diff options
author | Jan Lindström <jan.lindstrom@skysql.com> | 2015-02-25 13:26:57 +0200 |
---|---|---|
committer | Jan Lindström <jan.lindstrom@skysql.com> | 2015-02-25 13:26:57 +0200 |
commit | 2330107ca886512c2f03696ce086f94beb39d70b (patch) | |
tree | ae3feef0efcc73b561fef30705d6e7eff28409a6 | |
parent | da181fee4ec849985b15a758c6b26058a0f5e318 (diff) | |
download | mariadb-git-2330107ca886512c2f03696ce086f94beb39d70b.tar.gz |
MDEV-7572: InnoDB: Assertion failure in log_init_crypt_key if
file_key_management_plugin is used
Fixed error handling and added disabling InnoDB redo log encryption
if encryption key management plugin is not there.
-rw-r--r-- | include/my_aes.h | 4 | ||||
-rw-r--r-- | include/mysql/plugin_encryption_key_management.h | 2 | ||||
-rw-r--r-- | mysql-test/suite/innodb/r/innodb-page_encryption_log_encryption.result | 239 | ||||
-rw-r--r-- | mysql-test/suite/innodb/t/innodb-page_encryption_log_encryption.opt | 2 | ||||
-rw-r--r-- | mysql-test/suite/innodb/t/innodb-page_encryption_log_encryption.test | 152 | ||||
-rw-r--r-- | sql/encryption_keys.cc | 6 | ||||
-rw-r--r-- | storage/innobase/log/log0crypt.cc | 44 | ||||
-rw-r--r-- | storage/xtradb/log/log0crypt.cc | 43 |
8 files changed, 467 insertions, 25 deletions
diff --git a/include/my_aes.h b/include/my_aes.h index db50d35efd5..057fa1e9860 100644 --- a/include/my_aes.h +++ b/include/my_aes.h @@ -33,8 +33,8 @@ typedef int Crypt_result; #define AES_KEY_CREATION_FAILED -10 #define CRYPT_KEY_OK 0 -#define CRYPT_BUFFER_TO_SMALL -11; -#define CRYPT_KEY_UNKNOWN -48; +#define CRYPT_BUFFER_TO_SMALL -11 +#define CRYPT_KEY_UNKNOWN -48 /* The max block sizes of all supported algorithms */ #define MY_AES_BLOCK_SIZE 16 diff --git a/include/mysql/plugin_encryption_key_management.h b/include/mysql/plugin_encryption_key_management.h index 1ba4659196f..af7730e5ee7 100644 --- a/include/mysql/plugin_encryption_key_management.h +++ b/include/mysql/plugin_encryption_key_management.h @@ -29,7 +29,7 @@ #define MariaDB_ENCRYPTION_KEY_MANAGEMENT_INTERFACE_VERSION 0x0100 -#define BAD_ENCRYPTION_KEY_VERSION (~0U) +#define BAD_ENCRYPTION_KEY_VERSION (UINT_MAX32) /** Encryption key management plugin descriptor diff --git a/mysql-test/suite/innodb/r/innodb-page_encryption_log_encryption.result b/mysql-test/suite/innodb/r/innodb-page_encryption_log_encryption.result new file mode 100644 index 00000000000..62f07778d5a --- /dev/null +++ b/mysql-test/suite/innodb/r/innodb-page_encryption_log_encryption.result @@ -0,0 +1,239 @@ +call mtr.add_suppression("KeyID 0 not found or with error. Check the key and the log file*"); +call mtr.add_suppression("Disabling redo log encryption"); +SET GLOBAL innodb_file_format = `Barracuda`; +SET GLOBAL innodb_file_per_table = ON; +create table innodb_normal(c1 bigint not null, b char(200)) engine=innodb; +create table innodb_compact(c1 bigint not null, b char(200)) engine=innodb row_format=compact page_encryption=1 page_encryption_key=1; +create table innodb_compressed(c1 bigint not null, b char(200)) engine=innodb row_format=compressed page_encryption=1 page_encryption_key=2; +create table innodb_dynamic(c1 bigint not null, b char(200)) engine=innodb row_format=dynamic page_encryption=1 page_encryption_key=3; +create table innodb_redundant(c1 bigint not null, b char(200)) engine=innodb row_format=redundant page_encryption=1 page_encryption_key=4; +show create table innodb_compact; +Table Create Table +innodb_compact CREATE TABLE `innodb_compact` ( + `c1` bigint(20) NOT NULL, + `b` char(200) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=COMPACT `page_encryption`=1 `page_encryption_key`=1 +show create table innodb_compressed; +Table Create Table +innodb_compressed CREATE TABLE `innodb_compressed` ( + `c1` bigint(20) NOT NULL, + `b` char(200) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=COMPRESSED `page_encryption`=1 `page_encryption_key`=2 +show create table innodb_dynamic; +Table Create Table +innodb_dynamic CREATE TABLE `innodb_dynamic` ( + `c1` bigint(20) NOT NULL, + `b` char(200) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=DYNAMIC `page_encryption`=1 `page_encryption_key`=3 +show create table innodb_redundant; +Table Create Table +innodb_redundant CREATE TABLE `innodb_redundant` ( + `c1` bigint(20) NOT NULL, + `b` char(200) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=REDUNDANT `page_encryption`=1 `page_encryption_key`=4 +create procedure innodb_insert_proc (repeat_count int) +begin +declare current_num int; +set current_num = 0; +while current_num < repeat_count do +insert into innodb_normal values(current_num, substring(MD5(RAND()), -64)); +set current_num = current_num + 1; +end while; +end// +commit; +set autocommit=0; +call innodb_insert_proc(2000); +commit; +set autocommit=1; +insert into innodb_compact select * from innodb_normal; +insert into innodb_compressed select * from innodb_normal; +insert into innodb_dynamic select * from innodb_normal; +insert into innodb_redundant select * from innodb_normal; +update innodb_normal set c1 = c1 +1; +update innodb_compact set c1 = c1 + 1; +update innodb_compressed set c1 = c1 + 1; +update innodb_dynamic set c1 = c1 + 1; +update innodb_redundant set c1 = c1 + 1; +select count(*) from innodb_compact where c1 < 1500000; +count(*) +2000 +select count(*) from innodb_compressed where c1 < 1500000; +count(*) +2000 +select count(*) from innodb_dynamic where c1 < 1500000; +count(*) +2000 +select count(*) from innodb_redundant where c1 < 1500000; +count(*) +2000 +select count(*) from innodb_compact t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +count(*) +2000 +select count(*) from innodb_dynamic t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +count(*) +2000 +select count(*) from innodb_compressed t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +count(*) +2000 +select count(*) from innodb_redundant t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +count(*) +2000 +SELECT variable_value >= 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_encrypted'; +variable_value >= 0 +1 +SELECT variable_value >= 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_decrypted'; +variable_value >= 0 +1 +SELECT variable_value = 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_encryption_error'; +variable_value = 0 +1 +SET GLOBAL innodb_file_format = `Barracuda`; +SET GLOBAL innodb_file_per_table = ON; +update innodb_normal set c1 = c1 +1; +update innodb_compact set c1 = c1 + 1; +update innodb_compressed set c1 = c1 + 1; +update innodb_dynamic set c1 = c1 + 1; +update innodb_redundant set c1 = c1 + 1; +select count(*) from innodb_compact where c1 < 1500000; +count(*) +2000 +select count(*) from innodb_compressed where c1 < 1500000; +count(*) +2000 +select count(*) from innodb_dynamic where c1 < 1500000; +count(*) +2000 +select count(*) from innodb_redundant where c1 < 1500000; +count(*) +2000 +select count(*) from innodb_compact t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +count(*) +2000 +select count(*) from innodb_dynamic t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +count(*) +2000 +select count(*) from innodb_compressed t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +count(*) +2000 +select count(*) from innodb_redundant t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +count(*) +2000 +SELECT variable_value >= 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_encrypted'; +variable_value >= 0 +1 +SELECT variable_value >= 