encryption key management plugin api

cmake/abi_check.cmake

@@ -44,6 +44,7 @@ IF(CMAKE_COMPILER_IS_GNUCC AND RUN_ABI_CHECK)
     ${CMAKE_SOURCE_DIR}/include/mysql/client_plugin.h
     ${CMAKE_SOURCE_DIR}/include/mysql/plugin_auth.h
     ${CMAKE_SOURCE_DIR}/include/mysql/plugin_password_validation.h
+    ${CMAKE_SOURCE_DIR}/include/mysql/plugin_encryption_key_management.h
   )
 
   ADD_CUSTOM_TARGET(abi_check ALL

include/my_crypt_key_management.h

@@ -1,6 +1,6 @@
 
-#ifndef MYSYS_MY_CRYPT_KEY_MANAGMENT_H_
+#ifndef INCLUDE_MY_CRYPT_KEY_MANAGMENT_INCLUDED
-#define MYSYS_MY_CRYPT_KEY_MANAGMENT_H_
+#define INCLUDE_MY_CRYPT_KEY_MANAGMENT_INCLUDED
 
 #include "my_global.h"
 #include "my_pthread.h"
@@ -18,63 +18,17 @@ extern uint opt_debug_encryption_key_version;
 #endif /* DBUG_OFF */
 
 C_MODE_START
-/**
- * function returning latest key version
- */
-typedef int (* GetLatestCryptoKeyVersionFunc_t)();
-
-/**
- * function returning if the key exists
- */
-typedef unsigned int (* HasKeyVersionFunc_t)(unsigned int version);
-
-/**
- * function returning the key size
- */
-typedef int (* GetKeySizeFunc_t)(unsigned int version);
-
-/**
- * function returning a key for a key version
- */
-typedef int (* GetCryptoKeyFunc_t)(unsigned int version,
-                                   unsigned char* key,
-                                   unsigned keybufsize);
-
-/**
- * function returning an iv for a key version
- */
-typedef int (* GetCryptoIVFunc_t)(unsigned int version,
-                                   unsigned char* iv,
-                                   unsigned ivbufsize);
-
-
-struct CryptoKeyFuncs_t
-{
-  GetLatestCryptoKeyVersionFunc_t getLatestCryptoKeyVersionFunc;
-  HasKeyVersionFunc_t hasCryptoKeyFunc;
-  GetKeySizeFunc_t getCryptoKeySize;
-  GetCryptoKeyFunc_t getCryptoKeyFunc;
-  GetCryptoIVFunc_t getCryptoIVFunc;
-};
-
-/**
- * Install functions to use for key management
- */
-void
-InstallCryptoKeyFunctions(const struct CryptoKeyFuncs_t* cryptoKeyFuncs);
 
 /**
  * Functions to interact with key management
  */
 
-int GetLatestCryptoKeyVersion();
+uint get_latest_encryption_key_version();
-unsigned int HasCryptoKey(unsigned int version);
+uint has_encryption_key(uint version);
-int GetCryptoKeySize(unsigned int version);
+uint get_encryption_key_size(uint version);
-int GetCryptoKey(unsigned int version, unsigned char* key_buffer,
+int get_encryption_key(uint version, uchar* key, uint size);
-                 unsigned int size);
+int get_encryption_iv(uint version, uchar* iv, uint size);
-int GetCryptoIV(unsigned int version, unsigned char* key_buffer,
-                unsigned int size);
 
 C_MODE_END
 
-#endif // MYSYS_MY_CRYPT_KEY_MANAGMENT_H_
+#endif // INCLUDE_MY_CRYPT_KEY_MANAGMENT_INCLUDED

include/mysql/plugin.h

@@ -88,11 +88,11 @@ typedef struct st_mysql_xid MYSQL_XID;
 #define MYSQL_AUDIT_PLUGIN           5
 #define MYSQL_REPLICATION_PLUGIN     6
 #define MYSQL_AUTHENTICATION_PLUGIN  7
-#define MYSQL_KEY_MANAGEMENT_PLUGIN  9
 #define MYSQL_MAX_PLUGIN_TYPE_NUM    10  /* The number of plugin types   */
 
 /* MariaDB plugin types */
 #define MariaDB_PASSWORD_VALIDATION_PLUGIN  8
+#define MariaDB_ENCRYPTION_KEY_MANAGEMENT_PLUGIN 9
 
 /* We use the following strings to define licenses for plugins */
 #define PLUGIN_LICENSE_PROPRIETARY 0

include/mysql/plugin_encryption_key_management.h

@@ -0,0 +1,73 @@
+#ifndef MYSQL_PLUGIN_ENCRYPTION_KEY_MANAGEMENT_INCLUDED
+/* Copyright (C) 2014 Sergei Golubchik and MariaDB
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 of the License.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA */
+
+/**
+  @file
+
+  Encryption key Management Plugin API.
+
+  This file defines the API for server plugins that manage encryption
+  keys for MariaDB on-disk data encryption.
+*/
+
+#define MYSQL_PLUGIN_ENCRYPTION_KEY_MANAGEMENT_INCLUDED
+
+#include <mysql/plugin.h>
+
+#define MariaDB_ENCRYPTION_KEY_MANAGEMENT_INTERFACE_VERSION 0x0100
+
+#define BAD_ENCRYPTION_KEY_VERSION (~0U)
+
+/**
+  Encryption key management plugin descriptor
+*/
+struct st_mariadb_encryption_key_management
+{
+  int interface_version;                        /**< version plugin uses */
+
+  /**
+    function returning latest key version.
+
+    @return a version or BAD_ENCRYPTION_KEY_VERSION to indicate an error.
+  */
+  unsigned int (*get_latest_key_version)();
+
+  /** function returning if a key of the given version exists */
+  unsigned int (*has_key_version)(unsigned int version);
+
+  /** function returning the key size in bytes */
+  unsigned int (*get_key_size)(unsigned int version);
+
+  /**
+    function returning a key for a key version
+
+    the key is put in 'key' buffer, that has size of 'keybufsize' bytes.
+
+    @return 0 on success, non-zero on failure
+  */
+  int (*get_key)(unsigned int version, unsigned char* key, unsigned int keybufsize);
+
+  /**
+    function returning an IV for a key version
+
+    the IV is put in 'iv' buffer, that has size of 'ivbufsize' bytes.
+
+    @return 0 on success, non-zero on failure
+  */
+  int (*get_iv)(unsigned int version, unsigned char* iv, unsigned int ivbufsize);
+};
+#endif
+

