD_ABORT_SOFTLY=50,
THD_ABORT_ASAP=100,
};
extern struct kill_statement_service_st {
enum thd_kill_levels (*thd_kill_level_func)(const void*);
} *thd_kill_statement_service;
enum thd_kill_levels thd_kill_level(const void*);
#include <mysql/service_thd_timezone.h>
#include "mysql_time.h"
typedef long my_time_t;
enum enum_mysql_timestamp_type
{
MYSQL_TIMESTAMP_NONE= -2, MYSQL_TIMESTAMP_ERROR= -1,
MYSQL_TIMESTAMP_DATE= 0, MYSQL_TIMESTAMP_DATETIME= 1, MYSQL_TIMESTAMP_TIME= 2
};
typedef struct st_mysql_time
{
unsigned int year, month, day, hour, minute, second;
unsigned long second_part;
my_bool neg;
enum enum_mysql_timestamp_type time_type;
} MYSQL_TIME;
extern struct thd_timezone_service_st {
my_time_t (*thd_TIME_to_gmt_sec)(void* thd, const MYSQL_TIME *ltime, unsigned int *errcode);
void (*thd_gmt_sec_to_TIME)(void* thd, MYSQL_TIME *ltime, my_time_t t);
} *thd_timezone_service;
my_time_t thd_TIME_to_gmt_sec(void* thd, const MYSQL_TIME *ltime, unsigned int *errcode);
void thd_gmt_sec_to_TIME(void* thd, MYSQL_TIME *ltime, my_time_t t);
#include <mysql/service_sha1.h>
extern struct my_sha1_service_st {
void (*my_sha1_type)(unsigned char*, const char*, size_t);
void (*my_sha1_multi_type)(unsigned char*, ...);
size_t (*my_sha1_context_size_type)();
void (*my_sha1_init_type)(void *);
void (*my_sha1_input_type)(void *, const unsigned char *, size_t);
void (*my_sha1_result_type)(void *, unsigned char *);
} *my_sha1_service;
void my_sha1(unsigned char*, const char*, size_t);
void my_sha1_multi(unsigned char*, ...);
size_t my_sha1_context_size();
void my_sha1_init(void *context);
void my_sha1_input(void *context, const unsigned char *buf, size_t len);
void my_sha1_result(void *context, unsigned char *digest);
#include <mysql/service_md5.h>
extern struct my_md5_service_st {
void (*my_md5_type)(unsigned char*, const char*, size_t);
void (*my_md5_multi_type)(unsigned char*, ...);
size_t (*my_md5_context_size_type)();
void (*my_md5_init_type)(void *);
void (*my_md5_input_type)(void *, const unsigned char *, size_t);
void (*my_md5_result_type)(void *, unsigned char *);
} *my_md5_service;
void my_md5(unsigned char*, const char*, size_t);
void my_md5_multi(unsigned char*, ...);
size_t my_md5_context_size();
void my_md5_init(void *context);
void my_md5_input(void *context, const unsigned char *buf, size_t len);
void my_md5_result(void *context, unsigned char *digest);
#include <mysql/service_logger.h>
typedef struct logger_handle_st LOGGER_HANDLE;
extern struct logger_service_st {
void (*logger_init_mutexes)();
LOGGER_HANDLE* (*open)(const char *path,
unsigned long long size_limit,
unsigned int rotations);
int (*close)(LOGGER_HANDLE *log);
int (*vprintf)(LOGGER_HANDLE *log, const char *fmt, va_list argptr);
int (*printf)(LOGGER_HANDLE *log, const char *fmt, ...);
int (*write)(LOGGER_HANDLE *log, const char *buffer, size_t size);
int (*rotate)(LOGGER_HANDLE *log);
} *logger_service;
void logger_init_mutexes();
LOGGER_HANDLE *logger_open(const char *path,
unsigned long long size_limit,
unsigned int rotations);
int logger_close(LOGGER_HANDLE *log);
int logger_vprintf(LOGGER_HANDLE *log, const char *fmt, va_list argptr);
int logger_printf(LOGGER_HANDLE *log, const char *fmt, ...);
int logger_write(LOGGER_HANDLE *log, const char *buffer, size_t size);
int logger_rotate(LOGGER_HANDLE *log);
#include <mysql/service_thd_autoinc.h>
extern struct thd_autoinc_service_st {
void (*thd_get_autoinc_func)(const void* thd,
unsigned long* off, unsigned long* inc);
} *thd_autoinc_service;
void thd_get_autoinc(const void* thd,
unsigned long* off, unsigned long* inc);
#include <mysql/service_thd_error_context.h>
extern struct thd_error_context_service_st {
const char *(*thd_get_error_message_func)(const void* thd);
unsigned int (*thd_get_error_number_func)(const void* thd);
unsigned long (*thd_get_error_row_func)(const void* thd);
void (*thd_inc_error_row_func)(void* thd);
char *(*thd_get_error_context_description_func)(void* thd,
char *buffer,
unsigned int length,
unsigned int max_query_length);
} *thd_error_context_service;
const char *thd_get_error_message(const void* thd);
unsigned int thd_get_error_number(const void* thd);
unsigned long thd_get_error_row(const void* thd);
void thd_inc_error_row(void* thd);
char *thd_get_error_context_description(void* thd,
char *buffer, unsigned int length,
unsigned int max_query_length);
#include <mysql/service_thd_specifics.h>
typedef int MYSQL_THD_KEY_T;
extern struct thd_specifics_service_st {
int (*thd_key_create_func)(MYSQL_THD_KEY_T *key);
void (*thd_key_delete_func)(MYSQL_THD_KEY_T *key);
void *(*thd_getspecific_func)(void* thd, MYSQL_THD_KEY_T key);
int (*thd_setspecific_func)(void* thd, MYSQL_THD_KEY_T key, void *value);
} *thd_specifics_service;
int thd_key_create(MYSQL_THD_KEY_T *key);
void thd_key_delete(MYSQL_THD_KEY_T *key);
void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
struct st_mysql_xid {
long formatID;
long gtrid_length;
long bqual_length;
char data[128];
};
typedef struct st_mysql_xid MYSQL_XID;
enum enum_mysql_show_type
{
SHOW_UNDEF, SHOW_BOOL, SHOW_UINT, SHOW_ULONG,
SHOW_ULONGLONG, SHOW_CHAR, SHOW_CHAR_PTR,
SHOW_ARRAY, SHOW_FUNC, SHOW_DOUBLE,
SHOW_SINT, SHOW_SLONG, SHOW_SLONGLONG, SHOW_SIMPLE_FUNC,
SHOW_always_last
};
enum enum_var_type
{
SHOW_OPT_DEFAULT= 0, SHOW_OPT_SESSION, SHOW_OPT_GLOBAL
};
struct st_mysql_show_var {
const char *name;
char *value;
enum enum_mysql_show_type type;
};
typedef int (*mysql_show_var_func)(void*, struct st_mysql_show_var*, char *, enum enum_var_type);
struct st_mysql_sys_var;
struct st_mysql_value;
typedef int (*mysql_var_check_func)(void* thd,
struct st_mysql_sys_var *var,
void *save, struct st_mysql_value *value);
typedef void (*mysql_var_update_func)(void* thd,
struct st_mysql_sys_var *var,
void *var_ptr, const void *save);
struct st_mysql_plugin
{
int type;
void *info;
const char *name;
const char *author;
const char *descr;
int license;
int (*init)(void *);
int (*deinit)(void *);
unsigned int version;
struct st_mysql_show_var *status_vars;
struct st_mysql_sys_var **system_vars;
void * __reserved1;
unsigned long flags;
};
struct st_maria_plugin
{
int type;
void *info;
const char *name;
const char *author;
const char *descr;
int license;
int (*init)(void *);
int (*deinit)(void *);
unsigned int version;
struct st_mysql_show_var *status_vars;
struct st_mysql_sys_var **system_vars;
const char *version_info;
unsigned int maturity;
};
#include "plugin_ftparser.h"
#include "plugin.h"
enum enum_ftparser_mode
{
MYSQL_FTPARSER_SIMPLE_MODE= 0,
MYSQL_FTPARSER_WITH_STOPWORDS= 1,
MYSQL_FTPARSER_FULL_BOOLEAN_INFO= 2
};
enum enum_ft_token_type
{
FT_TOKEN_EOF= 0,
FT_TOKEN_WORD= 1,
FT_TOKEN_LEFT_PAREN= 2,
FT_TOKEN_RIGHT_PAREN= 3,
FT_TOKEN_STOPWORD= 4
};
typedef struct st_mysql_ftparser_boolean_info
{
enum enum_ft_token_type type;
int yesno;
int weight_adjust;
char wasign;
char trunc;
char prev;
char *quot;
} MYSQL_FTPARSER_BOOLEAN_INFO;
typedef struct st_mysql_ftparser_param
{
int (*mysql_parse)(struct st_mysql_ftparser_param *,
const char *doc, int doc_len);
int (*mysql_add_word)(struct st_mysql_ftparser_param *,
const char *word, int word_len,
MYSQL_FTPARSER_BOOLEAN_INFO *boolean_info);
void *ftparser_state;
void *mysql_ftparam;
const struct charset_info_st *cs;
const char *doc;
int length;
unsigned int flags;
enum enum_ftparser_mode mode;
} MYSQL_FTPARSER_PARAM;
struct st_mysql_ftparser
{
int interface_version;
int (*parse)(MYSQL_FTPARSER_PARAM *param);
int (*init)(MYSQL_FTPARSER_PARAM *param);
int (*deinit)(MYSQL_FTPARSER_PARAM *param);
};
struct st_mysql_daemon
{
int interface_version;
};
struct st_mysql_information_schema
{
int interface_version;
};
struct st_mysql_storage_engine
{
int interface_version;
};
struct handlerton;
struct Mysql_replication {
int interface_version;
};
struct st_mysql_value
{
int (*value_type)(struct st_mysql_value *);
const char *(*val_str)(struct st_mysql_value *, char *buffer, int *length);
int (*val_real)(struct st_mysql_value *, double *realbuf);
int (*val_int)(struct st_mysql_value *, long long *intbuf);
int (*is_unsigned)(struct st_mysql_value *);
};
int thd_in_lock_tables(const void* thd);
int thd_tablespace_op(const void* thd);
long long thd_test_options(const void* thd, long long test_options);
int thd_sql_command(const void* thd);
void **thd_ha_data(const void* thd, const struct handlerton *hton);
void thd_storage_lock_wait(void* thd, long long value);
int thd_tx_isolation(const void* thd);
int thd_tx_is_read_only(const void* thd);
int thd_rpl_is_parallel(const void* thd);
int mysql_tmpfile(const char *prefix);
unsigned long thd_get_thread_id(const void* thd);
void thd_get_xid(const void* thd, MYSQL_XID *xid);
void mysql_query_cache_invalidate4(void* thd,
const char *key, unsigned int key_length,
int using_trx);
void *thd_get_ha_data(const void* thd, const struct handlerton *hton);
void thd_set_ha_data(void* thd, const struct handlerton *hton,
const void *ha_data);
void thd_wakeup_subsequent_commits(void* thd, int wakeup_error);
struct st_mariadb_encryption_key_management
{
int interface_version;
unsigned int (*get_latest_key_version)();
unsigned int (*has_key_version)(unsigned int version);
unsigned int (*get_key_size)(unsigned int version);
int (*get_key)(unsigned int version, unsigned char* key, unsigned int keybufsize);
int (*get_iv)(unsigned int version, unsigned char* iv, unsigned int ivbufsize);
};