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_decrypted'; +variable_value >= 0 +1 +SELECT variable_value = 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_encryption_error'; +variable_value = 0 +1 +alter table innodb_compact engine=innodb page_encryption=DEFAULT page_encryption_key=DEFAULT; +show create table innodb_compact; +Table Create Table +innodb_compact CREATE TABLE `innodb_compact` ( + `c1` bigint(20) NOT NULL, + `b` char(200) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=COMPACT +alter table innodb_compressed engine=innodb page_encryption=DEFAULT page_encryption_key=DEFAULT; +show create table innodb_compressed; +Table Create Table +innodb_compressed CREATE TABLE `innodb_compressed` ( + `c1` bigint(20) NOT NULL, + `b` char(200) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=COMPRESSED +alter table innodb_dynamic engine=innodb page_encryption=DEFAULT page_encryption_key=DEFAULT; +show create table innodb_dynamic; +Table Create Table +innodb_dynamic CREATE TABLE `innodb_dynamic` ( + `c1` bigint(20) NOT NULL, + `b` char(200) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=DYNAMIC +alter table innodb_redundant engine=innodb page_encryption=DEFAULT page_encryption_key=DEFAULT; +show create table innodb_redundant; +Table Create Table +innodb_redundant CREATE TABLE `innodb_redundant` ( + `c1` bigint(20) NOT NULL, + `b` char(200) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=REDUNDANT +SET GLOBAL innodb_file_format = `Barracuda`; +SET GLOBAL innodb_file_per_table = ON; +show create table innodb_compact; +Table Create Table +innodb_compact CREATE TABLE `innodb_compact` ( + `c1` bigint(20) NOT NULL, + `b` char(200) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=COMPACT +show create table innodb_compressed; +Table Create Table +innodb_compressed CREATE TABLE `innodb_compressed` ( + `c1` bigint(20) NOT NULL, + `b` char(200) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=COMPRESSED +show create table innodb_dynamic; +Table Create Table +innodb_dynamic CREATE TABLE `innodb_dynamic` ( + `c1` bigint(20) NOT NULL, + `b` char(200) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=DYNAMIC +show create table innodb_redundant; +Table Create Table +innodb_redundant CREATE TABLE `innodb_redundant` ( + `c1` bigint(20) NOT NULL, + `b` char(200) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=REDUNDANT +update innodb_normal set c1 = c1 +1; +update innodb_compact set c1 = c1 + 1; +update innodb_compressed set c1 = c1 + 1; +update innodb_dynamic set c1 = c1 + 1; +update innodb_redundant set c1 = c1 + 1; +select count(*) from innodb_compact where c1 < 1500000; +count(*) +2000 +select count(*) from innodb_compressed where c1 < 1500000; +count(*) +2000 +select count(*) from innodb_dynamic where c1 < 1500000; +count(*) +2000 +select count(*) from innodb_redundant where c1 < 1500000; +count(*) +2000 +select count(*) from innodb_compact t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +count(*) +2000 +select count(*) from innodb_dynamic t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +count(*) +2000 +select count(*) from innodb_compressed t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +count(*) +2000 +select count(*) from innodb_redundant t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +count(*) +2000 +SELECT variable_value = 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_encrypted'; +variable_value = 0 +1 +SELECT variable_value = 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_decrypted'; +variable_value = 0 +1 +SELECT variable_value = 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_encryption_error'; +variable_value = 0 +1 +drop procedure innodb_insert_proc; +drop table innodb_normal; +drop table innodb_compact; +drop table