include/mysql/plugin_encryption_key_management.h.pp

@@ -0,0 +1,364 @@
+#include <mysql/plugin.h>
+typedef char my_bool;
+typedef void * MYSQL_PLUGIN;
+#include <mysql/services.h>
+#include <mysql/service_my_snprintf.h>
+extern struct my_snprintf_service_st {
+  size_t (*my_snprintf_type)(char*, size_t, const char*, ...);
+  size_t (*my_vsnprintf_type)(char *, size_t, const char*, va_list);
+} *my_snprintf_service;
+size_t my_snprintf(char* to, size_t n, const char* fmt, ...);
+size_t my_vsnprintf(char *to, size_t n, const char* fmt, va_list ap);
+#include <mysql/service_thd_alloc.h>
+struct st_mysql_lex_string
+{
+  char *str;
+  size_t length;
+};
+typedef struct st_mysql_lex_string MYSQL_LEX_STRING;
+extern struct thd_alloc_service_st {
+  void *(*thd_alloc_func)(void*, unsigned int);
+  void *(*thd_calloc_func)(void*, unsigned int);
+  char *(*thd_strdup_func)(void*, const char *);
+  char *(*thd_strmake_func)(void*, const char *, unsigned int);
+  void *(*thd_memdup_func)(void*, const void*, unsigned int);
+  MYSQL_LEX_STRING *(*thd_make_lex_string_func)(void*, MYSQL_LEX_STRING *,
+                                        const char *, unsigned int, int);
+} *thd_alloc_service;
+void *thd_alloc(void* thd, unsigned int size);
+void *thd_calloc(void* thd, unsigned int size);
+char *thd_strdup(void* thd, const char *str);
+char *thd_strmake(void* thd, const char *str, unsigned int size);
+void *thd_memdup(void* thd, const void* str, unsigned int size);
+MYSQL_LEX_STRING *thd_make_lex_string(void* thd, MYSQL_LEX_STRING *lex_str,
+                                      const char *str, unsigned int size,
+                                      int allocate_lex_string);
+#include <mysql/service_thd_wait.h>
+typedef enum _thd_wait_type_e {
+  THD_WAIT_SLEEP= 1,
+  THD_WAIT_DISKIO= 2,
+  THD_WAIT_ROW_LOCK= 3,
+  THD_WAIT_GLOBAL_LOCK= 4,
+  THD_WAIT_META_DATA_LOCK= 5,
+  THD_WAIT_TABLE_LOCK= 6,
+  THD_WAIT_USER_LOCK= 7,
+  THD_WAIT_BINLOG= 8,
+  THD_WAIT_GROUP_COMMIT= 9,
+  THD_WAIT_SYNC= 10,
+  THD_WAIT_NET= 11,
+  THD_WAIT_LAST= 12
+} thd_wait_type;
+extern struct thd_wait_service_st {
+  void (*thd_wait_begin_func)(void*, int);
+  void (*thd_wait_end_func)(void*);
+} *thd_wait_service;
+void thd_wait_begin(void* thd, int wait_type);
+void thd_wait_end(void* thd);
+#include <mysql/service_progress_report.h>
+extern struct progress_report_service_st {
+  void (*thd_progress_init_func)(void* thd, unsigned int max_stage);
+  void (*thd_progress_report_func)(void* thd,
+                                   unsigned long long progress,
+                                   unsigned long long max_progress);
+  void (*thd_progress_next_stage_func)(void* thd);
+  void (*thd_progress_end_func)(void* thd);
+  const char *(*set_thd_proc_info_func)(void*, const char *info,
+                                        const char *func,
+                                        const char *file,
+                                        unsigned int line);
+} *progress_report_service;
+void thd_progress_init(void* thd, unsigned int max_stage);
+void thd_progress_report(void* thd,
+                         unsigned long long progress,
+                         unsigned long long max_progress);
+void thd_progress_next_stage(void* thd);
+void thd_progress_end(void* thd);
+const char *set_thd_proc_info(void*, const char * info, const char *func,
+                              const char *file, unsigned int line);
+#include <mysql/service_debug_sync.h>
+extern void (*debug_sync_C_callback_ptr)(void*, const char *, size_t);
+#include <mysql/service_kill_statement.h>
+enum thd_kill_levels {
+  THD_IS_NOT_KILLED=0,
+  THD_ABORT_SOFTLY=50,
+  THD_ABORT_ASAP=100,
+};
+extern struct kill_statement_service_st {
+  enum thd_kill_levels (*thd_kill_level_func)(const void*);
+} *thd_kill_statement_service;
+enum thd_kill_levels thd_kill_level(const void*);
+#include <mysql/service_thd_timezone.h>
+#include "mysql_time.h"
+typedef long my_time_t;
+enum enum_mysql_timestamp_type
+{
+  MYSQL_TIMESTAMP_NONE= -2, MYSQL_TIMESTAMP_ERROR= -1,
+  MYSQL_TIMESTAMP_DATE= 0, MYSQL_TIMESTAMP_DATETIME= 1, MYSQL_TIMESTAMP_TIME= 2
+};
+typedef struct st_mysql_time
+{
+  unsigned int year, month, day, hour, minute, second;
+  unsigned long second_part;
+  my_bool neg;
+  enum enum_mysql_timestamp_type time_type;
+} MYSQL_TIME;
+extern struct thd_timezone_service_st {
+  my_time_t (*thd_TIME_to_gmt_sec)(void* thd, const MYSQL_TIME *ltime, unsigned int *errcode);
+  void (*thd_gmt_sec_to_TIME)(void* thd, MYSQL_TIME *ltime, my_time_t t);
+} *thd_timezone_service;
+my_time_t thd_TIME_to_gmt_sec(void* thd, const MYSQL_TIME *ltime, unsigned int *errcode);
+void thd_gmt_sec_to_TIME(void* thd, MYSQL_TIME *ltime, my_time_t t);
+#include <mysql/service_sha1.h>
+extern struct my_sha1_service_st {
+  void (*my_sha1_type)(unsigned char*, const char*, size_t);
+  void (*my_sha1_multi_type)(unsigned char*, ...);
+  size_t (*my_sha1_context_size_type)();
+  void (*my_sha1_init_type)(void *);
+  void (*my_sha1_input_type)(void *, const unsigned char *, size_t);
+  void (*my_sha1_result_type)(void *, unsigned char *);
+} *my_sha1_service;
+void my_sha1(unsigned char*, const char*, size_t);
+void my_sha1_multi(unsigned char*, ...);
+size_t my_sha1_context_size();
+void my_sha1_init(void *context);
+void my_sha1_input(void *context, const unsigned char *buf, size_t len);
+void my_sha1_result(void *context, unsigned char *digest);
+#include <mysql/service_md5.h>
+extern struct my_md5_service_st {
+  void (*my_md5_type)(unsigned char*, const char*, size_t);
+  void (*my_md5_multi_type)(unsigned char*, ...);
+  size_t (*my_md5_context_size_type)();
+  void (*my_md5_init_type)(void *);
+  void (*my_md5_input_type)(void *, const unsigned char *, size_t);
+  void (*my_md5_result_type)(void *, unsigned char *);
+} *my_md5_service;
+void my_md5(unsigned char*, const char*, size_t);
+void my_md5_multi(unsigned char*, ...);
+size_t my_md5_context_size();
+void my_md5_init(void *context);
+void my_md5_input(void *context, const unsigned char *buf, size_t len);
+void my_md5_result(void *context, unsigned char *digest);
+#include <mysql/service_logger.h>
+typedef struct logger_handle_st LOGGER_HANDLE;
+extern struct logger_service_st {
+  void (*logger_init_mutexes)();
+  LOGGER_HANDLE* (*open)(const char *path,
+                         unsigned long long size_limit,
+                         unsigned int rotations);
+  int (*close)(LOGGER_HANDLE *log);
+  int (*vprintf)(LOGGER_HANDLE *log, const char *fmt, va_list argptr);
+  int (*printf)(LOGGER_HANDLE *log, const char *fmt, ...);
+  int (*write)(LOGGER_HANDLE *log, const char *buffer, size_t size);
+  int (*rotate)(LOGGER_HANDLE *log);
+} *logger_service;
+  void logger_init_mutexes();
+  LOGGER_HANDLE *logger_open(const char *path,
+                             unsigned long long size_limit,
+                             unsigned int rotations);
+  int logger_close(LOGGER_HANDLE *log);
+  int logger_vprintf(LOGGER_HANDLE *log, const char *fmt, va_list argptr);
+  int logger_printf(LOGGER_HANDLE *log, const char *fmt, ...);
+  int logger_write(LOGGER_HANDLE *log, const char *buffer, size_t size);
+  int logger_rotate(LOGGER_HANDLE *log);
+#include <mysql/service_thd_autoinc.h>
+extern struct thd_autoinc_service_st {
+  void (*thd_get_autoinc_func)(const void* thd,
+                               unsigned long* off, unsigned long* inc);
+} *thd_autoinc_service;
+void thd_get_autoinc(const void* thd,
+                     unsigned long* off, unsigned long* inc);
+#include <mysql/service_thd_error_context.h>
+extern struct thd_error_context_service_st {
+  const char *(*thd_get_error_message_func)(const void* thd);
+  unsigned int (*thd_get_error_number_func)(const void* thd);
+  unsigned long (*thd_get_error_row_func)(const void* thd);
+  void (*thd_inc_error_row_func)(void* thd);
+  char *(*thd_get_error_context_description_func)(void* thd,
+                                                  char *buffer,
+                                                  unsigned int length,
+                                                  unsigned int max_query_length);
+} *thd_error_context_service;
+const char *thd_get_error_message(const void* thd);
+unsigned int thd_get_error_number(const void* thd);
+unsigned long thd_get_error_row(const void* thd);
+void thd_inc_error_row(void* thd);
+char *thd_get_error_context_description(void* thd,
+                                        char *buffer, unsigned int length,
+                                        unsigned int max_query_length);
+#include <mysql/service_thd_specifics.h>
+typedef int MYSQL_THD_KEY_T;
+extern struct thd_specifics_service_st {
+  int (*thd_key_create_func)(MYSQL_THD_KEY_T *key);
+  void (*thd_key_delete_func)(MYSQL_THD_KEY_T *key);
+  void *(*thd_getspecific_func)(void* thd, MYSQL_THD_KEY_T key);
+  int (*thd_setspecific_func)(void* thd, MYSQL_THD_KEY_T key, void *value);
+} *thd_specifics_service;
+int thd_key_create(MYSQL_THD_KEY_T *key);
+void thd_key_delete(MYSQL_THD_KEY_T *key);
+void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
+int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
+struct st_mysql_xid {
+  long formatID;
+  long gtrid_length;
+  long bqual_length;
+  char data[128];
+};
+typedef struct st_mysql_xid MYSQL_XID;
+enum enum_mysql_show_type
+{
+  SHOW_UNDEF, SHOW_BOOL, SHOW_UINT, SHOW_ULONG,
+  SHOW_ULONGLONG, SHOW_CHAR, SHOW_CHAR_PTR,
+  SHOW_ARRAY, SHOW_FUNC, SHOW_DOUBLE,
+  SHOW_SINT, SHOW_SLONG, SHOW_SLONGLONG, SHOW_SIMPLE_FUNC,
+  SHOW_always_last
+};
+enum enum_var_type
+{
+  SHOW_OPT_DEFAULT= 0, SHOW_OPT_SESSION, SHOW_OPT_GLOBAL
+};
+struct st_mysql_show_var {
+  const char *name;
+  char *value;
+  enum enum_mysql_show_type type;
+};
+typedef int (*mysql_show_var_func)(void*, struct st_mysql_show_var*, char *, enum enum_var_type);
+struct st_mysql_sys_var;
+struct st_mysql_value;
+typedef int (*mysql_var_check_func)(void* thd,
+                                    struct st_mysql_sys_var *var,
+                                    void *save, struct st_mysql_value *value);
+typedef void (*mysql_var_update_func)(void* thd,
+                                      struct st_mysql_sys_var *var,
+                                      void *var_ptr, const void *save);
+struct st_mysql_plugin
+{
+  int type;
+  void *info;
+  const char *name;
+  const char *author;
+  const char *descr;
+  int license;
+  int (*init)(void *);
+  int (*deinit)(void *);
+  unsigned int version;
+  struct st_mysql_show_var *status_vars;
+  struct st_mysql_sys_var **system_vars;
+  void * __reserved1;
+  unsigned long flags;
+};
+struct st_maria_plugin
+{
+  int type;
+  void *info;
+  const char *name;
+  const char *author;
+  const char *descr;
+  int license;
+  int (*init)(void *);
+  int (*deinit)(void *);
+  unsigned int version;
+  struct st_mysql_show_var *status_vars;
+  struct st_mysql_sys_var **system_vars;
+  const char *version_info;
+  unsigned int maturity;
+};
+#include "plugin_ftparser.h"
+#include "plugin.h"
+enum enum_ftparser_mode
+{
+  MYSQL_FTPARSER_SIMPLE_MODE= 0,
+  MYSQL_FTPARSER_WITH_STOPWORDS= 1,
+  MYSQL_FTPARSER_FULL_BOOLEAN_INFO= 2
+};
+enum enum_ft_token_type
+{
+  FT_TOKEN_EOF= 0,
+  FT_TOKEN_WORD= 1,
+  FT_TOKEN_LEFT_PAREN= 2,
+  FT_TOKEN_RIGHT_PAREN= 3,
+  FT_TOKEN_STOPWORD= 4
+};
+typedef struct st_mysql_ftparser_boolean_info
+{
+  enum enum_ft_token_type type;
+  int yesno;
+  int weight_adjust;
+  char wasign;
+  char trunc;
+  char prev;
+  char *quot;
+} MYSQL_FTPARSER_BOOLEAN_INFO;
+typedef struct st_mysql_ftparser_param
+{
+  int (*mysql_parse)(struct st_mysql_ftparser_param *,
+                     const char *doc, int doc_len);
+  int (*mysql_add_word)(struct st_mysql_ftparser_param *,
+                        const char *word, int word_len,
+                        MYSQL_FTPARSER_BOOLEAN_INFO *boolean_info);
+  void *ftparser_state;
+  void *mysql_ftparam;
+  const struct charset_info_st *cs;
+  const char *doc;
+  int length;
+  unsigned int flags;
+  enum enum_ftparser_mode mode;
+} MYSQL_FTPARSER_PARAM;
+struct st_mysql_ftparser
+{
+  int interface_version;
+  int (*parse)(MYSQL_FTPARSER_PARAM *param);
+  int (*init)(MYSQL_FTPARSER_PARAM *param);
+  int (*deinit)(MYSQL_FTPARSER_PARAM *param);
+};
+struct st_mysql_daemon
+{
+  int interface_version;
+};
+struct st_mysql_information_schema
+{
+  int interface_version;
+};
+struct st_mysql_storage_engine
+{
+  int interface_version;
+};
+struct handlerton;
+ struct Mysql_replication {
+   int interface_version;
+ };
+struct st_mysql_value
+{
+  int (*value_type)(struct st_mysql_value *);
+  const char *(*val_str)(struct st_mysql_value *, char *buffer, int *length);
+  int (*val_real)(struct st_mysql_value *, double *realbuf);
+  int (*val_int)(struct st_mysql_value *, long long *intbuf);
+  int (*is_unsigned)(struct st_mysql_value *);
+};
+int thd_in_lock_tables(const void* thd);
+int thd_tablespace_op(const void* thd);
+long long thd_test_options(const void* thd, long long test_options);
+int thd_sql_command(const void* thd);
+void **thd_ha_data(const void* thd, const struct handlerton *hton);
+void thd_storage_lock_wait(void* thd, long long value);
+int thd_tx_isolation(const void* thd);
+int thd_tx_is_read_only(const void* thd);
+int thd_rpl_is_parallel(const void* thd);
+int mysql_tmpfile(const char *prefix);
+unsigned long thd_get_thread_id(const void* thd);
+void thd_get_xid(const void* thd, MYSQL_XID *xid);
+void mysql_query_cache_invalidate4(void* thd,
+                                   const char *key, unsigned int key_length,
+                                   int using_trx);
+void *thd_get_ha_data(const void* thd, const struct handlerton *hton);
+void thd_set_ha_data(void* thd, const struct handlerton *hton,
+                     const void *ha_data);
+void thd_wakeup_subsequent_commits(void* thd, int wakeup_error);
+struct st_mariadb_encryption_key_management
+{
+  int interface_version;
+  unsigned int (*get_latest_key_version)();
+  unsigned int (*has_key_version)(unsigned int version);
+  unsigned int (*get_key_size)(unsigned int version);
+  int (*get_key)(unsigned int version, unsigned char* key, unsigned int keybufsize);
+  int (*get_iv)(unsigned int version, unsigned char* iv, unsigned int ivbufsize);
+};