2
libmysqld/CMakeLists.txt
View File

@ -105,7 +105,7 @@ SET(SQL_EMBEDDED_SOURCES emb_qcache.cc libmysqld.c lib_sql.cc
../sql/compat56.cc
../sql/table_cache.cc
../sql/item_inetfunc.cc
../sql/wsrep_dummy.cc
../sql/wsrep_dummy.cc ../sql/encryption_keys.cc
${GEN_SOURCES}
${MYSYS_LIBWRAP_SOURCE}
)

5
mysql-test/include/have_example_key_management_plugin.inc Normal file
View File

@ -0,0 +1,5 @@
if (`select count(*) = 0 from information_schema.plugins
where plugin_name = 'example_key_management_plugin' and plugin_status='active'`)
{
--skip Needs example_key_management_plugin
}

2
mysql-test/include/have_example_key_management_plugin.opt Normal file
View File

@ -0,0 +1,2 @@
--plugin-load-add=$EXAMPLE_KEY_MANAGEMENT_PLUGIN_SO
--loose-example-key-management-plugin

5
mysql-test/include/have_file_key_management_plugin.inc Normal file
View File

@ -0,0 +1,5 @@
if (`select count(*) = 0 from information_schema.plugins
where plugin_name = 'file_key_management_plugin' and plugin_status='active'`)
{
--skip Needs file_key_management_plugin
}

4
mysql-test/include/have_file_key_management_plugin.opt Normal file
View File

@ -0,0 +1,4 @@
--plugin-load-add=$FILE_KEY_MANAGEMENT_PLUGIN_SO
--loose-file-key-management-plugin
--loose-file-key-management-plugin-filename=$MYSQL_TEST_DIR/std_data/keys.txt
--encryption-algorithm=aes_cbc

0
mysql-test/suite/innodb/include/keys.txt → mysql-test/std_data/keys.txt
View File

4
mysql-test/suite/innodb/t/innodb-page_encryption-32k-master.opt
View File

@ -1,4 +0,0 @@
--default-storage-engine=InnoDB
--encryption-algorithm=aes_cbs
--file-key-management-plugin-filename=$MYSQL_TEST_DIR/suite/innodb/include/keys.txt
--innodb-buffer-pool-size=24M

2
mysql-test/suite/innodb/t/innodb-page_encryption-32k.opt Normal file
View File

@ -0,0 +1,2 @@
--default_storage_engine=InnoDB
--innodb-buffer-pool-size=24M

3
mysql-test/suite/innodb/t/innodb-page_encryption.opt
View File

@ -1,3 +0,0 @@
--enable-file-key-management-plugin
--encryption-algorithm=aes_cbs
--file-key-management-plugin-filename=$MYSQL_TEST_DIR/suite/innodb/include/keys.txt