innodb_compressed; +drop table innodb_dynamic; +drop table innodb_redundant; diff --git a/mysql-test/suite/innodb/t/innodb-page_encryption_log_encryption.opt b/mysql-test/suite/innodb/t/innodb-page_encryption_log_encryption.opt new file mode 100644 index 00000000000..7cda4be1fff --- /dev/null +++ b/mysql-test/suite/innodb/t/innodb-page_encryption_log_encryption.opt @@ -0,0 +1,2 @@ +--encryption-algorithm=aes_ctr +--innodb-encrypt-log diff --git a/mysql-test/suite/innodb/t/innodb-page_encryption_log_encryption.test b/mysql-test/suite/innodb/t/innodb-page_encryption_log_encryption.test new file mode 100644 index 00000000000..c2f67dbe5b5 --- /dev/null +++ b/mysql-test/suite/innodb/t/innodb-page_encryption_log_encryption.test @@ -0,0 +1,152 @@ +-- source include/have_innodb.inc +-- source include/have_file_key_management_plugin.inc + +--disable_query_log +let $innodb_file_format_orig = `SELECT @@innodb_file_format`; +let $innodb_file_per_table_orig = `SELECT @@innodb_file_per_table`; +--enable_query_log + +call mtr.add_suppression("KeyID 0 not found or with error. Check the key and the log file*"); +call mtr.add_suppression("Disabling redo log encryption"); + +SET GLOBAL innodb_file_format = `Barracuda`; +SET GLOBAL innodb_file_per_table = ON; + +create table innodb_normal(c1 bigint not null, b char(200)) engine=innodb; +create table innodb_compact(c1 bigint not null, b char(200)) engine=innodb row_format=compact page_encryption=1 page_encryption_key=1; +create table innodb_compressed(c1 bigint not null, b char(200)) engine=innodb row_format=compressed page_encryption=1 page_encryption_key=2; +create table innodb_dynamic(c1 bigint not null, b char(200)) engine=innodb row_format=dynamic page_encryption=1 page_encryption_key=3; +create table innodb_redundant(c1 bigint not null, b char(200)) engine=innodb row_format=redundant page_encryption=1 page_encryption_key=4; + +show create table innodb_compact; +show create table innodb_compressed; +show create table innodb_dynamic; +show create table innodb_redundant; + +delimiter //; +create procedure innodb_insert_proc (repeat_count int) +begin + declare current_num int; + set current_num = 0; + while current_num < repeat_count do + insert into innodb_normal values(current_num, substring(MD5(RAND()), -64)); + set current_num = current_num + 1; + end while; +end// +delimiter ;// +commit; + +set autocommit=0; +call innodb_insert_proc(2000); +commit; +set autocommit=1; + +insert into innodb_compact select * from innodb_normal; +insert into innodb_compressed select * from innodb_normal; +insert into innodb_dynamic select * from innodb_normal; +insert into innodb_redundant select * from innodb_normal; + +update innodb_normal set c1 = c1 +1; +update innodb_compact set c1 = c1 + 1; +update innodb_compressed set c1 = c1 + 1; +update innodb_dynamic set c1 = c1 + 1; +update innodb_redundant set c1 = c1 + 1; +select count(*) from innodb_compact where c1 < 1500000; +select count(*) from innodb_compressed where c1 < 1500000; +select count(*) from innodb_dynamic where c1 < 1500000; +select count(*) from innodb_redundant where c1 < 1500000; +select count(*) from innodb_compact t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +select count(*) from innodb_dynamic t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +select count(*) from innodb_compressed t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +select count(*) from innodb_redundant t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; + +# Note there that these variables are updated only when real I/O is done, thus they are not reliable +SELECT variable_value >= 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_encrypted'; +SELECT variable_value >= 