author | Julius Goryavsky <julius.goryavsky@mariadb.com> | 2022-05-06 15:01:08 +0200 |
---|---|---|
committer | Julius Goryavsky <julius.goryavsky@mariadb.com> | 2022-05-09 07:55:41 +0200 |
commit | 2e14f2c889651d743164d6eb6598dae06e74cd7a (patch) | |
tree | c843981c24232de648e1c21a6185eb2340b09283 | |
parent | 94841ba656fb728c600aa9b13c79d4c5922b5d34 (diff) | |
download | mariadb-git-2e14f2c889651d743164d6eb6598dae06e74cd7a.tar.gz |
MDEV-28279: Hashicorp: Cannot migrate hexadecimal keys from file key management
This commit fixes a bug in the algorithm for converting hexadecimal
strings to binary key values, which leads to incompatibility with other
plugins and reduces the effective information capacity of the keys.
The new key conversion algorithm is incompatible with tables that
were already encrypted using an old plugin (plugin version less than or
equal to 1.05).
4 files changed, 100 insertions, 4 deletions
diff --git a/plugin/hashicorp_key_management/hashicorp_key_management_plugin.cc b/plugin/hashicorp_key_management/hashicorp_key_management_plugin.cc
index 33b434555a3..629cae09865 100644
--- a/plugin/hashicorp_key_management/hashicorp_key_management_plugin.cc
+++ b/plugin/hashicorp_key_management/hashicorp_key_management_plugin.cc
@@ -636,7 +636,7 @@ static inline int c2xdigit (int c)
 {
 if (c > 9)
 {
- c -= 'A' - '0';
+ c -= 'A' - '0' - 10;
 if (c > 15)
 {
 c -= 'a' - 'A';
@@ -1380,10 +1380,10 @@ maria_declare_plugin(hashicorp_key_management)
 PLUGIN_LICENSE_GPL,
 hashicorp_key_management_plugin_init,
 hashicorp_key_management_plugin_deinit,
- 0x0105 /* 1.05 */,
+ 0x0200 /* 2.0 */,
 NULL, /* status variables */
 settings,
- "1.05",
+ "2.0",
 MariaDB_PLUGIN_MATURITY_STABLE
 }
 maria_declare_plugin_end;
diff --git a/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_key_migration.result b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_key_migration.result
new file mode 100644
index 00000000000..e2cc0452958
--- /dev/null
+++ b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_key_migration.result
@@ -0,0 +1,39 @@
+# restart: with restart_parameters
+CREATE TABLE t1 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=1;
+INSERT INTO t1 VALUES ('foo'),('bar');
+SELECT * FROM t1;
+a
+foo
+bar
+# restart: with restart_parameters
+CREATE TABLE t2 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=1;
+INSERT INTO t2 VALUES ('baz'),('qux');
+SELECT * FROM t2;
+a
+baz
+qux
+#
+# This should not fail, but it does if the bug is not fixed
+#
+SELECT * FROM t1;
+a
+foo
+bar
+SHOW WARNINGS;
+Level Code Message
+# restart: with restart_parameters
+SELECT * FROM t1;
+a
+foo
+bar
+#
+# This should not fail, but it does if the bug is not fixed
+#
+SELECT * FROM t2;
+a
+baz
+qux
+SHOW WARNINGS;
+Level Code Message
+DROP TABLE t1, t2;
+# restart
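Review bot: c2xdigit in hashicorp_key_management_plugin.cc still turns any argument outside the three hex ranges into some number without signalling it (the values between `'9' - '0'` and `'A' - '0'`, for instance, come out as 3..9), so the decoded key is only correct if the caller has already rejected non-hex characters; that caller is not visible in this hunk. A precondition comment above the function would make the dependency explicit, e.g. `/* c must be (ch - '0') for a ch that passed isxdigit(); any other value yields a meaningless result */`. Because the corrected mapping changes the binary key derived from every hex string that contains A-F or a-f, a second comment recording that versions up to 1.05 decoded those digits as 0..5 would help whoever later has to diagnose a table that no longer decrypts, or decide which keys deserve rotation. The function body continues past the end of the hunk.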
diff --git a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_init.inc b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_init.inc
index 91f5e1db843..172c1d87935 100644
--- a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_init.inc
+++ b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_init.inc
@@ -1,7 +1,7 @@
 --exec vault secrets disable mariadbtest > /dev/null
 --exec vault secrets enable -path /mariadbtest -version=2 kv > /dev/null
 --exec vault kv put /mariadbtest/1 data="123456789ABCDEF0123456789ABCDEF0" > /dev/null
---exec vault kv put /mariadbtest/2 data="23456789ABCDEF0123456789ABCDEF01" > /dev/null
+--exec vault kv put /mariadbtest/2 data="23456789ABCDEF0123456789ABCDef01" > /dev/null
 --exec vault kv put /mariadbtest/3 data="00000000000000000000000000000000" > /dev/null
 --exec vault kv put /mariadbtest/3 data="00000000000000000000000000000001" > /dev/null
 --exec vault kv put /mariadbtest/4 data="456789ABCDEF0123456789ABCDEF0123" > /dev/null
diff --git a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_key_migration.test b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_key_migration.test
new file mode 100644
index 00000000000..2e67c2cc639
--- /dev/null
+++ b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_key_migration.test
@@ -0,0 +1,57 @@
+# MDEV-28279: Cannot migrate hexadecimal keys from file key management
+
+# The test presumes that the local vault is running at $VAULT_ADDR,
+# and the token is configured in $VAULT_TOKEN.
+
+--source include/have_innodb.inc
+--source hashicorp_plugin.inc
+
+--let $my_key=012345678901234567890123456789aB
+--exec echo "1;$my_key" > $MYSQL_TMP_DIR/mykeys.txt
+--let $restart_parameters=--plugin-load-add=file_key_management --loose-file-key-management-filename=$MYSQL_TMP_DIR/mykeys.txt --hashicorp-key-management=off
+--let $restart_noprint=1
+--source include/restart_mysqld.inc
+
+if (`SELECT COUNT(*)=0 FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME = 'file_key_management' AND PLUGIN_STATUS='ACTIVE'`)
+{
+ --skip Test requires file_key_management plugin
+}
+
+CREATE TABLE t1 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=1;
+INSERT INTO t1 VALUES ('foo'),('bar');
+SELECT * FROM t1;
+
+--exec vault secrets disable bug > /dev/null
+--exec vault secrets enable -path /bug -version=2 kv > /dev/null
+--exec vault kv put /bug/1 data=$my_key > /dev/null
+--let $restart_parameters=--plugin-load-add=hashicorp_key_management --hashicorp-key-management-vault-url="$VAULT_ADDR/v1/bug/" --hashicorp-key-management-token="$VAULT_TOKEN"
+--source include/restart_mysqld.inc
+
+CREATE TABLE t2 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=1;
+INSERT INTO t2 VALUES ('baz'),('qux');
+SELECT * FROM t2;
+--echo #
+--echo # This should not fail, but it does if the bug is not fixed
+--echo #
+--error 0,1932,1877
+SELECT * FROM t1;
+SHOW WARNINGS;
+
+--let $restart_parameters=--plugin-load-add=file_key_management --file-key-management-filename=$MYSQL_TMP_DIR/mykeys.txt --hashicorp-key-management=off
+--source include/restart_mysqld.inc
+
+SELECT * FROM t1;
+--echo #
+--echo # This should not fail, but it does if the bug is not fixed
+--echo #
+--error 0,1932,1877
+SELECT * FROM t2;
+SHOW WARNINGS;
+
+# Cleanup
+DROP TABLE t1, t2;
+
+--exec vault secrets disable bug > /dev/null
+
+--let $restart_parameters=
+--source include/restart_mysqld.inc
|
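Review bot: The cleanup block at the end of hashicorp_key_migration.test drops the tables and disables the `bug` mount but leaves `$MYSQL_TMP_DIR/mykeys.txt`, the key file written near the top, on disk; adding `--remove_file $MYSQL_TMP_DIR/mykeys.txt` after the final restart would keep a key file from lingering in the shared temp directory for later tests. Separately, `--error 0,1932,1877` in front of both cross-plugin `SELECT`s accepts failure as well as success, so a regression is presumably caught only through the comparison with the recorded .result file. If that is intended, a `#` comment saying so would help the next reader; otherwise dropping the `--error` line lets the statement fail directly.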