1
mysql-test/suite/innodb/t/innodb-page_encryption.test
View File

@ -1,4 +1,5 @@
-- source include/have_innodb.inc
-- source include/have_file_key_management_plugin.inc
--disable_query_log
let $innodb_file_format_orig = `SELECT @@innodb_file_format`;

3
mysql-test/suite/innodb/t/innodb-page_encryption_compression.opt
View File

@ -1,3 +0,0 @@
--enable-file-key-management-plugin
--encryption-algorithm=aes_cbs
--file-key-management-plugin-filename=$MYSQL_TEST_DIR/suite/innodb/include/keys.txt

1
mysql-test/suite/innodb/t/innodb-page_encryption_compression.test
View File

@ -1,4 +1,5 @@
-- source include/have_innodb.inc
-- source include/have_file_key_management_plugin.inc
--disable_query_log
let $innodb_compression_algorithm_orig=`SELECT @@innodb_compression_algorithm`;

7
mysql-test/suite/innodb/t/innodb_encryption.opt
View File

@ -1,8 +1,7 @@
--enable-example-key-management-plugin
--encrypt-tmp-disk-tables=ON
--aria-encrypt-tables=ON
--innodb-encryption-threads=4
--innodb-encryption-rotate-key-age=15
--encrypt-tmp-disk-tables=ON
--innodb-encrypt-tables=ON
--innodb-encryption-rotate-key-age=15
--innodb-encryption-threads=4
--innodb-tablespaces-encryption
--encryption-algorithm=aes_ctr

1
mysql-test/suite/innodb/t/innodb_encryption.test
View File

@ -2,6 +2,7 @@
#
#
-- source include/have_innodb.inc
-- source include/have_example_key_management_plugin.inc
# embedded does not support restart
-- source include/not_embedded.inc

11
mysql-test/suite/innodb/t/innodb_scrub.opt
View File

@ -1,14 +1,13 @@
--enable-example-key-management-plugin
--aria-encrypt-tables=ON
--encrypt-tmp-disk-tables=ON
--innodb-background-scrub-data-compressed=OFF
--innodb-background-scrub-data-uncompressed=OFF
--innodb-encrypt-tables=0
--innodb-encrypt-tables=ON
--innodb-encryption-rotate-key-age=15
--innodb-encryption-threads=0
--innodb-encryption-threads=4
--innodb-file-format=Barracuda
--innodb-file-per-table=1
--innodb-immediate-scrub-data-uncompressed=ON
--loose-aria-encrypt-tables=ON
--loose-encrypt-tmp-disk-tables=ON
--loose-innodb-encrypt-tables=ON
--loose-innodb-encryption-rotate-key-age=15
--loose-innodb-encryption-threads=4
--loose-innodb-scrub-force-testing=ON

1
mysql-test/suite/innodb/t/innodb_scrub.test
View File

@ -1,5 +1,6 @@
-- source include/have_innodb.inc
-- source include/not_embedded.inc
-- source include/have_example_key_management_plugin.inc
let $MYSQLD_DATADIR=`select @@datadir`;
let ib1_IBD = $MYSQLD_DATADIR/ibdata1;

21
mysql-test/suite/innodb/t/innodb_scrub_background.opt
View File

@ -1,15 +1,14 @@
--enable-example-key-management-plugin
--innodb-background-scrub-data-compressed=ON
--innodb-background-scrub-data-uncompressed=ON
--innodb-file-per-table=1
--innodb-file-format=Barracuda
--innodb-encrypt-tables=0
--innodb-encryption-threads=0
--innodb-file-format=Barracuda
--innodb-file-per-table=1
--innodb-immediate-scrub-data-uncompressed=OFF
--innodb-tablespaces-scrubbing
--loose-aria-encrypt-tables=ON
--loose-encrypt-tmp-disk-tables=ON
--loose-innodb-encrypt-tables=ON
--loose-innodb-encryption-rotate-key-age=15
--loose-innodb-encryption-threads=4
--innodb-background-scrub-data-uncompressed=ON
--innodb-background-scrub-data-compressed=ON
--loose-innodb-scrub-force-testing=ON
--encrypt-tmp-disk-tables=ON
--aria-encrypt-tables=ON
--innodb-encryption-threads=4
--innodb-encryption-rotate-key-age=15
--innodb-encrypt-tables=ON
--innodb-tablespaces-scrubbing

1
mysql-test/suite/innodb/t/innodb_scrub_background.test
View File

@ -1,5 +1,6 @@
-- source include/have_innodb.inc
-- source include/not_embedded.inc
-- source include/have_example_key_management_plugin.inc
let $MYSQLD_DATADIR=`select @@datadir`;
let ib1_IBD = $MYSQLD_DATADIR/ibdata1;

24
mysql-test/suite/innodb/t/innodb_scrub_compressed.opt
View File

@ -1,15 +1,15 @@
--enable-example-key-management-plugin
--innodb-background-scrub-data-compressed=ON
--innodb-background-scrub-data-uncompressed=ON
--innodb-encrypt-tables=off
--innodb-encryption-threads=0
--innodb-file-format=Barracuda
--innodb-file-per-table=1
--innodb-file-format=Barracuda
--innodb-encrypt-tables=off
--innodb-immediate-scrub-data-uncompressed=ON
--innodb-tablespaces-scrubbing
--loose-aria-encrypt-tables=ON
--loose-encrypt-tmp-disk-tables=ON
--loose-innodb-encrypt-tables=ON
--loose-innodb-encryption-rotate-key-age=15
--loose-innodb-encryption-threads=4
--innodb-background-scrub-data-uncompressed=ON
--innodb-background-scrub-data-compressed=ON
--loose-innodb-scrub-force-testing=ON
--innodb-encryption-threads=0
--encrypt-tmp-disk-tables=ON
--aria-encrypt-tables=ON
--innodb-encryption-threads=4
--innodb-encryption-rotate-key-age=15
--innodb-encrypt-tables=ON
--innodb-tablespaces-scrubbing

1
mysql-test/suite/innodb/t/innodb_scrub_compressed.test
View File

@ -1,5 +1,6 @@
-- source include/have_innodb.inc
-- source include/not_embedded.inc
-- source include/have_example_key_management_plugin.inc
let $MYSQLD_DATADIR=`select @@datadir`;
let ib1_IBD = $MYSQLD_DATADIR/ibdata1;

3
mysql-test/suite/plugins/r/show_all_plugins.result
View File

@ -21,11 +21,12 @@ Name Status Type Library License
EXAMPLE NOT INSTALLED STORAGE ENGINE ha_example.so GPL
UNUSABLE NOT INSTALLED DAEMON ha_example.so GPL
daemon_example NOT INSTALLED DAEMON libdaemon_example.so GPL
example_key_management_plugin NOT INSTALLED ENCRYPTION KEY MANAGEMENT example_key_management_plugin.so GPL
three_attempts NOT INSTALLED AUTHENTICATION dialog_examples.so GPL
two_questions NOT INSTALLED AUTHENTICATION dialog_examples.so GPL
show status like '%libraries%';
Variable_name Value
Opened_plugin_libraries 6
Opened_plugin_libraries 7
show plugins soname where library = 'ha_example.so';
Name Status Type Library License
EXAMPLE NOT INSTALLED STORAGE ENGINE ha_example.so GPL