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_decrypted'; +SELECT variable_value = 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_encryption_error'; + +--source include/restart_mysqld.inc + +SET GLOBAL innodb_file_format = `Barracuda`; +SET GLOBAL innodb_file_per_table = ON; + +update innodb_normal set c1 = c1 +1; +update innodb_compact set c1 = c1 + 1; +update innodb_compressed set c1 = c1 + 1; +update innodb_dynamic set c1 = c1 + 1; +update innodb_redundant set c1 = c1 + 1; +select count(*) from innodb_compact where c1 < 1500000; +select count(*) from innodb_compressed where c1 < 1500000; +select count(*) from innodb_dynamic where c1 < 1500000; +select count(*) from innodb_redundant where c1 < 1500000; +select count(*) from innodb_compact t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +select count(*) from innodb_dynamic t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +select count(*) from innodb_compressed t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +select count(*) from innodb_redundant t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; + +SELECT variable_value >= 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_encrypted'; +SELECT variable_value >= 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_decrypted'; +SELECT variable_value = 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_encryption_error'; + +alter table innodb_compact engine=innodb page_encryption=DEFAULT page_encryption_key=DEFAULT; +show create table innodb_compact; +alter table innodb_compressed engine=innodb page_encryption=DEFAULT page_encryption_key=DEFAULT; +show create table innodb_compressed; +alter table innodb_dynamic engine=innodb page_encryption=DEFAULT page_encryption_key=DEFAULT; +show create table innodb_dynamic; +alter table innodb_redundant engine=innodb page_encryption=DEFAULT page_encryption_key=DEFAULT; +show create table innodb_redundant; + +--source include/restart_mysqld.inc + +SET GLOBAL innodb_file_format = `Barracuda`; +SET GLOBAL innodb_file_per_table = ON; + +show create table innodb_compact; +show create table innodb_compressed; +show create table innodb_dynamic; +show create table innodb_redundant; + +update innodb_normal set c1 = c1 +1; +update innodb_compact set c1 = c1 + 1; +update innodb_compressed set c1 = c1 + 1; +update innodb_dynamic set c1 = c1 + 1; +update innodb_redundant set c1 = c1 + 1; +select count(*) from innodb_compact where c1 < 1500000; +select count(*) from innodb_compressed where c1 < 1500000; +select count(*) from innodb_dynamic where c1 < 1500000; +select count(*) from innodb_redundant where c1 < 1500000; +select count(*) from innodb_compact t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +select count(*) from innodb_dynamic t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +select count(*) from innodb_compressed t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; +select count(*) from innodb_redundant t1, innodb_normal t2 where +t1.c1 = t2.c1 and t1.b = t2.b; + +# After alter+restart these should be 0 +SELECT variable_value = 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_encrypted'; +SELECT variable_value = 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_decrypted'; +SELECT variable_value = 0 FROM information_schema.global_status WHERE LOWER(variable_name) = 'innodb_num_pages_page_encryption_error'; + +drop procedure innodb_insert_proc; +drop table innodb_normal; +drop table innodb_compact; +drop table innodb_compressed; +drop table innodb_dynamic; +drop table innodb_redundant; + +# reset system +--disable_query_log +EVAL SET GLOBAL innodb_file_per_table = $innodb_file_per_table_orig; +EVAL SET GLOBAL innodb_file_format = $innodb_file_format_orig; +--enable_query_log diff --git a/sql/encryption_keys.cc