libmysqld/CMakeLists.txt

@@ -105,7 +105,7 @@ SET(SQL_EMBEDDED_SOURCES emb_qcache.cc libmysqld.c lib_sql.cc
            ../sql/compat56.cc
            ../sql/table_cache.cc
            ../sql/item_inetfunc.cc
-           ../sql/wsrep_dummy.cc
+           ../sql/wsrep_dummy.cc ../sql/encryption_keys.cc
            ${GEN_SOURCES}
            ${MYSYS_LIBWRAP_SOURCE}
 )

mysql-test/include/have_example_key_management_plugin.inc

@@ -0,0 +1,5 @@
+if (`select count(*) = 0 from information_schema.plugins
+     where plugin_name = 'example_key_management_plugin' and plugin_status='active'`)
+{
+  --skip Needs example_key_management_plugin
+}

mysql-test/include/have_example_key_management_plugin.opt

@@ -0,0 +1,2 @@
+--plugin-load-add=$EXAMPLE_KEY_MANAGEMENT_PLUGIN_SO
+--loose-example-key-management-plugin

mysql-test/include/have_file_key_management_plugin.inc

@@ -0,0 +1,5 @@
+if (`select count(*) = 0 from information_schema.plugins
+     where plugin_name = 'file_key_management_plugin' and plugin_status='active'`)
+{
+  --skip Needs file_key_management_plugin
+}

mysql-test/include/have_file_key_management_plugin.opt

@@ -0,0 +1,4 @@
+--plugin-load-add=$FILE_KEY_MANAGEMENT_PLUGIN_SO
+--loose-file-key-management-plugin
+--loose-file-key-management-plugin-filename=$MYSQL_TEST_DIR/std_data/keys.txt
+--encryption-algorithm=aes_cbc

mysql-test/suite/innodb/t/innodb-page_encryption-32k-master.opt

@@ -1,4 +0,0 @@
---default-storage-engine=InnoDB
---encryption-algorithm=aes_cbs
---file-key-management-plugin-filename=$MYSQL_TEST_DIR/suite/innodb/include/keys.txt
---innodb-buffer-pool-size=24M

mysql-test/suite/innodb/t/innodb-page_encryption-32k.opt

@@ -0,0 +1,2 @@
+--default_storage_engine=InnoDB
+--innodb-buffer-pool-size=24M

mysql-test/suite/innodb/t/innodb-page_encryption.opt

@@ -1,3 +0,0 @@
---enable-file-key-management-plugin
---encryption-algorithm=aes_cbs
---file-key-management-plugin-filename=$MYSQL_TEST_DIR/suite/innodb/include/keys.txt

mysql-test/suite/innodb/t/innodb-page_encryption.test

@@ -1,4 +1,5 @@
 -- source include/have_innodb.inc
+-- source include/have_file_key_management_plugin.inc
 
 --disable_query_log
 let $innodb_file_format_orig = `SELECT @@innodb_file_format`;

mysql-test/suite/innodb/t/innodb-page_encryption_compression.opt

@@ -1,3 +0,0 @@
---enable-file-key-management-plugin
---encryption-algorithm=aes_cbs
---file-key-management-plugin-filename=$MYSQL_TEST_DIR/suite/innodb/include/keys.txt

mysql-test/suite/innodb/t/innodb-page_encryption_compression.test

@@ -1,4 +1,5 @@
 -- source include/have_innodb.inc
+-- source include/have_file_key_management_plugin.inc
 
 --disable_query_log
 let $innodb_compression_algorithm_orig=`SELECT @@innodb_compression_algorithm`;

mysql-test/suite/innodb/t/innodb_encryption.opt

@@ -1,8 +1,7 @@
---enable-example-key-management-plugin
---encrypt-tmp-disk-tables=ON
 --aria-encrypt-tables=ON
---innodb-encryption-threads=4
+--encrypt-tmp-disk-tables=ON
---innodb-encryption-rotate-key-age=15
 --innodb-encrypt-tables=ON
+--innodb-encryption-rotate-key-age=15
+--innodb-encryption-threads=4
 --innodb-tablespaces-encryption
 --encryption-algorithm=aes_ctr

mysql-test/suite/innodb/t/innodb_encryption.test

@@ -2,6 +2,7 @@
 #
 #
 -- source include/have_innodb.inc
+-- source include/have_example_key_management_plugin.inc
 