7
mysys/my_thr_init.c
View File

@ -66,10 +66,6 @@ static void my_thread_init_common_mutex(void)
#if !defined(HAVE_LOCALTIME_R) || !defined(HAVE_GMTIME_R)
mysql_mutex_init(key_LOCK_localtime_r, &LOCK_localtime_r, MY_MUTEX_INIT_SLOW);
#endif
#ifndef DBUG_OFF
mysql_rwlock_init(key_LOCK_dbug_encryption_key_version,
&LOCK_dbug_encryption_key_version);
#endif
}
void my_thread_destroy_common_mutex(void)
@ -84,9 +80,6 @@ void my_thread_destroy_common_mutex(void)
#if !defined(HAVE_LOCALTIME_R) || !defined(HAVE_GMTIME_R)
mysql_mutex_destroy(&LOCK_localtime_r);
#endif
#ifndef DBUG_OFF
mysql_rwlock_destroy(&LOCK_dbug_encryption_key_version);
#endif
}

2
mysys_ssl/CMakeLists.txt
View File

@ -40,8 +40,6 @@ SET(MYSYS_SSL_SOURCES
my_md5.cc
my_rnd.cc
my_crypt.cc
my_crypt_key_management.cc
my_crypt_key_management_impl.cc
)
ADD_CONVENIENCE_LIBRARY(mysys_ssl ${MYSYS_SSL_SOURCES})

110
mysys_ssl/my_crypt_key_management.cc
View File

@ -1,110 +0,0 @@
#include <my_global.h>
#include <my_crypt_key_management.h>
#include <cstring>
#ifndef DBUG_OFF
#include <myisampack.h>
my_bool debug_use_static_encryption_keys = 0;
#ifdef HAVE_PSI_INTERFACE
PSI_rwlock_key key_LOCK_dbug_encryption_key_version;
#endif
mysql_rwlock_t LOCK_dbug_encryption_key_version;
unsigned int opt_debug_encryption_key_version = 0;
#endif
/**
* Default functions
*/
int GetLatestCryptoKeyVersionImpl();
unsigned int HasCryptoKeyImpl(unsigned int version);
int GetCryptoKeySizeImpl(unsigned int version);
int GetCryptoKeyImpl(unsigned int version, unsigned char* key_buffer,
unsigned int size);
int GetCryptoIVImpl(unsigned int version, unsigned char* key_buffer,
unsigned int size);
/**
* Function pointers for
* - GetLatestCryptoKeyVersion
* - GetCryptoKey
*/
static
struct CryptoKeyFuncs_t cryptoKeyFuncs = {
GetLatestCryptoKeyVersionImpl,
HasCryptoKeyImpl,
GetCryptoKeySizeImpl,
GetCryptoKeyImpl,
GetCryptoIVImpl
};
extern "C"
int GetLatestCryptoKeyVersion() {
#ifndef DBUG_OFF
if (debug_use_static_encryption_keys) {
mysql_rwlock_rdlock(&LOCK_dbug_encryption_key_version);
unsigned int res = opt_debug_encryption_key_version;
mysql_rwlock_unlock(&LOCK_dbug_encryption_key_version);
return res;
}
#endif
return (* cryptoKeyFuncs.getLatestCryptoKeyVersionFunc)();
}
extern "C"
unsigned int HasCryptoKey(unsigned int version) {
return (* cryptoKeyFuncs.hasCryptoKeyFunc)(version);
}
extern "C"
int GetCryptoKeySize(unsigned int version) {
return (* cryptoKeyFuncs.getCryptoKeySize)(version);
}
extern "C"
int GetCryptoKey(unsigned int version, unsigned char* key, unsigned int size) {
#ifndef DBUG_OFF
if (debug_use_static_encryption_keys) {
memset(key, 0, size);
// Just don't support tiny keys, no point anyway.
if (size < 4) {
return 1;
}
mi_int4store(key, version);
return 0;
}
#endif
return (* cryptoKeyFuncs.getCryptoKeyFunc)(version, key, size);
}
extern "C"
int GetCryptoIV(unsigned int version, unsigned char* key, unsigned int size) {
return (* cryptoKeyFuncs.getCryptoIVFunc)(version, key, size);
}
extern "C"
void
InstallCryptoKeyFunctions(const struct CryptoKeyFuncs_t* _cryptoKeyFuncs)
{
if (_cryptoKeyFuncs == NULL)
{
/* restore defaults wHashhen called with NULL argument */
cryptoKeyFuncs.getLatestCryptoKeyVersionFunc =
GetLatestCryptoKeyVersionImpl;
cryptoKeyFuncs.hasCryptoKeyFunc =
HasCryptoKeyImpl;
cryptoKeyFuncs.getCryptoKeySize =
GetCryptoKeySizeImpl;
cryptoKeyFuncs.getCryptoKeyFunc =
GetCryptoKeyImpl;
cryptoKeyFuncs.getCryptoIVFunc =
GetCryptoIVImpl;
}
else
{
cryptoKeyFuncs = *_cryptoKeyFuncs;
}
}

34
mysys_ssl/my_crypt_key_management_impl.cc
View File

@ -1,34 +0,0 @@
#include <my_global.h>
// TODO Not yet implemented.
int GetLatestCryptoKeyVersionImpl()
{
abort();
return 0; /* Keep compiler happy */
}
unsigned int HasCryptoKeyImpl(unsigned int version)
{
abort();
return 0; /* Keep compiler happy */
}
int GetCryptoKeySizeImpl(unsigned int version)
{
abort();
return 0; /* Keep compiler happy */
}
int GetCryptoKeyImpl(unsigned int version, unsigned char* key,
unsigned int key_size)
{
abort();
return 0; /* Keep compiler happy */
}
int GetCryptoIVImpl(unsigned int version, unsigned char* key,
unsigned int key_size)
{
abort();
return 0; /* Keep compiler happy */
}

3
plugin/example_key_management_plugin/CMakeLists.txt
View File

@ -1 +1,2 @@
MYSQL_ADD_PLUGIN(EXAMPLE_KEY_MANAGEMENT_PLUGIN example_key_management_plugin.cc MANDATORY)
MYSQL_ADD_PLUGIN(EXAMPLE_KEY_MANAGEMENT_PLUGIN example_key_management_plugin.cc
MODULE_ONLY)

31
plugin/example_key_management_plugin/example_key_management_plugin.cc
View File