b/sql/encryption_keys.cc index 835ecd470cf..07a5d346a05 100644 --- a/sql/encryption_keys.cc +++ b/sql/encryption_keys.cc @@ -13,7 +13,7 @@ uint opt_debug_encryption_key_version = 0; static plugin_ref encryption_key_manager= 0; static struct st_mariadb_encryption_key_management *handle; -uint get_latest_encryption_key_version() +unsigned int get_latest_encryption_key_version() { #ifndef DBUG_OFF if (debug_use_static_encryption_keys) @@ -31,7 +31,7 @@ uint get_latest_encryption_key_version() return BAD_ENCRYPTION_KEY_VERSION; } -uint has_encryption_key(uint version) +unsigned int has_encryption_key(uint version) { if (encryption_key_manager) return handle->has_key_version(version); @@ -39,7 +39,7 @@ uint has_encryption_key(uint version) return 0; } -uint get_encryption_key_size(uint version) +unsigned int get_encryption_key_size(uint version) { if (encryption_key_manager) return handle->get_key_size(version); diff --git a/storage/innobase/log/log0crypt.cc b/storage/innobase/log/log0crypt.cc index 17e1404777e..3d4be2e7792 100644 --- a/storage/innobase/log/log0crypt.cc +++ b/storage/innobase/log/log0crypt.cc @@ -7,11 +7,13 @@ Created 11/25/2013 Minli Zhu #include "m_string.h" #include "log0crypt.h" #include <my_crypt.h> - +#include <my_aes.h> #include "log0log.h" #include "srv0start.h" // for srv_start_lsn #include "log0recv.h" // for recv_sys +#include "mysql/plugin_encryption_key_management.h" // for BAD_ENCRYPTION_KEY_VERSION + /* If true, enable redo log encryption. */ UNIV_INTERN my_bool srv_encrypt_log = FALSE; /* @@ -50,7 +52,7 @@ log_init_crypt_msg_and_nonce(void) if (my_random_bytes(redo_log_crypt_msg + 1, PURPOSE_BYTE_LEN) != AES_OK) { fprintf(stderr, - "\nInnodb redo log crypto: generate " + "\nInnoDB redo log crypto: generate " "%u-byte random number as crypto msg failed.\n", PURPOSE_BYTE_LEN); abort(); @@ -59,7 +61,7 @@ log_init_crypt_msg_and_nonce(void) if (my_random_bytes(aes_ctr_nonce, MY_AES_BLOCK_SIZE) != AES_OK) { fprintf(stderr, - "\nInnodb redo log crypto: generate " + "\nInnoDB redo log crypto: generate " "%u-byte random number as AES_CTR nonce failed.\n", MY_AES_BLOCK_SIZE); abort(); @@ -78,7 +80,7 @@ log_init_crypt_key( { if (crypt_ver == UNENCRYPTED_KEY_VER) { - fprintf(stderr, "\nInnodb redo log crypto: unencrypted key ver.\n\n"); + fprintf(stderr, "\nInnoDB redo log crypto: unencrypted key ver.\n\n"); memset(key, 0, MY_AES_BLOCK_SIZE); return; } @@ -86,7 +88,7 @@ log_init_crypt_key( if (crypt_msg[PURPOSE_BYTE_OFFSET] != redo_log_purpose_byte) { fprintf(stderr, - "\nInnodb redo log crypto: msg type mismatched. " + "\nInnoDB redo log crypto: msg type mismatched. " "Expected: %x; Actual: %x\n", redo_log_purpose_byte, crypt_msg[PURPOSE_BYTE_OFFSET]); abort(); @@ -96,7 +98,7 @@ log_init_crypt_key( if (get_encryption_key(crypt_ver, mysqld_key, MY_AES_BLOCK_SIZE)) { fprintf(stderr, - "\nInnodb redo log crypto: getting mysqld crypto key " + "\nInnoDB redo log crypto: getting mysqld crypto key " "from key version failed.\n"); abort(); } @@ -112,7 +114,7 @@ log_init_crypt_key( if (rc != AES_OK || dst_len != MY_AES_BLOCK_SIZE) { fprintf(stderr, - "\nInnodb redo log crypto: getting redo log crypto key " + "\nInnoDB redo log crypto: getting redo log crypto key " "failed.\n"); abort(); } @@ -233,13 +235,35 @@ log_crypt_set_ver_and_key( uint& key_ver, /*!< out: latest key version */ byte* crypt_key) /*!