summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorkurt <dingweiqings@163.com>2022-09-21 11:29:07 +0800
committerDaniel Black <daniel@mariadb.org>2022-10-21 15:54:17 +1100
commite11661a4a2c0d50d78b86dac71a0e3d226f0ddcf (patch)
tree59671c09f467614638627f9c22670782f24d43e0
parent9de37e07de860fdbaade1de482692a9221fbcc98 (diff)
downloadmariadb-git-e11661a4a2c0d50d78b86dac71a0e3d226f0ddcf.tar.gz
MDEV-25343 Error log message not helpful when filekey is too long
Add a test related to the Encrypted Key File by following instructions in kb example https://mariadb.com/kb/en/file-key-management-encryption-plugin/#creating-the-key-file Reviewed by Daniel Black (with minor formatting and re-org of duplicate close(f) calls).
-rw-r--r--mysql-test/suite/encryption/r/filekeys_secret_openssl_rand_128bits.result17
-rw-r--r--mysql-test/suite/encryption/r/filekeys_secret_too_long.result10
-rw-r--r--mysql-test/suite/encryption/t/filekeys-data-too-long.key4
-rw-r--r--mysql-test/suite/encryption/t/filekeys_secret_openssl_rand_128bits.enc4
-rw-r--r--mysql-test/suite/encryption/t/filekeys_secret_openssl_rand_128bits.key1
-rw-r--r--mysql-test/suite/encryption/t/filekeys_secret_openssl_rand_128bits.opt3
-rw-r--r--mysql-test/suite/encryption/t/filekeys_secret_openssl_rand_128bits.test13
-rw-r--r--mysql-test/suite/encryption/t/filekeys_secret_too_long.opt3
-rw-r--r--mysql-test/suite/encryption/t/filekeys_secret_too_long.test4
-rw-r--r--plugin/file_key_management/parser.cc15
10 files changed, 71 insertions, 3 deletions
diff --git a/mysql-test/suite/encryption/r/filekeys_secret_openssl_rand_128bits.result b/mysql-test/suite/encryption/r/filekeys_secret_openssl_rand_128bits.result
new file mode 100644
index 00000000000..880245c7a09
--- /dev/null
+++ b/mysql-test/suite/encryption/r/filekeys_secret_openssl_rand_128bits.result
@@ -0,0 +1,17 @@
+create table t1(c1 bigint not null, b char(200)) engine=innodb encrypted=yes encryption_key_id=1;
+show create table t1;
+Table Create Table
+t1 CREATE TABLE `t1` (
+ `c1` bigint(20) NOT NULL,
+ `b` char(200) DEFAULT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci `encrypted`=yes `encryption_key_id`=1
+insert t1 values (12345, repeat('1234567890', 20));
+alter table t1 encryption_key_id=2;
+show create table t1;
+Table Create Table
+t1 CREATE TABLE `t1` (
+ `c1` bigint(20) NOT NULL,
+ `b` char(200) DEFAULT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci `encrypted`=yes `encryption_key_id`=2
+drop table t1;
+# Test checks if opening an too large secret does not crash the server.
diff --git a/mysql-test/suite/encryption/r/filekeys_secret_too_long.result b/mysql-test/suite/encryption/r/filekeys_secret_too_long.result
new file mode 100644
index 00000000000..bd11e8d925e
--- /dev/null
+++ b/mysql-test/suite/encryption/r/filekeys_secret_too_long.result
@@ -0,0 +1,10 @@
+call mtr.add_suppression("the filekey is too long");
+call mtr.add_suppression("Plugin 'file_key_management' init function returned error");
+call mtr.add_suppression("Plugin 'file_key_management' registration.*failed");
+FOUND 1 /the filekey is too long/ in mysqld.1.err
+create table t1(c1 bigint not null, b char(200)) engine=innodb encrypted=yes encryption_key_id=1;
+ERROR HY000: Can't create table `test`.`t1` (errno: 140 "Wrong create options")
+select plugin_status from information_schema.plugins
+where plugin_name = 'file_key_management';
+plugin_status
+# Test checks if opening an too large secret does not crash the server.
diff --git a/mysql-test/suite/encryption/t/filekeys-data-too-long.key b/mysql-test/suite/encryption/t/filekeys-data-too-long.key
new file mode 100644
index 00000000000..ba1624fb324
--- /dev/null
+++ b/mysql-test/suite/encryption/t/filekeys-data-too-long.key
@@ -0,0 +1,4 @@
+secretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecret
+secretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecret
+secretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecret
+
diff --git a/mysql-test/suite/encryption/t/filekeys_secret_openssl_rand_128bits.enc b/mysql-test/suite/encryption/t/filekeys_secret_openssl_rand_128bits.enc
new file mode 100644
index 00000000000..3257ff7d6de
--- /dev/null
+++ b/mysql-test/suite/encryption/t/filekeys_secret_openssl_rand_128bits.enc
@@ -0,0 +1,4 @@
+Salted__40-6L sK?p\am8N?q n<*g( |F/!