@ -1,10 +1,9 @@
// Copyright (C) 2014 Google Inc.
#include <mysql_version.h>
#include <my_global.h>
#include <my_pthread.h>
#include <my_aes.h>
#include <my_crypt_key_management.h>
#include <mysql/plugin_encryption_key_management.h>
#include <my_md5.h>
#include <my_rnd.h>
@ -17,8 +16,7 @@ static unsigned int key_version = 0;
static unsigned int next_key_version = 0;
static pthread_mutex_t mutex;
static
int
static unsigned int
get_latest_key_version()
{
uint now = time(0);
@ -34,8 +32,7 @@ get_latest_key_version()
return key_version;
}
static
int
static int
get_key(unsigned int version, unsigned char* dstbuf, unsigned buflen)
{
char *dst = (char*)dstbuf; // md5 function takes char* as argument...
@ -58,7 +55,7 @@ static unsigned int has_key_func(unsigned int keyID)
return true;
}
static int get_key_size(unsigned int keyID)
static unsigned int get_key_size(unsigned int keyID)
{
return 16;
}
@ -87,13 +84,6 @@ static int example_key_management_plugin_init(void *p)
pthread_mutex_init(&mutex, NULL);
struct CryptoKeyFuncs_t func;
func.getLatestCryptoKeyVersionFunc = get_latest_key_version;
func.hasCryptoKeyFunc = has_key_func;
func.getCryptoKeySize = get_key_size;
func.getCryptoKeyFunc = get_key;
func.getCryptoIVFunc = get_iv;
InstallCryptoKeyFunctions(&func);
return 0;
}
@ -103,8 +93,13 @@ static int example_key_management_plugin_deinit(void *p)
return 0;
}
struct st_mysql_daemon example_key_management_plugin= {
MYSQL_DAEMON_INTERFACE_VERSION
struct st_mariadb_encryption_key_management example_key_management_plugin= {
MariaDB_ENCRYPTION_KEY_MANAGEMENT_INTERFACE_VERSION,
get_latest_key_version,
has_key_func,
get_key_size,
get_key,
get_iv
};
/*
@ -112,7 +107,7 @@ struct st_mysql_daemon example_key_management_plugin= {
*/
maria_declare_plugin(example_key_management_plugin)
{
MYSQL_DAEMON_PLUGIN,
MariaDB_ENCRYPTION_KEY_MANAGEMENT_PLUGIN,
&example_key_management_plugin,
"example_key_management_plugin",
"Jonas Oreland",
@ -124,6 +119,6 @@ maria_declare_plugin(example_key_management_plugin)
NULL, /* status variables */
NULL, /* system variables */
"1.0",
MariaDB_PLUGIN_MATURITY_UNKNOWN
MariaDB_PLUGIN_MATURITY_EXPERIMENTAL
}
maria_declare_plugin_end;

2
plugin/file_key_management_plugin/CMakeLists.txt
View File

@ -1,4 +1,4 @@
SET(FILE_KEY_MANAGEMENT_PLUGIN_SOURCES file_key_management_plugin.cc EncKeys.cc KeySingleton.cc)
MYSQL_ADD_PLUGIN(FILE_KEY_MANAGEMENT_PLUGIN ${FILE_KEY_MANAGEMENT_PLUGIN_SOURCES} DEFAULT
MYSQL_ADD_PLUGIN(FILE_KEY_MANAGEMENT_PLUGIN ${FILE_KEY_MANAGEMENT_PLUGIN_SOURCES}
LINK_LIBRARIES pcre)

26
plugin/file_key_management_plugin/file_key_management_plugin.cc
View File

@ -16,6 +16,7 @@
#include <my_global.h>
#include <mysql_version.h>
#include <mysql/plugin_encryption_key_management.h>
#include <my_aes.h>
#include <my_crypt_key_management.h>
#include "sql_class.h"
@ -50,7 +51,7 @@ static struct st_mysql_sys_var* settings[] = {
rotation feature of encrypting log files.
*/
static int get_highest_key_used_in_key_file()
static unsigned int get_highest_key_used_in_key_file()
{
if (KeySingleton::getInstance().hasKey(0))
{
@ -67,7 +68,7 @@ static unsigned int has_key_from_key_file(unsigned int keyID)
return entry != NULL;
}
static int get_key_size_from_key_file(unsigned int keyID)
static unsigned int get_key_size_from_key_file(unsigned int keyID)
{
keyentry* entry = KeySingleton::getInstance().getKeys(keyID);
@ -146,16 +147,6 @@ static int file_key_management_plugin_init(void *p)
return 1;
}
/* Initializing the key provider */
struct CryptoKeyFuncs_t func;
func.getLatestCryptoKeyVersionFunc = get_highest_key_used_in_key_file;
func.hasCryptoKeyFunc = has_key_from_key_file;
func.getCryptoKeySize = get_key_size_from_key_file;
func.getCryptoKeyFunc = get_key_from_key_file;
func.getCryptoIVFunc = get_iv_from_key_file;
InstallCryptoKeyFunctions(&func);
if (filename == NULL || strcmp("", filename) == 0)
{
sql_print_error("Parameter file_key_management_plugin_filename is required");
@ -175,8 +166,13 @@ static int file_key_management_plugin_deinit(void *p)
return 0;
}
struct st_mysql_daemon file_key_management_plugin= {
MYSQL_DAEMON_INTERFACE_VERSION
struct st_mariadb_encryption_key_management file_key_management_plugin= {
MariaDB_ENCRYPTION_KEY_MANAGEMENT_INTERFACE_VERSION,
get_highest_key_used_in_key_file,
has_key_from_key_file,
get_key_size_from_key_file,
get_key_from_key_file,
get_iv_from_key_file
};
/*
@ -184,7 +180,7 @@ struct st_mysql_daemon file_key_management_plugin= {
*/
maria_declare_plugin(file_key_management_plugin)
{
MYSQL_KEY_MANAGEMENT_PLUGIN,
MariaDB_ENCRYPTION_KEY_MANAGEMENT_PLUGIN,
&file_key_management_plugin,
"file_key_management_plugin",
"Denis Endro eperi GmbH",

2
sql/CMakeLists.txt
View File

@ -115,7 +115,7 @@ SET (SQL_SOURCE
my_json_writer.cc my_json_writer.h
rpl_gtid.cc rpl_parallel.cc
${WSREP_SOURCES}
table_cache.cc
table_cache.cc encryption_keys.cc
${CMAKE_CURRENT_BINARY_DIR}/sql_builtin.cc
${GEN_SOURCES}
${MYSYS_LIBWRAP_SOURCE}

110
sql/encryption_keys.cc Normal file
View File

@ -0,0 +1,110 @@
#include <my_global.h>
#include <mysql/plugin_encryption_key_management.h>
#include <my_crypt_key_management.h>
#include "log.h"
#include "sql_plugin.h"
#ifndef DBUG_OFF
my_bool debug_use_static_encryption_keys = 0;
uint opt_debug_encryption_key_version = 0;
#endif
/* there can be only one encryption key management plugin enabled */
static plugin_ref encryption_key_manager= 0;
static struct st_mariadb_encryption_key_management *handle;
uint get_latest_encryption_key_version()
{
#ifndef DBUG_OFF
if (debug_use_static_encryption_keys)
{
//mysql_mutex_lock(&LOCK_global_system_variables);
uint res = opt_debug_encryption_key_version;
//mysql_mutex_unlock(&LOCK_global_system_variables);
return res;
}
#endif
if (encryption_key_manager)
return handle->get_latest_key_version();
return BAD_ENCRYPTION_KEY_VERSION;
}
uint has_encryption_key(uint version)
{
if (encryption_key_manager)
return handle->has_key_version(version);
return 0;
}
uint get_encryption_key_size(uint version)
{
if (encryption_key_manager)
return handle->get_key_size(version);
return 0;
}
int get_encryption_key(uint version, uchar* key, uint size)
{
#ifndef DBUG_OFF
if (debug_use_static_encryption_keys)
{
memset(key, 0, size);
// Just don't support tiny keys, no point anyway.
if (size < 4)
return 1;
mi_int4store(key, version);
return 0;
}
#endif
if (encryption_key_manager)
return handle->get_key(version, key, size);
return 1;
}
int get_encryption_iv(uint version, uchar* iv, uint size)
{
if (encryption_key_manager)
return handle->get_iv(version, iv, size);
return 1;
}
int initialize_encryption_key_management_plugin(st_plugin_int *plugin)
{
if (encryption_key_manager)
return 1;
if (plugin->plugin->init && plugin->plugin->init(plugin))
{
sql_print_error("Plugin '%s' init function returned error.",
plugin->name.str);
return 1;
}
encryption_key_manager= plugin_lock(NULL, plugin_int_to_ref(plugin));
handle= (struct st_mariadb_encryption_key_management*)
plugin->plugin->info;
return 0;
}
int finalize_encryption_key_management_plugin(st_plugin_int *plugin)
{
DBUG_ASSERT(encryption_key_manager);
if (plugin->plugin->deinit && plugin->plugin->deinit(NULL))
{
DBUG_PRINT("warning", ("Plugin '%s' deinit function returned error.",
plugin->name.str));
}
plugin_unlock(NULL, encryption_key_manager);
encryption_key_manager= 0;
return 0;
}