< out: crypto key */ { - if (!srv_encrypt_log || - (key_ver = get_latest_encryption_key_version()) == UNENCRYPTED_KEY_VER) - { + bool encrypted; + + if (srv_encrypt_log) { + unsigned int vkey; + vkey = get_latest_encryption_key_version(); + encrypted = true; + + if (vkey == UNENCRYPTED_KEY_VER || + vkey == BAD_ENCRYPTION_KEY_VERSION || + vkey == (unsigned int)CRYPT_KEY_UNKNOWN) { + encrypted = false; + + fprintf(stderr, "\nInnoDB redo log crypto: Can't initialize to key version %du\n", + key_ver); + fprintf(stderr, "InnoDB: [Warning] Disabling redo log encryption\n"); + srv_encrypt_log = FALSE; + } else { + key_ver = vkey; + } + } else { + encrypted = false; + } + + if (!encrypted) { key_ver = UNENCRYPTED_KEY_VER; memset(crypt_key, 0, MY_AES_BLOCK_SIZE); return; } + log_init_crypt_key(redo_log_crypt_msg, key_ver, crypt_key); } diff --git a/storage/xtradb/log/log0crypt.cc b/storage/xtradb/log/log0crypt.cc index 17e1404777e..be2f77ebc72 100644 --- a/storage/xtradb/log/log0crypt.cc +++ b/storage/xtradb/log/log0crypt.cc @@ -7,11 +7,14 @@ Created 11/25/2013 Minli Zhu #include "m_string.h" #include "log0crypt.h" #include <my_crypt.h> +#include <my_aes.h> #include "log0log.h" #include "srv0start.h" // for srv_start_lsn #include "log0recv.h" // for recv_sys +#include "mysql/plugin_encryption_key_management.h" // for BAD_ENCRYPTION_KEY_VERSION + /* If true, enable redo log encryption. */ UNIV_INTERN my_bool srv_encrypt_log = FALSE; /* @@ -50,7 +53,7 @@ log_init_crypt_msg_and_nonce(void) if (my_random_bytes(redo_log_crypt_msg + 1, PURPOSE_BYTE_LEN) != AES_OK) { fprintf(stderr, - "\nInnodb redo log crypto: generate " + "\nInnoDB redo log crypto: generate " "%u-byte random number as crypto msg failed.\n", PURPOSE_BYTE_LEN); abort(); @@ -59,7 +62,7 @@ log_init_crypt_msg_and_nonce(void) if (my_random_bytes(aes_ctr_nonce, MY_AES_BLOCK_SIZE) != AES_OK) { fprintf(stderr, - "\nInnodb redo log crypto: generate " + "\nInnoDB redo log crypto: generate " "%u-byte random number as AES_CTR nonce failed.\n", MY_AES_BLOCK_SIZE); abort(); @@ -78,7 +81,7 @@ log_init_crypt_key( { if (crypt_ver == UNENCRYPTED_KEY_VER) { - fprintf(stderr, "\nInnodb redo log crypto: unencrypted key ver.\n\n"); + fprintf(stderr, "\nInnoDB redo log crypto: unencrypted key ver.\n\n"); memset(key, 0, MY_AES_BLOCK_SIZE); return; } @@ -86,7 +89,7 @@ log_init_crypt_key( if (crypt_msg[PURPOSE_BYTE_OFFSET] != redo_log_purpose_byte) { fprintf(stderr, - "\nInnodb redo log crypto: msg type mismatched. " + "\nInnoDB redo log crypto: msg type mismatched. " "Expected: %x; Actual: %x\n", redo_log_purpose_byte, crypt_msg[PURPOSE_BYTE_OFFSET]); abort(); @@ -96,7 +99,7 @@ log_init_crypt_key( if (get_encryption_key(crypt_ver, mysqld_key, MY_AES_BLOCK_SIZE)) { fprintf(stderr, - "\nInnodb redo log crypto: getting mysqld crypto key " + "\nInnoDB redo log crypto: getting mysqld crypto key " "from key version failed.\n"); abort(); } @@ -112,7 +115,7 @@ log_init_crypt_key( if (rc != AES_OK || dst_len != MY_AES_BLOCK_SIZE) { fprintf(stderr, - "\nInnodb redo log crypto: getting redo log crypto key " + "\nInnoDB redo log crypto: getting redo log crypto key " "failed.\n"); abort(); } @@ -233,13 +236,35 @@ log_crypt_set_ver_and_key( uint& key_ver, /*!< out: latest key version */ byte* crypt_key) /*!< out: crypto key */ { - if (!srv_encrypt_log || - (key_ver = get_latest_encryption_key_version()) == UNENCRYPTED_KEY_VER) - { + bool encrypted; + + if (srv_encrypt_log) { + unsigned int vkey; + vkey = get_latest_encryption_key_version(); + encrypted = true; + + if (vkey == UNENCRYPTED_KEY_VER || + vkey == BAD_ENCRYPTION_KEY_VERSION || + vkey == (unsigned int)CRYPT_KEY_UNKNOWN) { + encrypted = false; + + fprintf(stderr, "\nInnoDB redo log crypto: Can't initialize to key version %du\n", + key_ver); + fprintf(stderr, "InnoDB: [Warning] Disabling redo log encryption\n"); + srv_encrypt_log = FALSE; + } else { + key_ver = vkey; + } + } else { + encrypted = false; + } + + if (!encrypted) { key_ver = UNENCRYPTED_KEY_VER; memset(crypt_key, 0, MY_AES_BLOCK_SIZE); return; } + log_init_crypt_key(redo_log_crypt_msg, key_ver, crypt_key); } |