+ kok6y7t67D#g洄ʗԣiyu*i#ƈ82#6 .C8۝;7Bԣ
+0 /
+w0w"xԱQu04xkj{W΢3C5՜ ᔪP$=Ҳ \ No newline at end of file
diff --git a/mysql-test/suite/encryption/t/filekeys_secret_openssl_rand_128bits.key b/mysql-test/suite/encryption/t/filekeys_secret_openssl_rand_128bits.key
new file mode 100644
index 00000000000..bba639aeaac
--- /dev/null
+++ b/mysql-test/suite/encryption/t/filekeys_secret_openssl_rand_128bits.key
@@ -0,0 +1 @@
+c9518399cbec2b5edf773e06d1b934b90ec0f46ae455b8f1e001b5629ef31a513b83e676bf654c08ba98659461410e5e040e46237a7d50b40bd9bb90576f841275506e61523e5e9a0beb7641127ed2d946395b6fee7ff5263a9019cbe71bd907bf1ac6365940fa391086830a4e6c1d2972b99505467ef31cfb46d0cb7ab8f4f1
diff --git a/mysql-test/suite/encryption/t/filekeys_secret_openssl_rand_128bits.opt b/mysql-test/suite/encryption/t/filekeys_secret_openssl_rand_128bits.opt
new file mode 100644
index 00000000000..9dee47bb96f
--- /dev/null
+++ b/mysql-test/suite/encryption/t/filekeys_secret_openssl_rand_128bits.opt
@@ -0,0 +1,3 @@
+--loose-file-key-management-filekey=FILE:$MTR_SUITE_DIR/t/filekeys_secret_openssl_rand_128bits.key
+--loose-file-key-management-filename=$MTR_SUITE_DIR/t/filekeys_secret_openssl_rand_128bits.enc
+
diff --git a/mysql-test/suite/encryption/t/filekeys_secret_openssl_rand_128bits.test b/mysql-test/suite/encryption/t/filekeys_secret_openssl_rand_128bits.test
new file mode 100644
index 00000000000..60718d21a10
--- /dev/null
+++ b/mysql-test/suite/encryption/t/filekeys_secret_openssl_rand_128bits.test
@@ -0,0 +1,13 @@
+-- source include/have_innodb.inc
+-- source filekeys_plugin.inc
+
+create table t1(c1 bigint not null, b char(200)) engine=innodb encrypted=yes encryption_key_id=1;
+show create table t1;
+insert t1 values (12345, repeat('1234567890', 20));
+
+alter table t1 encryption_key_id=2;
+show create table t1;
+
+drop table t1;
+
+--echo # Test checks if opening an too large secret does not crash the server.
diff --git a/mysql-test/suite/encryption/t/filekeys_secret_too_long.opt b/mysql-test/suite/encryption/t/filekeys_secret_too_long.opt
new file mode 100644
index 00000000000..c3f95019f2a
--- /dev/null
+++ b/mysql-test/suite/encryption/t/filekeys_secret_too_long.opt
@@ -0,0 +1,3 @@
+--loose-file-key-management-filekey=FILE:$MTR_SUITE_DIR/t/filekeys-data-too-long.key
+--loose-file-key-management-filename=$MTR_SUITE_DIR/t/filekeys-data.enc
+
diff --git a/mysql-test/suite/encryption/t/filekeys_secret_too_long.test b/mysql-test/suite/encryption/t/filekeys_secret_too_long.test
new file mode 100644
index 00000000000..0032e94de37
--- /dev/null
+++ b/mysql-test/suite/encryption/t/filekeys_secret_too_long.test
@@ -0,0 +1,4 @@
+let SEARCH_PATTERN=the filekey is too long;
+source filekeys_badtest.inc;
+
+--echo # Test checks if opening an too large secret does not crash the server.
diff --git a/plugin/file_key_management/parser.cc b/plugin/file_key_management/parser.cc
index 5a9e5e55d63..ec1b528da24 100644
--- a/plugin/file_key_management/parser.cc
+++ b/plugin/file_key_management/parser.cc
@@ -170,19 +170,28 @@ bool Parser::read_filekey(const char *filekey, char *secret)
int f= open(filekey, O_RDONLY|O_BINARY);
if (f == -1)
{
- my_error(EE_FILENOTFOUND,ME_ERROR_LOG, filekey, errno);
+ my_error(EE_FILENOTFOUND, ME_ERROR_LOG, filekey, errno);
return 1;
}
- int len= read(f, secret, MAX_SECRET_SIZE);
+ int len= read(f, secret, MAX_SECRET_SIZE + 1);
if (len <= 0)
{
- my_error(EE_READ,ME_ERROR_LOG, filekey, errno);
+ my_error(EE_READ, ME_ERROR_LOG, filekey, errno);
close(f);
return 1;
}
close(f);
+
while (secret[len - 1] == '\r' || secret[len - 1] == '\n') len--;
+ if (len > MAX_SECRET_SIZE)
+ {
+ my_printf_error(EE_READ,
+ "Cannot read %s, the filekey is too long, "
+ "max secret size is %dB ",
+ ME_ERROR_LOG, filekey, MAX_SECRET_SIZE);
+ return 1;
+ }
secret[len]= '\0';
return 0;
}