21
sql/sql_plugin.cc
View File

@ -37,6 +37,7 @@
#include "lock.h" // MYSQL_LOCK_IGNORE_TIMEOUT
#include <mysql/plugin_auth.h>
#include <mysql/plugin_password_validation.h>
#include <mysql/plugin_encryption_key_management.h>
#include "sql_plugin_compat.h"
#define REPORT_TO_LOG 1
@ -85,7 +86,8 @@ const LEX_STRING plugin_type_names[MYSQL_MAX_PLUGIN_TYPE_NUM]=
{ C_STRING_WITH_LEN("AUDIT") },
{ C_STRING_WITH_LEN("REPLICATION") },
{ C_STRING_WITH_LEN("AUTHENTICATION") },
{ C_STRING_WITH_LEN("PASSWORD VALIDATION") }
{ C_STRING_WITH_LEN("PASSWORD VALIDATION") },
{ C_STRING_WITH_LEN("ENCRYPTION KEY MANAGEMENT") }
};
extern int initialize_schema_table(st_plugin_int *plugin);
@ -94,6 +96,9 @@ extern int finalize_schema_table(st_plugin_int *plugin);
extern int initialize_audit_plugin(st_plugin_int *plugin);
extern int finalize_audit_plugin(st_plugin_int *plugin);
extern int initialize_encryption_key_management_plugin(st_plugin_int *plugin);
extern int finalize_encryption_key_management_plugin(st_plugin_int *plugin);
/*
The number of elements in both plugin_type_initialize and
plugin_type_deinitialize should equal to the number of plugins
@ -102,13 +107,13 @@ extern int finalize_audit_plugin(st_plugin_int *plugin);
plugin_type_init plugin_type_initialize[MYSQL_MAX_PLUGIN_TYPE_NUM]=
{
0, ha_initialize_handlerton, 0, 0,initialize_schema_table,
initialize_audit_plugin, 0, 0, 0
initialize_audit_plugin, 0, 0, 0, initialize_encryption_key_management_plugin
};
plugin_type_init plugin_type_deinitialize[MYSQL_MAX_PLUGIN_TYPE_NUM]=
{
0, ha_finalize_handlerton, 0, 0, finalize_schema_table,
finalize_audit_plugin, 0, 0, 0
finalize_audit_plugin, 0, 0, 0, finalize_encryption_key_management_plugin
};
/*
@ -119,7 +124,7 @@ plugin_type_init plugin_type_deinitialize[MYSQL_MAX_PLUGIN_TYPE_NUM]=
static int plugin_type_initialization_order[MYSQL_MAX_PLUGIN_TYPE_NUM]=
{
MYSQL_DAEMON_PLUGIN,
MYSQL_KEY_MANAGEMENT_PLUGIN,
MariaDB_ENCRYPTION_KEY_MANAGEMENT_PLUGIN,
MYSQL_STORAGE_ENGINE_PLUGIN,
MYSQL_INFORMATION_SCHEMA_PLUGIN,
MYSQL_FTPARSER_PLUGIN,
@ -160,7 +165,8 @@ static int min_plugin_info_interface_version[MYSQL_MAX_PLUGIN_TYPE_NUM]=
MYSQL_AUDIT_INTERFACE_VERSION,
MYSQL_REPLICATION_INTERFACE_VERSION,
MIN_AUTHENTICATION_INTERFACE_VERSION,
MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION
MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION,
MariaDB_ENCRYPTION_KEY_MANAGEMENT_INTERFACE_VERSION
};
static int cur_plugin_info_interface_version[MYSQL_MAX_PLUGIN_TYPE_NUM]=
{
@ -172,7 +178,8 @@ static int cur_plugin_info_interface_version[MYSQL_MAX_PLUGIN_TYPE_NUM]=
MYSQL_AUDIT_INTERFACE_VERSION,
MYSQL_REPLICATION_INTERFACE_VERSION,
MYSQL_AUTHENTICATION_INTERFACE_VERSION,
MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION
MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION,
MariaDB_ENCRYPTION_KEY_MANAGEMENT_INTERFACE_VERSION
};
static struct
@ -1954,8 +1961,6 @@ void plugin_shutdown(void)
if (!(plugins[i]->state & (PLUGIN_IS_UNINITIALIZED | PLUGIN_IS_FREED |
PLUGIN_IS_DISABLED)))
{
sql_print_warning("Plugin '%s' will be forced to shutdown",
plugins[i]->name.str);
/*
We are forcing deinit on plugins so we don't want to do a ref_count
check until we have processed all the plugins.

7
sql/sys_vars.cc
View File

@ -62,7 +62,7 @@
#include "sql_repl.h"
#include "opt_range.h"
#include "rpl_parallel.h"
#include "my_crypt_key_management.h"
#include <my_crypt_key_management.h>
/*
The rule for this file: everything should be 'static'. When a sys_var
@ -1134,15 +1134,12 @@ static Sys_var_mybool Sys_debug_use_static_keys(
READ_ONLY GLOBAL_VAR(debug_use_static_encryption_keys),
CMD_LINE(OPT_ARG), DEFAULT(FALSE));
static PolyLock_rwlock PLock_sys_debug_encryption_key_version(
&LOCK_dbug_encryption_key_version);
static Sys_var_uint Sys_debug_encryption_key_version(
"debug_encryption_key_version",
"Encryption key version. Only to be used in internal testing.",
GLOBAL_VAR(opt_debug_encryption_key_version),
CMD_LINE(REQUIRED_ARG), VALID_RANGE(0,UINT_MAX), DEFAULT(0),
BLOCK_SIZE(1), &PLock_sys_debug_encryption_key_version);
BLOCK_SIZE(1));
#endif
static Sys_var_mybool Sys_trust_function_creators(