 # embedded does not support restart
 -- source include/not_embedded.inc

mysql-test/suite/innodb/t/innodb_scrub.opt

@@ -1,14 +1,13 @@
---enable-example-key-management-plugin
+--aria-encrypt-tables=ON
+--encrypt-tmp-disk-tables=ON
 --innodb-background-scrub-data-compressed=OFF
 --innodb-background-scrub-data-uncompressed=OFF
 --innodb-encrypt-tables=0
+--innodb-encrypt-tables=ON
+--innodb-encryption-rotate-key-age=15
 --innodb-encryption-threads=0
+--innodb-encryption-threads=4
 --innodb-file-format=Barracuda
 --innodb-file-per-table=1
 --innodb-immediate-scrub-data-uncompressed=ON
---loose-aria-encrypt-tables=ON
---loose-encrypt-tmp-disk-tables=ON
---loose-innodb-encrypt-tables=ON
---loose-innodb-encryption-rotate-key-age=15
---loose-innodb-encryption-threads=4
 --loose-innodb-scrub-force-testing=ON

mysql-test/suite/innodb/t/innodb_scrub.test

@@ -1,5 +1,6 @@
 -- source include/have_innodb.inc
 -- source include/not_embedded.inc
+-- source include/have_example_key_management_plugin.inc
 
 let $MYSQLD_DATADIR=`select @@datadir`;
 let ib1_IBD = $MYSQLD_DATADIR/ibdata1;

mysql-test/suite/innodb/t/innodb_scrub_background.opt

@@ -1,15 +1,14 @@
---enable-example-key-management-plugin
+--innodb-file-per-table=1
---innodb-background-scrub-data-compressed=ON
+--innodb-file-format=Barracuda
---innodb-background-scrub-data-uncompressed=ON
 --innodb-encrypt-tables=0
 --innodb-encryption-threads=0
---innodb-file-format=Barracuda
---innodb-file-per-table=1
 --innodb-immediate-scrub-data-uncompressed=OFF
---innodb-tablespaces-scrubbing
+--innodb-background-scrub-data-uncompressed=ON
---loose-aria-encrypt-tables=ON
+--innodb-background-scrub-data-compressed=ON
---loose-encrypt-tmp-disk-tables=ON
---loose-innodb-encrypt-tables=ON
---loose-innodb-encryption-rotate-key-age=15
---loose-innodb-encryption-threads=4
 --loose-innodb-scrub-force-testing=ON
+--encrypt-tmp-disk-tables=ON
+--aria-encrypt-tables=ON
+--innodb-encryption-threads=4
+--innodb-encryption-rotate-key-age=15
+--innodb-encrypt-tables=ON
+--innodb-tablespaces-scrubbing

mysql-test/suite/innodb/t/innodb_scrub_background.test

@@ -1,5 +1,6 @@
 -- source include/have_innodb.inc
 -- source include/not_embedded.inc
+-- source include/have_example_key_management_plugin.inc
 
 let $MYSQLD_DATADIR=`select @@datadir`;
 let ib1_IBD = $MYSQLD_DATADIR/ibdata1;

mysql-test/suite/innodb/t/innodb_scrub_compressed.opt

@@ -1,15 +1,15 @@
---enable-example-key-management-plugin
---innodb-background-scrub-data-compressed=ON
---innodb-background-scrub-data-uncompressed=ON
---innodb-encrypt-tables=off
---innodb-encryption-threads=0
---innodb-file-format=Barracuda
 --innodb-file-per-table=1
+--innodb-file-format=Barracuda
+--innodb-encrypt-tables=off
 --innodb-immediate-scrub-data-uncompressed=ON
---innodb-tablespaces-scrubbing
+--innodb-background-scrub-data-uncompressed=ON
---loose-aria-encrypt-tables=ON
+--innodb-background-scrub-data-compressed=ON
---loose-encrypt-tmp-disk-tables=ON
---loose-innodb-encrypt-tables=ON
---loose-innodb-encryption-rotate-key-age=15
---loose-innodb-encryption-threads=4
 --loose-innodb-scrub-force-testing=ON
+--innodb-encryption-threads=0
+--encrypt-tmp-disk-tables=ON
+--aria-encrypt-tables=ON
+--innodb-encryption-threads=4
+--innodb-encryption-rotate-key-age=15
+--innodb-encrypt-tables=ON
+--innodb-tablespaces-scrubbing
+

mysql-test/suite/innodb/t/innodb_scrub_compressed.test

@@ -1,5 +1,6 @@
 -- source include/have_innodb.inc
 -- source include/not_embedded.inc
+-- source include/have_example_key_management_plugin.inc
 
 let $MYSQLD_DATADIR=`select @@datadir`;
 let ib1_IBD = $MYSQLD_DATADIR/ibdata1;

mysql-test/suite/plugins/r/show_all_plugins.result

@@ -21,11 +21,12 @@ Name	Status	Type	Library	License
 EXAMPLE	NOT INSTALLED	STORAGE ENGINE	ha_example.so	GPL
 UNUSABLE	NOT INSTALLED	DAEMON	ha_example.so	GPL
 daemon_example	NOT INSTALLED	DAEMON	libdaemon_example.so	GPL
+example_key_management_plugin	NOT INSTALLED	ENCRYPTION KEY MANAGEMENT	example_key_management_plugin.so	GPL
 three_attempts	NOT INSTALLED	AUTHENTICATION	dialog_examples.so	GPL
 two_questions	NOT INSTALLED	AUTHENTICATION	dialog_examples.so	GPL
 show status like '%libraries%';
 Variable_name	Value
-Opened_plugin_libraries	6
+Opened_plugin_libraries	7
 show plugins soname where library = 'ha_example.so';
 Name	Status	Type	Library	License
 EXAMPLE	NOT INSTALLED	STORAGE ENGINE	ha_example.so	GPL

mysys/my_thr_init.c

@@ -66,10 +66,6 @@ static void my_thread_init_common_mutex(void)
 #if !defined(HAVE_LOCALTIME_R) || !defined(HAVE_GMTIME_R)
   mysql_mutex_init(key_LOCK_localtime_r, &LOCK_localtime_r, MY_MUTEX_INIT_SLOW);
 #endif
-#ifndef DBUG_OFF
-  mysql_rwlock_init(key_LOCK_dbug_encryption_key_version,
-                    &LOCK_dbug_encryption_key_version);
-#endif
 }
 
 void my_thread_destroy_common_mutex(void)
@@ -84,9 +80,6 @@ void my_thread_destroy_common_mutex(void)
 #if !defined(HAVE_LOCALTIME_R) || !defined(HAVE_GMTIME_R)
   mysql_mutex_destroy(&LOCK_localtime_r);
 #endif
-#ifndef DBUG_OFF
-  mysql_rwlock_destroy(&LOCK_dbug_encryption_key_version);
-#endif
 }
 
 

mysys_ssl/CMakeLists.txt

@@ -40,8 +40,6 @@ SET(MYSYS_SSL_SOURCES
     my_md5.cc
     my_rnd.cc
     my_crypt.cc
-    my_crypt_key_management.cc
-    my_crypt_key_management_impl.cc
    )
 
 ADD_CONVENIENCE_LIBRARY(mysys_ssl ${MYSYS_SSL_SOURCES})