20
storage/innobase/fil/fil0crypt.cc
View File

@ -210,7 +210,7 @@ fil_crypt_get_key(byte *dst, uint* key_length,
{
// load iv
int rc = GetCryptoIV(version, (unsigned char*)iv, iv_len);
int rc = get_encryption_iv(version, (unsigned char*)iv, iv_len);
if (rc != CRYPT_KEY_OK) {
ib_logf(IB_LOG_LEVEL_FATAL,
@ -219,10 +219,10 @@ fil_crypt_get_key(byte *dst, uint* key_length,
}
}
if (HasCryptoKey(version)) {
*key_length = GetCryptoKeySize(version);
if (has_encryption_key(version)) {
*key_length = get_encryption_key_size(version);
int rc = GetCryptoKey(version, (unsigned char*)keybuf, *key_length);
int rc = get_encryption_key(version, (unsigned char*)keybuf, *key_length);
if (rc != CRYPT_KEY_OK) {
ib_logf(IB_LOG_LEVEL_FATAL,
@ -295,7 +295,7 @@ fil_crypt_get_latest_key(byte *dst, uint* key_length,
{
if (srv_encrypt_tables) {
// used for key rotation - get the next key id from the key provider
int rc = GetLatestCryptoKeyVersion();
int rc = get_latest_encryption_key_version();
// if no new key was created use the last one
if (rc >= 0)
@ -325,7 +325,7 @@ fil_space_create_crypt_data()
crypt_data->min_key_version = 0;
} else {
crypt_data->type = CRYPT_SCHEME_1;
crypt_data->min_key_version = GetLatestCryptoKeyVersion();
crypt_data->min_key_version = get_latest_encryption_key_version();
}
mutex_create(fil_crypt_data_mutex_key,
@ -652,7 +652,7 @@ fil_space_encrypt(ulint space, ulint offset, lsn_t lsn,
{
// take the iv from the key provider
int load_iv_rc = GetCryptoIV(key_version, (uchar *) iv, sizeof(iv));
int load_iv_rc = get_encryption_iv(key_version, (uchar *) iv, sizeof(iv));
// if the iv can not be loaded the whole page can not be encrypted
if (load_iv_rc != CRYPT_KEY_OK)
@ -869,7 +869,7 @@ fil_space_decrypt(fil_space_crypt_t* crypt_data,
{
// take the iv from the key provider
int load_iv_rc = GetCryptoIV(key_version, (uchar *) iv, sizeof(iv));
int load_iv_rc = get_encryption_iv(key_version, (uchar *) iv, sizeof(iv));
// if the iv can not be loaded the whole page can not be decrypted
if (load_iv_rc != CRYPT_KEY_OK)
@ -1049,7 +1049,7 @@ fil_crypt_get_key_state(
key_state_t *new_state)
{
if (srv_encrypt_tables == TRUE) {
new_state->key_version = GetLatestCryptoKeyVersion();
new_state->key_version = get_latest_encryption_key_version();
new_state->rotate_key_age = srv_fil_crypt_rotate_key_age;
ut_a(new_state->key_version > 0);
} else {
@ -2375,7 +2375,7 @@ fil_space_crypt_get_status(
}
if (srv_encrypt_tables == TRUE) {
status->current_key_version = GetLatestCryptoKeyVersion();
status->current_key_version = get_latest_encryption_key_version();
} else {
status->current_key_version = 0;
}

2
storage/innobase/fil/fil0fil.cc
View File

@ -1153,7 +1153,7 @@ fil_space_create(
ut_a(fil_system);
if (fsp_flags_is_page_encrypted(flags)) {
if (!HasCryptoKey(fsp_flags_get_page_encryption_key(flags))) {
if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) {
/* by returning here it should be avoided that
* the server crashes, if someone tries to access an
* encrypted table and the encryption key is not available.

2
storage/innobase/handler/ha_innodb.cc
View File

@ -11370,7 +11370,7 @@ ha_innobase::check_table_options(
return "PAGE_ENCRYPTION_KEY";
}
if (!HasCryptoKey(options->page_encryption_key)) {
if (!has_encryption_key(options->page_encryption_key)) {
push_warning_printf(
thd, Sql_condition::WARN_LEVEL_WARN,
HA_WRONG_CREATE_OPTION,

6
storage/innobase/include/fsp0pageencryption.ic
View File

@ -147,9 +147,9 @@ fil_page_encryption_status(
if (page_type == FIL_PAGE_TYPE_FSP_HDR) {
ulint flags = mach_read_from_4(FSP_HEADER_OFFSET + FSP_SPACE_FLAGS + buf);
if (fsp_flags_is_page_encrypted(flags)) {
if (!HasCryptoKey(fsp_flags_get_page_encryption_key(flags))) {
if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) {
/* accessing table would surely fail, because no key or no key provider available */
if (!HasCryptoKey(fsp_flags_get_page_encryption_key(flags))) {
if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) {
return PAGE_ENCRYPTION_KEY_MISSING;
}
return PAGE_ENCRYPTION_ERROR;
@ -159,7 +159,7 @@ fil_page_encryption_status(
if(page_type == FIL_PAGE_PAGE_COMPRESSED_ENCRYPTED) {
ulint key = mach_read_from_4(buf + FIL_PAGE_FILE_FLUSH_LSN_OR_KEY_VERSION);
if (!HasCryptoKey(key)) {
if (!has_encryption_key(key)) {
return PAGE_ENCRYPTION_KEY_MISSING;
}
return PAGE_ENCRYPTION_ERROR;

2
storage/innobase/include/log0crypt.h
View File

@ -12,7 +12,7 @@ Created 11/25/2013 Minli Zhu
#include "ut0lst.h"
#include "ut0rnd.h"
#include "my_aes.h"
#include "my_crypt_key_management.h" // for key version and key
#include <my_crypt_key_management.h>
#define PURPOSE_BYTE_LEN MY_AES_BLOCK_SIZE - 1
#define PURPOSE_BYTE_OFFSET 0

6
storage/innobase/log/log0crypt.cc
View File

@ -37,7 +37,7 @@ Note:
We should not use flags and conditions such as:
(srv_encrypt_log &&
debug_use_static_keys &&
GetLatestCryptoKeyVersion() == UNENCRYPTED_KEY_VER)
get_latest_encryption_key_version() == UNENCRYPTED_KEY_VER)
because they haven't been read and set yet in the situation of resetting
redo logs.
*/
@ -93,7 +93,7 @@ log_init_crypt_key(
}
byte mysqld_key[MY_AES_BLOCK_SIZE] = {0};
if (GetCryptoKey(crypt_ver, mysqld_key, MY_AES_BLOCK_SIZE))
if (get_encryption_key(crypt_ver, mysqld_key, MY_AES_BLOCK_SIZE))
{
fprintf(stderr,
"\nInnodb redo log crypto: getting mysqld crypto key "
@ -234,7 +234,7 @@ log_crypt_set_ver_and_key(
byte* crypt_key) /*!< out: crypto key */
{
if (!srv_encrypt_log ||
(key_ver = GetLatestCryptoKeyVersion()) == UNENCRYPTED_KEY_VER)
(key_ver = get_latest_encryption_key_version()) == UNENCRYPTED_KEY_VER)
{
key_ver = UNENCRYPTED_KEY_VER;
memset(crypt_key, 0, MY_AES_BLOCK_SIZE);

20
storage/xtradb/fil/fil0crypt.cc
View File

@ -210,7 +210,7 @@ fil_crypt_get_key(byte *dst, uint* key_length,
{
// load iv
int rc = GetCryptoIV(version, (unsigned char*)iv, iv_len);
int rc = get_encryption_iv(version, (unsigned char*)iv, iv_len);
if (rc != CRYPT_KEY_OK) {
ib_logf(IB_LOG_LEVEL_FATAL,
@ -219,10 +219,10 @@ fil_crypt_get_key(byte *dst, uint* key_length,
}
}
if (HasCryptoKey(version)) {
*key_length = GetCryptoKeySize(version);
if (has_encryption_key(version)) {
*key_length = get_encryption_key_size(version);
int rc = GetCryptoKey(version, (unsigned char*)keybuf, *key_length);
int rc = get_encryption_key(version, (unsigned char*)keybuf, *key_length);
if (rc != CRYPT_KEY_OK) {
ib_logf(IB_LOG_LEVEL_FATAL,
@ -295,7 +295,7 @@ fil_crypt_get_latest_key(byte *dst, uint* key_length,
{
if (srv_encrypt_tables) {
// used for key rotation - get the next key id from the key provider
int rc = GetLatestCryptoKeyVersion();
int rc = get_latest_encryption_key_version();
// if no new key was created use the last one
if (rc >= 0)
@ -326,7 +326,7 @@ fil_space_create_crypt_data()
crypt_data->min_key_version = 0;
} else {
crypt_data->type = CRYPT_SCHEME_1;
crypt_data->min_key_version = GetLatestCryptoKeyVersion();
crypt_data->min_key_version = get_latest_encryption_key_version();
}
mutex_create(fil_crypt_data_mutex_key,
@ -653,7 +653,7 @@ fil_space_encrypt(ulint space, ulint offset, lsn_t lsn,
{
// take the iv from the key provider
int load_iv_rc = GetCryptoIV(key_version, (uchar *) iv, sizeof(iv));
int load_iv_rc = get_encryption_iv(key_version, (uchar *) iv, sizeof(iv));
// if the iv can not be loaded the whole page can not be encrypted
if (load_iv_rc != CRYPT_KEY_OK)
@ -869,7 +869,7 @@ fil_space_decrypt(fil_space_crypt_t* crypt_data,
{
// take the iv from the key provider
int load_iv_rc = GetCryptoIV(key_version, (uchar *) iv, sizeof(iv));
int load_iv_rc = get_encryption_iv(key_version, (uchar *) iv, sizeof(iv));
// if the iv can not be loaded the whole page can not be decrypted
if (load_iv_rc != CRYPT_KEY_OK)
@ -1049,7 +1049,7 @@ fil_crypt_get_key_state(
key_state_t *new_state)
{
if (srv_encrypt_tables == TRUE) {
new_state->key_version = GetLatestCryptoKeyVersion();
new_state->key_version = get_latest_encryption_key_version();
new_state->rotate_key_age = srv_fil_crypt_rotate_key_age;
ut_a(new_state->key_version > 0);
} else {
@ -2375,7 +2375,7 @@ fil_space_crypt_get_status(
}
if (srv_encrypt_tables == TRUE) {
status->current_key_version = GetLatestCryptoKeyVersion();
status->current_key_version = get_latest_encryption_key_version();
} else {
status->current_key_version = 0;
}

2
storage/xtradb/fil/fil0fil.cc
View File

@ -1188,7 +1188,7 @@ fil_space_create(
ut_a(fil_system);
if (fsp_flags_is_page_encrypted(flags)) {
if (!HasCryptoKey(fsp_flags_get_page_encryption_key(flags))) {
if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) {
/* by returning here it should be avoided that
* the server crashes, if someone tries to access an
* encrypted table and the encryption key is not available.

2
storage/xtradb/handler/ha_innodb.cc
View File

@ -11887,7 +11887,7 @@ ha_innobase::check_table_options(
return "PAGE_ENCRYPTION_KEY";
}
if (!HasCryptoKey(options->page_encryption_key)) {
if (!has_encryption_key(options->page_encryption_key)) {
push_warning_printf(
thd, Sql_condition::WARN_LEVEL_WARN,
HA_WRONG_CREATE_OPTION,

9
storage/xtradb/include/fsp0pageencryption.ic
View File

@ -27,9 +27,6 @@ Created 08/28/2014
#include "fil0pageencryption.h"
#include <my_crypt_key_management.h>
/********************************************************************//**
Determine if the tablespace is page encrypted from dict_table_t::flags.
@return TRUE if page encrypted, FALSE if not page encrypted */
@ -151,9 +148,9 @@ fil_page_encryption_status(
if (page_type == FIL_PAGE_TYPE_FSP_HDR) {
ulint flags = mach_read_from_4(FSP_HEADER_OFFSET + FSP_SPACE_FLAGS + buf);
if (fsp_flags_is_page_encrypted(flags)) {
if (!HasCryptoKey(fsp_flags_get_page_encryption_key(flags))) {
if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) {
/* accessing table would surely fail, because no key or no key provider available */
if (!HasCryptoKey(fsp_flags_get_page_encryption_key(flags))) {
if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) {
return PAGE_ENCRYPTION_KEY_MISSING;
}
return PAGE_ENCRYPTION_ERROR;
@ -163,7 +160,7 @@ fil_page_encryption_status(
if(page_type == FIL_PAGE_PAGE_COMPRESSED_ENCRYPTED) {
ulint key = mach_read_from_4(buf + FIL_PAGE_FILE_FLUSH_LSN_OR_KEY_VERSION);
if (!HasCryptoKey(key)) {
if (!has_encryption_key(key)) {
return PAGE_ENCRYPTION_KEY_MISSING;
}
return PAGE_ENCRYPTION_ERROR;

2
storage/xtradb/include/log0crypt.h
View File

@ -12,7 +12,7 @@ Created 11/25/2013 Minli Zhu
#include "ut0lst.h"
#include "ut0rnd.h"
#include "my_aes.h"
#include "my_crypt_key_management.h" // for key version and key
#include <my_crypt_key_management.h>
#define PURPOSE_BYTE_LEN MY_AES_BLOCK_SIZE - 1
#define PURPOSE_BYTE_OFFSET 0

6
storage/xtradb/log/log0crypt.cc
View File

@ -37,7 +37,7 @@ Note:
We should not use flags and conditions such as:
(srv_encrypt_log &&
debug_use_static_keys &&
GetLatestCryptoKeyVersion() == UNENCRYPTED_KEY_VER)
get_latest_encryption_key_version() == UNENCRYPTED_KEY_VER)
because they haven't been read and set yet in the situation of resetting
redo logs.
*/
@ -93,7 +93,7 @@ log_init_crypt_key(
}
byte mysqld_key[MY_AES_BLOCK_SIZE] = {0};
if (GetCryptoKey(crypt_ver, mysqld_key, MY_AES_BLOCK_SIZE))
if (get_encryption_key(crypt_ver, mysqld_key, MY_AES_BLOCK_SIZE))
{
fprintf(stderr,
"\nInnodb redo log crypto: getting mysqld crypto key "
@ -234,7 +234,7 @@ log_crypt_set_ver_and_key(
byte* crypt_key) /*!< out: crypto key */
{
if (!srv_encrypt_log ||
(key_ver = GetLatestCryptoKeyVersion()) == UNENCRYPTED_KEY_VER)
(key_ver = get_latest_encryption_key_version()) == UNENCRYPTED_KEY_VER)
{
key_ver = UNENCRYPTED_KEY_VER;
memset(crypt_key, 0, MY_AES_BLOCK_SIZE);