mysys_ssl/my_crypt_key_management.cc

@@ -1,110 +0,0 @@
-#include <my_global.h>
-#include <my_crypt_key_management.h>
-#include <cstring>
-
-#ifndef DBUG_OFF
-#include <myisampack.h>
-my_bool debug_use_static_encryption_keys = 0;
-
-#ifdef HAVE_PSI_INTERFACE
-PSI_rwlock_key key_LOCK_dbug_encryption_key_version;
-#endif
-mysql_rwlock_t LOCK_dbug_encryption_key_version;
-unsigned int opt_debug_encryption_key_version = 0;
-#endif
-
-/**
- * Default functions
- */
-int GetLatestCryptoKeyVersionImpl();
-unsigned int HasCryptoKeyImpl(unsigned int version);
-int GetCryptoKeySizeImpl(unsigned int version);
-int GetCryptoKeyImpl(unsigned int version, unsigned char* key_buffer,
-                     unsigned int size);
-int GetCryptoIVImpl(unsigned int version, unsigned char* key_buffer,
-                    unsigned int size);
-
-/**
- * Function pointers for
- * - GetLatestCryptoKeyVersion
- * - GetCryptoKey
- */
-static
-struct CryptoKeyFuncs_t cryptoKeyFuncs = {
-  GetLatestCryptoKeyVersionImpl,
-  HasCryptoKeyImpl,
-  GetCryptoKeySizeImpl,
-  GetCryptoKeyImpl,
-  GetCryptoIVImpl
-};
-
-extern "C"
-int GetLatestCryptoKeyVersion() {
-#ifndef DBUG_OFF
-  if (debug_use_static_encryption_keys) {
-    mysql_rwlock_rdlock(&LOCK_dbug_encryption_key_version);
-    unsigned int res = opt_debug_encryption_key_version;
-    mysql_rwlock_unlock(&LOCK_dbug_encryption_key_version);
-    return res;
-  }
-#endif
-
-  return (* cryptoKeyFuncs.getLatestCryptoKeyVersionFunc)();
-}
-
-extern "C"
-unsigned int HasCryptoKey(unsigned int version) {
-  return (* cryptoKeyFuncs.hasCryptoKeyFunc)(version);
-}
-
-extern "C"
-int GetCryptoKeySize(unsigned int version) {
-  return (* cryptoKeyFuncs.getCryptoKeySize)(version);
-}
-
-extern "C"
-int GetCryptoKey(unsigned int version, unsigned char* key, unsigned int size) {
-#ifndef DBUG_OFF
-  if (debug_use_static_encryption_keys) {
-    memset(key, 0, size);
-    // Just don't support tiny keys, no point anyway.
-    if (size < 4) {
-      return 1;
-    }
-
-    mi_int4store(key, version);
-    return 0;
-  }
-#endif
-
-  return (* cryptoKeyFuncs.getCryptoKeyFunc)(version, key, size);
-}
-
-extern "C"
-int GetCryptoIV(unsigned int version, unsigned char* key, unsigned int size) {
-  return (* cryptoKeyFuncs.getCryptoIVFunc)(version, key, size);
-}
-
-extern "C"
-void
-InstallCryptoKeyFunctions(const struct CryptoKeyFuncs_t* _cryptoKeyFuncs)
-{
-  if (_cryptoKeyFuncs == NULL)
-  {
-    /* restore defaults wHashhen called with NULL argument */
-    cryptoKeyFuncs.getLatestCryptoKeyVersionFunc =
-        GetLatestCryptoKeyVersionImpl;
-    cryptoKeyFuncs.hasCryptoKeyFunc =
-	HasCryptoKeyImpl;
-    cryptoKeyFuncs.getCryptoKeySize =
-	GetCryptoKeySizeImpl;
-    cryptoKeyFuncs.getCryptoKeyFunc =
-        GetCryptoKeyImpl;
-    cryptoKeyFuncs.getCryptoIVFunc =
-        GetCryptoIVImpl;
-  }
-  else
-  {
-    cryptoKeyFuncs = *_cryptoKeyFuncs;
-  }
-}

mysys_ssl/my_crypt_key_management_impl.cc

@@ -1,34 +0,0 @@
-#include <my_global.h>
-
-// TODO Not yet implemented.
-int GetLatestCryptoKeyVersionImpl()
-{
-  abort();
-  return 0; /* Keep compiler happy */
-}
-
-unsigned int HasCryptoKeyImpl(unsigned int version)
-{
-  abort();
-  return 0; /* Keep compiler happy */
-}
-
-int GetCryptoKeySizeImpl(unsigned int version)
-{
-  abort();
-  return 0; /* Keep compiler happy */
-}
-
-int GetCryptoKeyImpl(unsigned int version, unsigned char* key,
-                     unsigned int key_size)
-{
-  abort();
-  return 0; /* Keep compiler happy */
-}
-
-int GetCryptoIVImpl(unsigned int version, unsigned char* key,
-                     unsigned int key_size)
-{
-  abort();
-  return 0; /* Keep compiler happy */
-}

plugin/example_key_management_plugin/CMakeLists.txt

@@ -1 +1,2 @@
-MYSQL_ADD_PLUGIN(EXAMPLE_KEY_MANAGEMENT_PLUGIN example_key_management_plugin.cc MANDATORY)
+MYSQL_ADD_PLUGIN(EXAMPLE_KEY_MANAGEMENT_PLUGIN example_key_management_plugin.cc
+                 MODULE_ONLY)

plugin/example_key_management_plugin/example_key_management_plugin.cc

@@ -1,10 +1,9 @@
 // Copyright (C) 2014 Google Inc.
 
-#include <mysql_version.h>
 #include <my_global.h>
 #include <my_pthread.h>
 #include <my_aes.h>
-#include <my_crypt_key_management.h>
+#include <mysql/plugin_encryption_key_management.h>
 #include <my_md5.h>
 #include <my_rnd.h>
 
@@ -17,8 +16,7 @@ static unsigned int key_version = 0;
 static unsigned int next_key_version = 0;
 static pthread_mutex_t mutex;
 
-static
+static unsigned int
-int
 get_latest_key_version()
 {
   uint now = time(0);
@@ -34,8 +32,7 @@ get_latest_key_version()
   return key_version;
 }
 
-static
+static int
-int
 get_key(unsigned int version, unsigned char* dstbuf, unsigned buflen)
 {
   char *dst = (char*)dstbuf; // md5 function takes char* as argument...
@@ -58,7 +55,7 @@ static unsigned int has_key_func(unsigned int keyID)
   return true;
 }
 
-static int get_key_size(unsigned int keyID)
+static unsigned int get_key_size(unsigned int keyID)
 {
 	return 16;
 }
@@ -87,13 +84,6 @@ static int example_key_management_plugin_init(void *p)
 
   pthread_mutex_init(&mutex, NULL);
 
-  struct CryptoKeyFuncs_t func;
-  func.getLatestCryptoKeyVersionFunc = get_latest_key_version;
-  func.hasCryptoKeyFunc = has_key_func;
-  func.getCryptoKeySize = get_key_size;
-  func.getCryptoKeyFunc = get_key;
-  func.getCryptoIVFunc = get_iv;
-  InstallCryptoKeyFunctions(&func);
   return 0;
 }
 
@@ -103,8 +93,13 @@ static int example_key_management_plugin_deinit(void *p)
   return 0;
 }
 
-struct st_mysql_daemon example_key_management_plugin= {
+struct st_mariadb_encryption_key_management example_key_management_plugin= {
-  MYSQL_DAEMON_INTERFACE_VERSION
+  MariaDB_ENCRYPTION_KEY_MANAGEMENT_INTERFACE_VERSION,
+  get_latest_key_version,
+  has_key_func,
+  get_key_size,
+  get_key,
+  get_iv
 };
 
 /*
@@ -112,7 +107,7 @@ struct st_mysql_daemon example_key_management_plugin= {
 */
 maria_declare_plugin(example_key_management_plugin)
 {
-  MYSQL_DAEMON_PLUGIN,
+  MariaDB_ENCRYPTION_KEY_MANAGEMENT_PLUGIN,
   &example_key_management_plugin,
   "example_key_management_plugin",
   "Jonas Oreland",
@@ -124,6 +119,6 @@ maria_declare_plugin(example_key_management_plugin)
   NULL,	/* status variables */
   NULL,	/* system variables */
   "1.0",
-  MariaDB_PLUGIN_MATURITY_UNKNOWN
+  MariaDB_PLUGIN_MATURITY_EXPERIMENTAL
 }
 maria_declare_plugin_end;

plugin/file_key_management_plugin/CMakeLists.txt

@@ -1,4 +1,4 @@
 SET(FILE_KEY_MANAGEMENT_PLUGIN_SOURCES file_key_management_plugin.cc EncKeys.cc KeySingleton.cc)
 
-MYSQL_ADD_PLUGIN(FILE_KEY_MANAGEMENT_PLUGIN ${FILE_KEY_MANAGEMENT_PLUGIN_SOURCES} DEFAULT
+MYSQL_ADD_PLUGIN(FILE_KEY_MANAGEMENT_PLUGIN ${FILE_KEY_MANAGEMENT_PLUGIN_SOURCES}
                  LINK_LIBRARIES pcre)

plugin/file_key_management_plugin/file_key_management_plugin.cc

@@ -16,6 +16,7 @@
 
 #include <my_global.h>
 #include <mysql_version.h>
+#include <mysql/plugin_encryption_key_management.h>
 #include <my_aes.h>
 #include <my_crypt_key_management.h>
 #include "sql_class.h"
@@ -50,7 +51,7 @@ static struct st_mysql_sys_var* settings[] = {
    rotation feature of encrypting log files.
 */
 
-static int get_highest_key_used_in_key_file()
+static unsigned int get_highest_key_used_in_key_file()
 {
   if (KeySingleton::getInstance().hasKey(0))
   {
@@ -67,7 +68,7 @@ static unsigned int has_key_from_key_file(unsigned int keyID)
   return entry != NULL;
 }
 
-static int get_key_size_from_key_file(unsigned int keyID)
+static unsigned int get_key_size_from_key_file(unsigned int keyID)
 {
   keyentry* entry = KeySingleton::getInstance().getKeys(keyID);
 
@@ -146,16 +147,6 @@ static int file_key_management_plugin_init(void *p)
     return 1;
   }
 
-  /* Initializing the key provider */
-  struct CryptoKeyFuncs_t func;
-  func.getLatestCryptoKeyVersionFunc = get_highest_key_used_in_key_file;
-  func.hasCryptoKeyFunc = has_key_from_key_file;
-  func.getCryptoKeySize = get_key_size_from_key_file;
-  func.getCryptoKeyFunc = get_key_from_key_file;
-  func.getCryptoIVFunc = get_iv_from_key_file;
-
-  InstallCryptoKeyFunctions(&func);
-
   if (filename == NULL || strcmp("", filename) == 0)
   {
     sql_print_error("Parameter file_key_management_plugin_filename is required");
@@ -175,8 +166,13 @@ static int file_key_management_plugin_deinit(void *p)
   return 0;
 }
 
-struct st_mysql_daemon file_key_management_plugin= {
+struct st_mariadb_encryption_key_management file_key_management_plugin= {
-  MYSQL_DAEMON_INTERFACE_VERSION
+  MariaDB_ENCRYPTION_KEY_MANAGEMENT_INTERFACE_VERSION,
+  get_highest_key_used_in_key_file,
+  has_key_from_key_file,
+  get_key_size_from_key_file,
+  get_key_from_key_file,
+  get_iv_from_key_file
 };
 
 /*
@@ -184,7 +180,7 @@ struct st_mysql_daemon file_key_management_plugin= {
 */
 maria_declare_plugin(file_key_management_plugin)
 {
-  MYSQL_KEY_MANAGEMENT_PLUGIN,
+  MariaDB_ENCRYPTION_KEY_MANAGEMENT_PLUGIN,
   &file_key_management_plugin,
   "file_key_management_plugin",
   "Denis Endro eperi GmbH",

sql/CMakeLists.txt

@@ -115,7 +115,7 @@ SET (SQL_SOURCE
                my_json_writer.cc my_json_writer.h
                rpl_gtid.cc rpl_parallel.cc
 	       ${WSREP_SOURCES}
-               table_cache.cc
+               table_cache.cc encryption_keys.cc
                ${CMAKE_CURRENT_BINARY_DIR}/sql_builtin.cc
                ${GEN_SOURCES}
                ${MYSYS_LIBWRAP_SOURCE}

sql/encryption_keys.cc

@@ -0,0 +1,110 @@
+#include <my_global.h>
+#include <mysql/plugin_encryption_key_management.h>
+#include <my_crypt_key_management.h>
+#include "log.h"
+#include "sql_plugin.h"
+
+#ifndef DBUG_OFF
+my_bool debug_use_static_encryption_keys = 0;
+uint opt_debug_encryption_key_version = 0;
+#endif
+
+/* there can be only one encryption key management plugin enabled */
+static plugin_ref encryption_key_manager= 0;
+static struct st_mariadb_encryption_key_management *handle;
+
+uint get_latest_encryption_key_version()
+{
+#ifndef DBUG_OFF
+  if (debug_use_static_encryption_keys)
+  {
+    //mysql_mutex_lock(&LOCK_global_system_variables);
+    uint res = opt_debug_encryption_key_version;
+    //mysql_mutex_unlock(&LOCK_global_system_variables);
+    return res;
+  }
+#endif
+
+  if (encryption_key_manager)
+    return handle->get_latest_key_version();
+
+  return BAD_ENCRYPTION_KEY_VERSION;
+}
+
+uint has_encryption_key(uint version)
+{
+  if (encryption_key_manager)
+    return handle->has_key_version(version);
+
+  return 0;
+}
+
+uint get_encryption_key_size(uint version)
+{
+  if (encryption_key_manager)
+    return handle->get_key_size(version);
+
+  return 0;
+}
+
+int get_encryption_key(uint version, uchar* key, uint size)
+{
+#ifndef DBUG_OFF
+  if (debug_use_static_encryption_keys)
+  {
+    memset(key, 0, size);
+    // Just don't support tiny keys, no point anyway.
+    if (size < 4)
+      return 1;
+
+    mi_int4store(key, version);
+    return 0;
+  }
+#endif
+
+  if (encryption_key_manager)
+    return handle->get_key(version, key, size);
+
+  return 1;
+}
+
+int get_encryption_iv(uint version, uchar* iv, uint size)
+{
+  if (encryption_key_manager)
+    return handle->get_iv(version, iv, size);
+
+  return 1;
+}
+
+int initialize_encryption_key_management_plugin(st_plugin_int *plugin)
+{
+  if (encryption_key_manager)
+    return 1;
+
+  if (plugin->plugin->init && plugin->plugin->init(plugin))
+  {
+    sql_print_error("Plugin '%s' init function returned error.",
+                    plugin->name.str);
+    return 1;
+  }
+
+  encryption_key_manager= plugin_lock(NULL, plugin_int_to_ref(plugin));
+  handle= (struct st_mariadb_encryption_key_management*)
+            plugin->plugin->info;
+  return 0;
+}
+
+int finalize_encryption_key_management_plugin(st_plugin_int *plugin)
+{
+  DBUG_ASSERT(encryption_key_manager);
+
+  if (plugin->plugin->deinit && plugin->plugin->deinit(NULL))
+  {
+    DBUG_PRINT("warning", ("Plugin '%s' deinit function returned error.",
+                           plugin->name.str));
+  }
+  plugin_unlock(NULL, encryption_key_manager);
+  encryption_key_manager= 0;
+  return 0;
+}
+

sql/sql_plugin.cc

@@ -37,6 +37,7 @@
 #include "lock.h"                               // MYSQL_LOCK_IGNORE_TIMEOUT
 #include <mysql/plugin_auth.h>
 #include <mysql/plugin_password_validation.h>
+#include <mysql/plugin_encryption_key_management.h>
 #include "sql_plugin_compat.h"
 
 #define REPORT_TO_LOG  1
@@ -85,7 +86,8 @@ const LEX_STRING plugin_type_names[MYSQL_MAX_PLUGIN_TYPE_NUM]=
   { C_STRING_WITH_LEN("AUDIT") },
   { C_STRING_WITH_LEN("REPLICATION") },
   { C_STRING_WITH_LEN("AUTHENTICATION") },
-  { C_STRING_WITH_LEN("PASSWORD VALIDATION") }
+  { C_STRING_WITH_LEN("PASSWORD VALIDATION") },
+  { C_STRING_WITH_LEN("ENCRYPTION KEY MANAGEMENT") }
 };
 
 extern int initialize_schema_table(st_plugin_int *plugin);
@@ -94,6 +96,9 @@ extern int finalize_schema_table(st_plugin_int *plugin);
 extern int initialize_audit_plugin(st_plugin_int *plugin);
 extern int finalize_audit_plugin(st_plugin_int *plugin);
 
+extern int initialize_encryption_key_management_plugin(st_plugin_int *plugin);
+extern int finalize_encryption_key_management_plugin(st_plugin_int *plugin);
+
 /*
   The number of elements in both plugin_type_initialize and
   plugin_type_deinitialize should equal to the number of plugins
@@ -102,13 +107,13 @@ extern int finalize_audit_plugin(st_plugin_int *plugin);
 plugin_type_init plugin_type_initialize[MYSQL_MAX_PLUGIN_TYPE_NUM]=
 {
   0, ha_initialize_handlerton, 0, 0,initialize_schema_table,
-  initialize_audit_plugin, 0, 0, 0
+  initialize_audit_plugin, 0, 0, 0, initialize_encryption_key_management_plugin
 };
 
 plugin_type_init plugin_type_deinitialize[MYSQL_MAX_PLUGIN_TYPE_NUM]=
 {
   0, ha_finalize_handlerton, 0, 0, finalize_schema_table,
-  finalize_audit_plugin, 0, 0, 0
+  finalize_audit_plugin, 0, 0, 0, finalize_encryption_key_management_plugin
 };
 
 /*
@@ -119,7 +124,7 @@ plugin_type_init plugin_type_deinitialize[MYSQL_MAX_PLUGIN_TYPE_NUM]=
 static int plugin_type_initialization_order[MYSQL_MAX_PLUGIN_TYPE_NUM]=
 {
   MYSQL_DAEMON_PLUGIN,
-  MYSQL_KEY_MANAGEMENT_PLUGIN,
+  MariaDB_ENCRYPTION_KEY_MANAGEMENT_PLUGIN,
   MYSQL_STORAGE_ENGINE_PLUGIN,
   MYSQL_INFORMATION_SCHEMA_PLUGIN,
   MYSQL_FTPARSER_PLUGIN,
@@ -160,7 +165,8 @@ static int min_plugin_info_interface_version[MYSQL_MAX_PLUGIN_TYPE_NUM]=
   MYSQL_AUDIT_INTERFACE_VERSION,
   MYSQL_REPLICATION_INTERFACE_VERSION,
   MIN_AUTHENTICATION_INTERFACE_VERSION,
-  MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION
+  MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION,
+  MariaDB_ENCRYPTION_KEY_MANAGEMENT_INTERFACE_VERSION
 };
 static int cur_plugin_info_interface_version[MYSQL_MAX_PLUGIN_TYPE_NUM]=
 {
@@ -172,7 +178,8 @@ static int cur_plugin_info_interface_version[MYSQL_MAX_PLUGIN_TYPE_NUM]=
   MYSQL_AUDIT_INTERFACE_VERSION,
   MYSQL_REPLICATION_INTERFACE_VERSION,
   MYSQL_AUTHENTICATION_INTERFACE_VERSION,
-  MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION
+  MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION,
+  MariaDB_ENCRYPTION_KEY_MANAGEMENT_INTERFACE_VERSION
 };
 
 static struct
@@ -1954,8 +1961,6 @@ void plugin_shutdown(void)
       if (!(plugins[i]->state & (PLUGIN_IS_UNINITIALIZED | PLUGIN_IS_FREED |
                                  PLUGIN_IS_DISABLED)))
       {
-        sql_print_warning("Plugin '%s' will be forced to shutdown",
-                          plugins[i]->name.str);
         /*
           We are forcing deinit on plugins so we don't want to do a ref_count
           check until we have processed all the plugins.

sql/sys_vars.cc

@@ -62,7 +62,7 @@
 #include "sql_repl.h"
 #include "opt_range.h"
 #include "rpl_parallel.h"
-#include "my_crypt_key_management.h"
+#include <my_crypt_key_management.h>
 
 /*
   The rule for this file: everything should be 'static'. When a sys_var
@@ -1134,15 +1134,12 @@ static Sys_var_mybool Sys_debug_use_static_keys(
        READ_ONLY GLOBAL_VAR(debug_use_static_encryption_keys),
        CMD_LINE(OPT_ARG), DEFAULT(FALSE));
 
-static PolyLock_rwlock PLock_sys_debug_encryption_key_version(
-       &LOCK_dbug_encryption_key_version);
-
 static Sys_var_uint Sys_debug_encryption_key_version(
        "debug_encryption_key_version",
        "Encryption key version. Only to be used in internal testing.",
        GLOBAL_VAR(opt_debug_encryption_key_version),
        CMD_LINE(REQUIRED_ARG), VALID_RANGE(0,UINT_MAX), DEFAULT(0),
-       BLOCK_SIZE(1), &PLock_sys_debug_encryption_key_version);
+       BLOCK_SIZE(1));
 #endif
 
 static Sys_var_mybool Sys_trust_function_creators(

storage/innobase/fil/fil0crypt.cc

@@ -210,7 +210,7 @@ fil_crypt_get_key(byte *dst, uint* key_length,
         {
             // load iv
 
-	    int rc = GetCryptoIV(version, (unsigned char*)iv, iv_len);
+	    int rc = get_encryption_iv(version, (unsigned char*)iv, iv_len);
 
 	    if (rc != CRYPT_KEY_OK) {
 		ib_logf(IB_LOG_LEVEL_FATAL,
@@ -219,10 +219,10 @@ fil_crypt_get_key(byte *dst, uint* key_length,
 	    }
         }
 
-	if (HasCryptoKey(version)) {
+	if (has_encryption_key(version)) {
-	    *key_length = GetCryptoKeySize(version);
+	    *key_length = get_encryption_key_size(version);
 
-	    int rc = GetCryptoKey(version, (unsigned char*)keybuf, *key_length);
+	    int rc = get_encryption_key(version, (unsigned char*)keybuf, *key_length);
 
 	    if (rc != CRYPT_KEY_OK) {
 		ib_logf(IB_LOG_LEVEL_FATAL,
@@ -295,7 +295,7 @@ fil_crypt_get_latest_key(byte *dst, uint* key_length,
 {
 	if (srv_encrypt_tables) {
 	        // used for key rotation - get the next key id from the key provider
-		int rc = GetLatestCryptoKeyVersion();
+		int rc = get_latest_encryption_key_version();
 
 		// if no new key was created use the last one
 		if (rc >= 0)
@@ -325,7 +325,7 @@ fil_space_create_crypt_data()
 		crypt_data->min_key_version = 0;
 	} else {
 		crypt_data->type = CRYPT_SCHEME_1;
-		crypt_data->min_key_version = GetLatestCryptoKeyVersion();
+		crypt_data->min_key_version = get_latest_encryption_key_version();
 	}
 
 	mutex_create(fil_crypt_data_mutex_key,
@@ -652,7 +652,7 @@ fil_space_encrypt(ulint space, ulint offset, lsn_t lsn,
 	{
 	    // take the iv from the key provider
 
-	    int load_iv_rc = GetCryptoIV(key_version, (uchar *) iv, sizeof(iv));
+	    int load_iv_rc = get_encryption_iv(key_version, (uchar *) iv, sizeof(iv));
 
 	    // if the iv can not be loaded the whole page can not be encrypted
 	    if (load_iv_rc != CRYPT_KEY_OK)
@@ -869,7 +869,7 @@ fil_space_decrypt(fil_space_crypt_t* crypt_data,
 	{
 	    // take the iv from the key provider
 
-	    int load_iv_rc = GetCryptoIV(key_version, (uchar *) iv, sizeof(iv));
+	    int load_iv_rc = get_encryption_iv(key_version, (uchar *) iv, sizeof(iv));
 
 	    // if the iv can not be loaded the whole page can not be decrypted
 	    if (load_iv_rc != CRYPT_KEY_OK)
@@ -1049,7 +1049,7 @@ fil_crypt_get_key_state(
 	key_state_t *new_state)
 {
 	if (srv_encrypt_tables == TRUE) {
-		new_state->key_version = GetLatestCryptoKeyVersion();
+		new_state->key_version = get_latest_encryption_key_version();
 		new_state->rotate_key_age = srv_fil_crypt_rotate_key_age;
 		ut_a(new_state->key_version > 0);
 	} else {
@@ -2375,7 +2375,7 @@ fil_space_crypt_get_status(
 	}
 
 	if (srv_encrypt_tables == TRUE) {
-		status->current_key_version = GetLatestCryptoKeyVersion();
+		status->current_key_version = get_latest_encryption_key_version();
 	} else {
 		status->current_key_version = 0;
 	}

storage/innobase/fil/fil0fil.cc

@@ -1153,7 +1153,7 @@ fil_space_create(
 	ut_a(fil_system);
 
 	if (fsp_flags_is_page_encrypted(flags)) {
-		if (!HasCryptoKey(fsp_flags_get_page_encryption_key(flags))) {
+		if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) {
 			/* by returning here it should be avoided that
 			 * the server crashes, if someone tries to access an
 			 * encrypted table and the encryption key is not available.

storage/innobase/handler/ha_innodb.cc

@@ -11370,7 +11370,7 @@ ha_innobase::check_table_options(
 			return "PAGE_ENCRYPTION_KEY";
 		}
 
-		if (!HasCryptoKey(options->page_encryption_key)) {
+		if (!has_encryption_key(options->page_encryption_key)) {
 			push_warning_printf(
 				thd, Sql_condition::WARN_LEVEL_WARN,
 				HA_WRONG_CREATE_OPTION,

storage/innobase/include/fsp0pageencryption.ic

@@ -147,9 +147,9 @@ fil_page_encryption_status(
 	if (page_type == FIL_PAGE_TYPE_FSP_HDR) {
 		ulint flags = mach_read_from_4(FSP_HEADER_OFFSET + FSP_SPACE_FLAGS + buf);
 		if (fsp_flags_is_page_encrypted(flags)) {
-			if (!HasCryptoKey(fsp_flags_get_page_encryption_key(flags))) {
+			if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) {
 				/* accessing table would surely fail, because no key or no key provider available */
-				if (!HasCryptoKey(fsp_flags_get_page_encryption_key(flags))) {
+				if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) {
 					return PAGE_ENCRYPTION_KEY_MISSING;
 				}
 				return PAGE_ENCRYPTION_ERROR;
@@ -159,7 +159,7 @@ fil_page_encryption_status(
 
 	if(page_type == FIL_PAGE_PAGE_COMPRESSED_ENCRYPTED) {
 		ulint key = mach_read_from_4(buf + FIL_PAGE_FILE_FLUSH_LSN_OR_KEY_VERSION);
-		if (!HasCryptoKey(key)) {
+		if (!has_encryption_key(key)) {
 						return PAGE_ENCRYPTION_KEY_MISSING;
 		}
 		return PAGE_ENCRYPTION_ERROR;

storage/innobase/include/log0crypt.h

@@ -12,7 +12,7 @@ Created 11/25/2013 Minli Zhu
 #include "ut0lst.h"
 #include "ut0rnd.h"
 #include "my_aes.h"
-#include "my_crypt_key_management.h"	// for key version and key 
+#include <my_crypt_key_management.h>
 
 #define PURPOSE_BYTE_LEN	MY_AES_BLOCK_SIZE - 1
 #define PURPOSE_BYTE_OFFSET	0

storage/innobase/log/log0crypt.cc

@@ -37,7 +37,7 @@ Note:
 We should not use flags and conditions such as:
 	(srv_encrypt_log &&
 	 debug_use_static_keys &&
-	 GetLatestCryptoKeyVersion() == UNENCRYPTED_KEY_VER)
+	 get_latest_encryption_key_version() == UNENCRYPTED_KEY_VER)
 because they haven't been read and set yet in the situation of resetting
 redo logs.
 */
@@ -93,7 +93,7 @@ log_init_crypt_key(
 	}
 
 	byte mysqld_key[MY_AES_BLOCK_SIZE] = {0};
-	if (GetCryptoKey(crypt_ver, mysqld_key, MY_AES_BLOCK_SIZE))
+	if (get_encryption_key(crypt_ver, mysqld_key, MY_AES_BLOCK_SIZE))
 	{
 		fprintf(stderr,
 			"\nInnodb redo log crypto: getting mysqld crypto key "
@@ -234,7 +234,7 @@ log_crypt_set_ver_and_key(
 	byte* crypt_key)		/*!< out: crypto key */
 {
 	if (!srv_encrypt_log ||
-	    (key_ver = GetLatestCryptoKeyVersion()) == UNENCRYPTED_KEY_VER)
+	    (key_ver = get_latest_encryption_key_version()) == UNENCRYPTED_KEY_VER)
 	{
 		key_ver = UNENCRYPTED_KEY_VER;
 		memset(crypt_key, 0, MY_AES_BLOCK_SIZE);

storage/xtradb/fil/fil0crypt.cc

@@ -210,7 +210,7 @@ fil_crypt_get_key(byte *dst, uint* key_length,
         {
             // load iv
 
-	    int rc = GetCryptoIV(version, (unsigned char*)iv, iv_len);
+	    int rc = get_encryption_iv(version, (unsigned char*)iv, iv_len);
 
 	    if (rc != CRYPT_KEY_OK) {
 		ib_logf(IB_LOG_LEVEL_FATAL,
@@ -219,10 +219,10 @@ fil_crypt_get_key(byte *dst, uint* key_length,
 	    }
         }
 
-	if (HasCryptoKey(version)) {
+	if (has_encryption_key(version)) {
-	    *key_length = GetCryptoKeySize(version);
+	    *key_length = get_encryption_key_size(version);
 
-	    int rc = GetCryptoKey(version, (unsigned char*)keybuf, *key_length);
+	    int rc = get_encryption_key(version, (unsigned char*)keybuf, *key_length);
 
 	    if (rc != CRYPT_KEY_OK) {
 		ib_logf(IB_LOG_LEVEL_FATAL,
@@ -295,7 +295,7 @@ fil_crypt_get_latest_key(byte *dst, uint* key_length,
 {
 	if (srv_encrypt_tables) {
 	        // used for key rotation - get the next key id from the key provider
-		int rc = GetLatestCryptoKeyVersion();
+		int rc = get_latest_encryption_key_version();
 
 		// if no new key was created use the last one
 		if (rc >= 0)
@@ -326,7 +326,7 @@ fil_space_create_crypt_data()
 		crypt_data->min_key_version = 0;
 	} else {
 		crypt_data->type = CRYPT_SCHEME_1;
-		crypt_data->min_key_version = GetLatestCryptoKeyVersion();
+		crypt_data->min_key_version = get_latest_encryption_key_version();
 	}
 
 	mutex_create(fil_crypt_data_mutex_key,
@@ -653,7 +653,7 @@ fil_space_encrypt(ulint space, ulint offset, lsn_t lsn,
 	{
 	    // take the iv from the key provider
 
-	    int load_iv_rc = GetCryptoIV(key_version, (uchar *) iv, sizeof(iv));
+	    int load_iv_rc = get_encryption_iv(key_version, (uchar *) iv, sizeof(iv));
 
 	    // if the iv can not be loaded the whole page can not be encrypted
 	    if (load_iv_rc != CRYPT_KEY_OK)
@@ -869,7 +869,7 @@ fil_space_decrypt(fil_space_crypt_t* crypt_data,
 	{
 	    // take the iv from the key provider
 
-	    int load_iv_rc = GetCryptoIV(key_version, (uchar *) iv, sizeof(iv));
+	    int load_iv_rc = get_encryption_iv(key_version, (uchar *) iv, sizeof(iv));
 
 	    // if the iv can not be loaded the whole page can not be decrypted
 	    if (load_iv_rc != CRYPT_KEY_OK)
@@ -1049,7 +1049,7 @@ fil_crypt_get_key_state(
 	key_state_t *new_state)
 {
 	if (srv_encrypt_tables == TRUE) {
-		new_state->key_version = GetLatestCryptoKeyVersion();
+		new_state->key_version = get_latest_encryption_key_version();
 		new_state->rotate_key_age = srv_fil_crypt_rotate_key_age;
 		ut_a(new_state->key_version > 0);
 	} else {
@@ -2375,7 +2375,7 @@ fil_space_crypt_get_status(
 	}
 
 	if (srv_encrypt_tables == TRUE) {
-		status->current_key_version = GetLatestCryptoKeyVersion();
+		status->current_key_version = get_latest_encryption_key_version();
 	} else {
 		status->current_key_version = 0;
 	}

storage/xtradb/fil/fil0fil.cc

@@ -1188,7 +1188,7 @@ fil_space_create(
 	ut_a(fil_system);
 
 	if (fsp_flags_is_page_encrypted(flags)) {
-		if (!HasCryptoKey(fsp_flags_get_page_encryption_key(flags))) {
+		if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) {
 			/* by returning here it should be avoided that
 			 * the server crashes, if someone tries to access an
 			 * encrypted table and the encryption key is not available.

storage/xtradb/handler/ha_innodb.cc

@@ -11887,7 +11887,7 @@ ha_innobase::check_table_options(
 			return "PAGE_ENCRYPTION_KEY";
 		}
 
-		if (!HasCryptoKey(options->page_encryption_key)) {
+		if (!has_encryption_key(options->page_encryption_key)) {
 			push_warning_printf(
 				thd, Sql_condition::WARN_LEVEL_WARN,
 				HA_WRONG_CREATE_OPTION,

storage/xtradb/include/fsp0pageencryption.ic

@@ -27,9 +27,6 @@ Created 08/28/2014
 #include "fil0pageencryption.h"
 #include <my_crypt_key_management.h>
 
-
-
-
 /********************************************************************//**
 Determine if the tablespace is page encrypted from dict_table_t::flags.
 @return	TRUE if page encrypted, FALSE if not page encrypted */
@@ -151,9 +148,9 @@ fil_page_encryption_status(
 	if (page_type == FIL_PAGE_TYPE_FSP_HDR) {
 		ulint flags = mach_read_from_4(FSP_HEADER_OFFSET + FSP_SPACE_FLAGS + buf);
 		if (fsp_flags_is_page_encrypted(flags)) {
-			if (!HasCryptoKey(fsp_flags_get_page_encryption_key(flags))) {
+			if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) {
 				/* accessing table would surely fail, because no key or no key provider available */
-				if (!HasCryptoKey(fsp_flags_get_page_encryption_key(flags))) {
+				if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) {
 					return PAGE_ENCRYPTION_KEY_MISSING;
 				}
 				return PAGE_ENCRYPTION_ERROR;
@@ -163,7 +160,7 @@ fil_page_encryption_status(
 
 	if(page_type == FIL_PAGE_PAGE_COMPRESSED_ENCRYPTED) {
 		ulint key = mach_read_from_4(buf + FIL_PAGE_FILE_FLUSH_LSN_OR_KEY_VERSION);
-		if (!HasCryptoKey(key)) {
+		if (!has_encryption_key(key)) {
 			return PAGE_ENCRYPTION_KEY_MISSING;
 		}
 		return PAGE_ENCRYPTION_ERROR;

storage/xtradb/include/log0crypt.h

@@ -12,7 +12,7 @@ Created 11/25/2013 Minli Zhu
 #include "ut0lst.h"
 #include "ut0rnd.h"
 #include "my_aes.h"
-#include "my_crypt_key_management.h"	// for key version and key 
+#include <my_crypt_key_management.h>
 
 #define PURPOSE_BYTE_LEN	MY_AES_BLOCK_SIZE - 1
 #define PURPOSE_BYTE_OFFSET	0

storage/xtradb/log/log0crypt.cc

@@ -37,7 +37,7 @@ Note:
 We should not use flags and conditions such as:
 	(srv_encrypt_log &&
 	 debug_use_static_keys &&
-	 GetLatestCryptoKeyVersion() == UNENCRYPTED_KEY_VER)
+	 get_latest_encryption_key_version() == UNENCRYPTED_KEY_VER)
 because they haven't been read and set yet in the situation of resetting
 redo logs.
 */
@@ -93,7 +93,7 @@ log_init_crypt_key(
 	}
 
 	byte mysqld_key[MY_AES_BLOCK_SIZE] = {0};
-	if (GetCryptoKey(crypt_ver, mysqld_key, MY_AES_BLOCK_SIZE))
+	if (get_encryption_key(crypt_ver, mysqld_key, MY_AES_BLOCK_SIZE))
 	{
 		fprintf(stderr,
 			"\nInnodb redo log crypto: getting mysqld crypto key "
@@ -234,7 +234,7 @@ log_crypt_set_ver_and_key(
 	byte* crypt_key)		/*!< out: crypto key */
 {
 	if (!srv_encrypt_log ||
-	    (key_ver = GetLatestCryptoKeyVersion()) == UNENCRYPTED_KEY_VER)
+	    (key_ver = get_latest_encryption_key_version()) == UNENCRYPTED_KEY_VER)
 	{
 		key_ver = UNENCRYPTED_KEY_VER;
 		memset(crypt_key, 0, MY_AES_BLOCK_SIZE);