authorSergei Golubchik <serg@mariadb.org>2015-01-05 13:36:14 +0100
committerSergei Golubchik <serg@mariadb.org>2015-02-10 10:21:17 +0100
commitcf8bf0b68e1c4281535813d4087680296138271c (patch)
tree6215215741e5ff9cebc7b7ec83168f396b735882
parentc8997c39b4fac47eb580ea31f97a421bfc399e28 (diff)
encryption key management plugin api
-rw-r--r--cmake/abi_check.cmake1
-rw-r--r--include/my_crypt_key_management.h62
-rw-r--r--include/mysql/plugin.h4
-rw-r--r--include/mysql/plugin_encryption_key_management.h73
-rw-r--r--include/mysql/plugin_encryption_key_management.h.pp364
-rw-r--r--libmysqld/CMakeLists.txt2
-rw-r--r--mysql-test/include/have_example_key_management_plugin.inc5
-rw-r--r--mysql-test/include/have_example_key_management_plugin.opt2
-rw-r--r--mysql-test/include/have_file_key_management_plugin.inc5
-rw-r--r--mysql-test/include/have_file_key_management_plugin.opt4
-rw-r--r--mysql-test/std_data/keys.txt (renamed from mysql-test/suite/innodb/include/keys.txt)0
-rw-r--r--mysql-test/suite/innodb/t/innodb-page_encryption-32k-master.opt4
-rw-r--r--mysql-test/suite/innodb/t/innodb-page_encryption-32k.opt2
-rw-r--r--mysql-test/suite/innodb/t/innodb-page_encryption.opt3
-rw-r--r--mysql-test/suite/innodb/t/innodb-page_encryption.test1
-rw-r--r--mysql-test/suite/innodb/t/innodb-page_encryption_compression.opt3
-rw-r--r--mysql-test/suite/innodb/t/innodb-page_encryption_compression.test1
-rw-r--r--mysql-test/suite/innodb/t/innodb_encryption.opt7
-rw-r--r--mysql-test/suite/innodb/t/innodb_encryption.test1
-rw-r--r--mysql-test/suite/innodb/t/innodb_scrub.opt11
-rw-r--r--mysql-test/suite/innodb/t/innodb_scrub.test1
-rw-r--r--mysql-test/suite/innodb/t/innodb_scrub_background.opt21
-rw-r--r--mysql-test/suite/innodb/t/innodb_scrub_background.test1
-rw-r--r--mysql-test/suite/innodb/t/innodb_scrub_compressed.opt24
-rw-r--r--mysql-test/suite/innodb/t/innodb_scrub_compressed.test1
-rw-r--r--mysql-test/suite/plugins/r/show_all_plugins.result3
-rw-r--r--mysys/my_thr_init.c7
-rw-r--r--mysys_ssl/CMakeLists.txt2
-rw-r--r--mysys_ssl/my_crypt_key_management.cc110
-rw-r--r--mysys_ssl/my_crypt_key_management_impl.cc34
-rw-r--r--plugin/example_key_management_plugin/CMakeLists.txt3
-rw-r--r--plugin/example_key_management_plugin/example_key_management_plugin.cc31
-rw-r--r--plugin/file_key_management_plugin/CMakeLists.txt2
-rw-r--r--plugin/file_key_management_plugin/file_key_management_plugin.cc26
-rw-r--r--sql/CMakeLists.txt2
-rw-r--r--sql/encryption_keys.cc110
-rw-r--r--sql/sql_plugin.cc21
-rw-r--r--sql/sys_vars.cc7
-rw-r--r--storage/innobase/fil/fil0crypt.cc20
-rw-r--r--storage/innobase/fil/fil0fil.cc2
-rw-r--r--storage/innobase/handler/ha_innodb.cc2
-rw-r--r--storage/innobase/include/fsp0pageencryption.ic6
-rw-r--r--storage/innobase/include/log0crypt.h2
-rw-r--r--storage/innobase/log/log0crypt.cc6
-rw-r--r--storage/xtradb/fil/fil0crypt.cc20
-rw-r--r--storage/xtradb/fil/fil0fil.cc2
-rw-r--r--storage/xtradb/handler/ha_innodb.cc2
-rw-r--r--storage/xtradb/include/fsp0pageencryption.ic9
-rw-r--r--storage/xtradb/include/log0crypt.h2
-rw-r--r--storage/xtradb/log/log0crypt.cc6
50 files changed, 696 insertions, 344 deletions
diff --git a/cmake/abi_check.cmake b/cmake/abi_check.cmake
index b6e630eeb37..aff6c437c3b 100644
--- a/cmake/abi_check.cmake
+++ b/cmake/abi_check.cmake
@@ -44,6 +44,7 @@ IF(CMAKE_COMPILER_IS_GNUCC AND RUN_ABI_CHECK)
${CMAKE_SOURCE_DIR}/include/mysql/client_plugin.h
${CMAKE_SOURCE_DIR}/include/mysql/plugin_auth.h
${CMAKE_SOURCE_DIR}/include/mysql/plugin_password_validation.h
+ ${CMAKE_SOURCE_DIR}/include/mysql/plugin_encryption_key_management.h
)
ADD_CUSTOM_TARGET(abi_check ALL
diff --git a/include/my_crypt_key_management.h b/include/my_crypt_key_management.h
index 3da0ab2b90e..1d144ced55c 100644
--- a/include/my_crypt_key_management.h
+++ b/include/my_crypt_key_management.h
@@ -1,6 +1,6 @@
-#ifndef MYSYS_MY_CRYPT_KEY_MANAGMENT_H_
-#define MYSYS_MY_CRYPT_KEY_MANAGMENT_H_
+#ifndef INCLUDE_MY_CRYPT_KEY_MANAGMENT_INCLUDED
+#define INCLUDE_MY_CRYPT_KEY_MANAGMENT_INCLUDED
#include "my_global.h"
#include "my_pthread.h"
@@ -18,63 +18,17 @@ extern uint opt_debug_encryption_key_version;
#endif /* DBUG_OFF */
C_MODE_START
-/**
- * function returning latest key version
- */
-typedef int (* GetLatestCryptoKeyVersionFunc_t)();
-
-/**
- * function returning if the key exists
- */
-typedef unsigned int (* HasKeyVersionFunc_t)(unsigned int version);
-
-/**
- * function returning the key size
- */
-typedef int (* GetKeySizeFunc_t)(unsigned int version);
-
-/**
- * function returning a key for a key version
- */
-typedef int (* GetCryptoKeyFunc_t)(unsigned int version,
- unsigned char* key,
- unsigned keybufsize);
-
-/**
- * function returning an iv for a key version
- */
-typedef int (* GetCryptoIVFunc_t)(unsigned int version,
- unsigned char* iv,
- unsigned ivbufsize);
-
-
-struct CryptoKeyFuncs_t
-{
- GetLatestCryptoKeyVersionFunc_t getLatestCryptoKeyVersionFunc;
- HasKeyVersionFunc_t hasCryptoKeyFunc;
- GetKeySizeFunc_t getCryptoKeySize;
- GetCryptoKeyFunc_t getCryptoKeyFunc;
- GetCryptoIVFunc_t getCryptoIVFunc;
-};
-
-/**
- * Install functions to use for key management
- */
-void
-InstallCryptoKeyFunctions(const struct CryptoKeyFuncs_t* cryptoKeyFuncs);
/**
* Functions to interact with key management
*/
-int GetLatestCryptoKeyVersion();
-unsigned int HasCryptoKey(unsigned int version);
-int GetCryptoKeySize(unsigned int version);
-int GetCryptoKey(unsigned int version, unsigned char* key_buffer,
- unsigned int size);
-int GetCryptoIV(unsigned int version, unsigned char* key_buffer,
- unsigned int size);
+uint get_latest_encryption_key_version();
+uint has_encryption_key(uint version);
+uint get_encryption_key_size(uint version);
+int get_encryption_key(uint version, uchar* key, uint size);
+int get_encryption_iv(uint version, uchar* iv, uint size);
C_MODE_END
-#endif // MYSYS_MY_CRYPT_KEY_MANAGMENT_H_
+#endif // INCLUDE_MY_CRYPT_KEY_MANAGMENT_INCLUDED
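Review bot: The five new declarations (`get_latest_encryption_key_version` through `get_encryption_iv`) are documented only by the one-line "Functions to interact with key management" comment, although this hunk changes their error convention. The latest-version and key-size calls went from `int` to `uint`, so a caller that tested the old result with `< 0` can no longer see a failure; the callers are outside this hunk and need checking. I would state each return contract here, e.g. `/** @return latest key version, or BAD_ENCRYPTION_KEY_VERSION on error */` above the first and `/** @return 0 on success, non-zero on failure; writes at most size bytes into key */` above `get_encryption_key`. Because the block sits inside `C_MODE_START`, the empty parameter list should also be spelled `uint get_latest_encryption_key_version(void);`.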
diff --git a/include/mysql/plugin.h b/include/mysql/plugin.h
index df74be0209d..4a27527b565 100644
--- a/include/mysql/plugin.h
+++ b/include/mysql/plugin.h
@@ -88,11 +88,11 @@ typedef struct st_mysql_xid MYSQL_XID;
#define MYSQL_AUDIT_PLUGIN 5
#define MYSQL_REPLICATION_PLUGIN 6
#define MYSQL_AUTHENTICATION_PLUGIN 7
-#define MYSQL_KEY_MANAGEMENT_PLUGIN 9
#define MYSQL_MAX_PLUGIN_TYPE_NUM 10 /* The number of plugin types */
/* MariaDB plugin types */
-#define MariaDB_PASSWORD_VALIDATION_PLUGIN 8
+#define MariaDB_PASSWORD_VALIDATION_PLUGIN 8
+#define MariaDB_ENCRYPTION_KEY_MANAGEMENT_PLUGIN 9
/* We use the following strings to define licenses for plugins */
#define PLUGIN_LICENSE_PROPRIETARY 0
diff --git a/include/mysql/plugin_encryption_key_management.h b/include/mysql/plugin_encryption_key_management.h
new file mode 100644
index 00000000000..1ba4659196f
--- /dev/null
+++ b/include/mysql/plugin_encryption_key_management.h
@@ -0,0 +1,73 @@
+#ifndef MYSQL_PLUGIN_ENCRYPTION_KEY_MANAGEMENT_INCLUDED
+/* Copyright (C) 2014 Sergei Golubchik and MariaDB
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
+
+/**
+ @file
+
+ Encryption key Management Plugin API.
+
+ This file defines the API for server plugins that manage encryption
+ keys for MariaDB on-disk data encryption.
+*/
+
+#define MYSQL_PLUGIN_ENCRYPTION_KEY_MANAGEMENT_INCLUDED
+
+#include <mysql/plugin.h>
+
+#define MariaDB_ENCRYPTION_KEY_MANAGEMENT_INTERFACE_VERSION 0x0100
+
+#define BAD_ENCRYPTION_KEY_VERSION (~0U)
+
+/**
+ Encryption key management plugin descriptor
+*/
+struct st_mariadb_encryption_key_management
+{
+ int interface_version; /**< version plugin uses */
+
+ /**
+ function returning latest key version.
+
+ @return a version or BAD_ENCRYPTION_KEY_VERSION to indicate an error.
+ */
+ unsigned int (*get_latest_key_version)();
+
+ /** function returning if a key of the given version exists */
+ unsigned int (*has_key_version)(unsigned int version);
+
+ /** function returning the key size in bytes */
+ unsigned int (*get_key_size)(unsigned int version);
+
+ /**
+ function returning a key for a key version
+
+ the key is put in 'key' buffer, that has size of 'keybufsize' bytes.
+
+ @return 0 on success, non-zero on failure
+ */
+ int (*get_key)(unsigned int version, unsigned char* key, unsigned int keybufsize);
+
+ /**
+ function returning an IV for a key version
+
+ the IV is put in 'iv' buffer, that has size of 'ivbufsize' bytes.
+
+ @return 0 on success, non-zero on failure
+ */
+ int (*get_iv)(unsigned int version, unsigned char* iv, unsigned int ivbufsize);
+};
+#endif
+
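Review bot: The doc comments on `get_key` and `get_iv` do not say what a plugin must do when `keybufsize` or `ivbufsize` is smaller than the key or IV, and `get_key_size` documents no error value for a version that does not exist. For an interface that third-party plugins implement, both an out-of-bounds write into the server's buffer and a silently truncated key are therefore permitted by the contract as written. I would extend the `@return` lines to something like `@return 0 on success, non-zero on failure, including a buffer that is too small; never writes more than keybufsize bytes`, and say what `get_key_size` returns for an unknown version. The struct also has no member that reports the IV length, so the caller has to assume one. Finally, `(*get_latest_key_version)()` should be `(*get_latest_key_version)(void)` so that plugins written in C get a real prototype.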
diff --git a/include/mysql/plugin_encryption_key_management.h.pp b/include/mysql/plugin_encryption_key_management.h.pp
new file mode 100644
index 00000000000..07f238d6c0d
--- /dev/null
+++ b/include/mysql/plugin_encryption_key_management.h.pp
@@ -0,0 +1,364 @@
+#include <mysql/plugin.h>
+typedef char my_bool;
+typedef void * MYSQL_PLUGIN;
+#include <mysql/services.h>
+#include <mysql/service_my_snprintf.h>
+extern struct my_snprintf_service_st {
+ size_t (*my_snprintf_type)(char*, size_t, const char*, ...);
+ size_t (*my_vsnprintf_type)(char *, size_t, const char*, va_list);
+} *my_snprintf_service;
+size_t my_snprintf(char* to, size_t n, const char* fmt, ...);
+size_t my_vsnprintf(char *to, size_t n, const char* fmt, va_list ap);
+#include <mysql/service_thd_alloc.h>
+struct st_mysql_lex_string
+{
+ char *str;
+ size_t length;
+};
+typedef struct st_mysql_lex_string MYSQL_LEX_STRING;
+extern struct thd_alloc_service_st {
+ void *(*thd_alloc_func)(void*, unsigned int);
+ void *(*thd_calloc_func)(void*, unsigned int);
+ char *(*thd_strdup_func)(void*, const char *);
+ char *(*thd_strmake_func)(void*, const char *, unsigned int);
+ void *(*thd_memdup_func)(void*, const void*, unsigned int);
+ MYSQL_LEX_STRING *(*thd_make_lex_string_func)(void*, MYSQL_LEX_STRING *,
+ const char *, unsigned int, int);
+} *thd_alloc_service;
+void *thd_alloc(void* thd, unsigned int size);
+void *thd_calloc(void* thd, unsigned int size);
+char *thd_strdup(void* thd, const char *str);
+char *thd_strmake(void* thd, const char *str, unsigned int size);
+void *thd_memdup(void* thd, const void* str, unsigned int size);
+MYSQL_LEX_STRING *thd_make_lex_string(void* thd, MYSQL_LEX_STRING *lex_str,
+ const char *str, unsigned int size,
+ int allocate_lex_string);
+#include <mysql/service_thd_wait.h>
+typedef enum _thd_wait_type_e {
+ THD_WAIT_SLEEP= 1,
+ THD_WAIT_DISKIO= 2,
+ THD_WAIT_ROW_LOCK= 3,
+ THD_WAIT_GLOBAL_LOCK= 4,
+ THD_WAIT_META_DATA_LOCK= 5,
+ THD_WAIT_TABLE_LOCK= 6,
+ THD_WAIT_USER_LOCK= 7,
+ THD_WAIT_BINLOG= 8,
+ THD_WAIT_GROUP_COMMIT= 9,
+ THD_WAIT_SYNC= 10,
+ THD_WAIT_NET= 11,
+ THD_WAIT_LAST= 12
+} thd_wait_type;
+extern struct thd_wait_service_st {
+ void (*thd_wait_begin_func)(void*, int);
+ void (*thd_wait_end_func)(void*);
+} *thd_wait_service;
+void thd_wait_begin(void* thd, int wait_type);
+void thd_wait_end(void* thd);
+#include <mysql/service_progress_report.h>
+extern struct progress_report_service_st {
+ void (*thd_progress_init_func)(void* thd, unsigned int max_stage);
+ void (*thd_progress_report_func)(void* thd,
+ unsigned long long progress,
+ unsigned long long max_progress);
+ void (*thd_progress_next_stage_func)(void* thd);
+ void (*thd_progress_end_func)(void* thd);
+ const char *(*set_thd_proc_info_func)(void*, const char *info,
+ const char *func,
+ const char *file,
+ unsigned int line);
+} *progress_report_service;
+void thd_progress_init(void* thd, unsigned int max_stage);
+void thd_progress_report(void* thd,
+ unsigned long long progress,
+ unsigned long long max_progress);
+void thd_progress_next_stage(void* thd);
+void thd_progress_end(void* thd);
+const char *set_thd_proc_info(void*, const char * info, const char *func,
+ const char *file, unsigned int line);
+#include <mysql/service_debug_sync.h>
+extern void (*debug_sync_C_callback_ptr)(void*, const char *, size_t);
+#include <mysql/service_kill_statement.h>
+enum thd_kill_levels {
+ THD_IS_NOT_KILLED=0,
+ THD_ABORT_SOFTLY=50,
+ THD_ABORT_ASAP=100,
+};
+extern struct kill_statement_service_st {
+ enum thd_kill_levels (*thd_kill_level_func)(const void*);
+} *thd_kill_statement_service;
+enum thd_kill_levels thd_kill_level(const void*);
+#include <mysql/service_thd_timezone.h>
+#include "mysql_time.h"
+typedef long my_time_t;
+enum enum_mysql_timestamp_type
+{
+ MYSQL_TIMESTAMP_NONE= -2, MYSQL_TIMESTAMP_ERROR= -1,
+ MYSQL_TIMESTAMP_DATE= 0, MYSQL_TIMESTAMP_DATETIME= 1, MYSQL_TIMESTAMP_TIME= 2
+};
+typedef struct st_mysql_time
+{
+ unsigned int year, month, day, hour, minute, second;
+ unsigned long second_part;
+ my_bool neg;
+ enum enum_mysql_timestamp_type time_type;
+} MYSQL_TIME;
+extern struct thd_timezone_service_st {
+ my_time_t (*thd_TIME_to_gmt_sec)(void* thd, const MYSQL_TIME *ltime, unsigned int *errcode);
+ void (*thd_gmt_sec_to_TIME)(void* thd, MYSQL_TIME *ltime, my_time_t t);
+} *thd_timezone_service;
+my_time_t thd_TIME_to_gmt_sec(void* thd, const MYSQL_TIME *ltime, unsigned int *errcode);
+void thd_gmt_sec_to_TIME(void* thd, MYSQL_TIME *ltime, my_time_t t);
+#include <mysql/service_sha1.h>
+extern struct my_sha1_service_st {
+ void (*my_sha1_type)(unsigned char*, const char*, size_t);
+ void (*my_sha1_multi_type)(unsigned char*, ...);
+ size_t (*my_sha1_context_size_type)();
+ void (*my_sha1_init_type)(void *);
+ void (*my_sha1_input_type)(void *, const unsigned char *, size_t);
+ void (*my_sha1_result_type)(void *, unsigned char *);
+} *my_sha1_service;
+void my_sha1(unsigned char*, const char*, size_t);
+void my_sha1_multi(unsigned char*, ...);
+size_t my_sha1_context_size();
+void my_sha1_init(void *context);
+void my_sha1_input(void *context, const unsigned char *buf, size_t len);
+void my_sha1_result(void *context, unsigned char *digest);
+#include <mysql/service_md5.h>
+extern struct my_md5_service_st {
+ void (*my_md5_type)(unsigned char*, const char*, size_t);
+ void (*my_md5_multi_type)(unsigned char*, ...);
+ size_t (*my_md5_context_size_type)();
+ void (*my_md5_init_type)(void *);
+ void (*my_md5_input_type)(void *, const unsigned char *, size_t);
+ void (*my_md5_result_type)(void *, unsigned char *);
+} *my_md5_service;
+void my_md5(unsigned char*, const char*, size_t);
+void my_md5_multi(unsigned char*, ...);
+size_t my_md5_context_size();
+void my_md5_init(void *context);
+void my_md5_input(void *context, const unsigned char *buf, size_t len);
+void my_md5_result(void *context, unsigned char *digest);
+#include <mysql/service_logger.h>
+typedef struct logger_handle_st LOGGER_HANDLE;
+extern struct logger_service_st {
+ void (*logger_init_mutexes)();
+ LOGGER_HANDLE* (*open)(const char *path,
+ unsigned long long size_limit,
+ unsigned int rotations);
+ int (*close)(LOGGER_HANDLE *log);
+ int (*vprintf)(LOGGER_HANDLE *log, const char *fmt, va_list argptr);
+ int (*printf)(LOGGER_HANDLE *log, const char *fmt, ...);
+ int (*write)(LOGGER_HANDLE *log, const char *buffer, size_t size);
+ int (*rotate)(LOGGER_HANDLE *log);
+} *logger_service;
+ void logger_init_mutexes();
+ LOGGER_HANDLE *logger_open(const char *path,
+ unsigned long long size_limit,
+ unsigned int rotations);
+ int logger_close(LOGGER_HANDLE *log);
+ int logger_vprintf(LOGGER_HANDLE *log, const char *fmt, va_list argptr);
+ int logger_printf(LOGGER_HANDLE *log, const char *fmt, ...);
+ int logger_write(LOGGER_HANDLE *log, const char *buffer, size_t size);
+ int logger_rotate(LOGGER_HANDLE *log);
+#include <mysql/service_thd_autoinc.h>
+extern struct thd_autoinc_service_st {
+ void (*thd_get_autoinc_func)(const void* thd,
+ unsigned long* off, unsigned long* inc);
+} *thd_autoinc_service;
+void thd_get_autoinc(const void* thd,
+ unsigned long* off, unsigned long* inc);
+#include <mysql/service_thd_error_context.h>
+extern struct thd_error_context_service_st {
+ const char *(*thd_get_error_message_func)(const void* thd);
+ unsigned int (*thd_get_error_number_func)(const void* thd);
+ unsigned long (*thd_get_error_row_func)(const void* thd);
+ void (*thd_inc_error_row_func)(void* thd);
+ char *(*thd_get_error_context_description_func)(void* thd,
+ char *buffer,
+ unsigned int length,
+ unsigned int max_query_length);
+} *thd_error_context_service;
+const char *thd_get_error_message(const void* thd);
+unsigned int thd_get_error_number(const void* thd);
+unsigned long thd_get_error_row(const void* thd);
+void thd_inc_error_row(void* thd);
+char *thd_get_error_context_description(void* thd,
+ char *buffer, unsigned int length,
+ unsigned int max_query_length);
+#include <mysql/service_thd_specifics.h>
+typedef int MYSQL_THD_KEY_T;
+extern struct thd_specifics_service_st {
+ int (*thd_key_create_func)(MYSQL_THD_KEY_T *key);
+ void (*thd_key_delete_func)(MYSQL_THD_KEY_T *key);
+ void *(*thd_getspecific_func)(void* thd, MYSQL_THD_KEY_T key);
+ int (*thd_setspecific_func)(void* thd, MYSQL_THD_KEY_T key, void *value);
+} *thd_specifics_service;
+int thd_key_create(MYSQL_THD_KEY_T *key);
+void thd_key_delete(MYSQL_THD_KEY_T *key);
+void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
+int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
+struct st_mysql_xid {
+ long formatID;
+ long gtrid_length;
+ long bqual_length;
+ char data[128];
+};
+typedef struct st_mysql_xid MYSQL_XID;
+enum enum_mysql_show_type
+{
+ SHOW_UNDEF, SHOW_BOOL, SHOW_UINT, SHOW_ULONG,
+ SHOW_ULONGLONG, SHOW_CHAR, SHOW_CHAR_PTR,
+ SHOW_ARRAY, SHOW_FUNC, SHOW_DOUBLE,
+ SHOW_SINT, SHOW_SLONG, SHOW_SLONGLONG, SHOW_SIMPLE_FUNC,
+ SHOW_always_last
+};
+enum enum_var_type
+{
+ SHOW_OPT_DEFAULT= 0, SHOW_OPT_SESSION, SHOW_OPT_GLOBAL
+};
+struct st_mysql_show_var {
+ const char *name;
+ char *value;
+ enum enum_mysql_show_type type;
+};
+typedef int (*mysql_show_var_func)(void*, struct st_mysql_show_var*, char *, enum enum_var_type);
+struct st_mysql_sys_var;
+struct st_mysql_value;
+typedef int (*mysql_var_check_func)(void* thd,
+ struct st_mysql_sys_var *var,
+ void *save, struct st_mysql_value *value);
+typedef void (*mysql_var_update_func)(void* thd,
+ struct st_mysql_sys_var *var,
+ void *var_ptr, const void *save);
+struct st_mysql_plugin
+{
+ int type;
+ void *info;
+ const char *name;
+ const char *author;
+ const char *descr;
+ int license;
+ int (*init)(void *);
+ int (*deinit)(void *);
+ unsigned int version;
+ struct st_mysql_show_var *status_vars;
+ struct st_mysql_sys_var **system_vars;
+ void * __reserved1;
+ unsigned long flags;
+};
+struct st_maria_plugin
+{
+ int type;
+ void *info;
+ const char *name;
+ const char *author;
+ const char *descr;
+ int license;
+ int (*init)(void *);
+ int (*deinit)(void *);
+ unsigned int version;
+ struct st_mysql_show_var *status_vars;
+ struct st_mysql_sys_var **system_vars;
+ const char *version_info;
+ unsigned int maturity;
+};
+#include "plugin_ftparser.h"
+#include "plugin.h"
+enum enum_ftparser_mode
+{
+ MYSQL_FTPARSER_SIMPLE_MODE= 0,
+ MYSQL_FTPARSER_WITH_STOPWORDS= 1,
+ MYSQL_FTPARSER_FULL_BOOLEAN_INFO= 2
+};
+enum enum_ft_token_type
+{
+ FT_TOKEN_EOF= 0,
+ FT_TOKEN_WORD= 1,
+ FT_TOKEN_LEFT_PAREN= 2,
+ FT_TOKEN_RIGHT_PAREN= 3,
+ FT_TOKEN_STOPWORD= 4
+};
+typedef struct st_mysql_ftparser_boolean_info
+{
+ enum enum_ft_token_type type;
+ int yesno;
+ int weight_adjust;
+ char wasign;
+ char trunc;
+ char prev;
+ char *quot;
+} MYSQL_FTPARSER_BOOLEAN_INFO;
+typedef struct st_mysql_ftparser_param
+{
+ int (*mysql_parse)(struct st_mysql_ftparser_param *,
+ const char *doc, int doc_len);
+ int (*mysql_add_word)(struct st_mysql_ftparser_param *,
+ const char *word, int word_len,
+ MYSQL_FTPARSER_BOOLEAN_INFO *boolean_info);
+ void *ftparser_state;
+ void *mysql_ftparam;
+ const struct charset_info_st *cs;
+ const char *doc;
+ int length;
+ unsigned int flags;
+ enum enum_ftparser_mode mode;
+} MYSQL_FTPARSER_PARAM;
+struct st_mysql_ftparser
+{
+ int interface_version;
+ int (*parse)(MYSQL_FTPARSER_PARAM *param);
+ int (*init)(MYSQL_FTPARSER_PARAM *param);
+ int (*deinit)(MYSQL_FTPARSER_PARAM *param);
+};
+struct st_mysql_daemon
+{
+ int interface_version;
+};
+struct st_mysql_information_schema
+{
+ int interface_version;
+};
+struct st_mysql_storage_engine
+{
+ int interface_version;
+};
+struct handlerton;
+ struct Mysql_replication {
+ int interface_version;
+ };
+struct st_mysql_value
+{
+ int (*value_type)(struct st_mysql_value *);
+ const char *(*val_str)(struct st_mysql_value *, char *buffer, int *length);
+ int (*val_real)(struct st_mysql_value *, double *realbuf);
+ int (*val_int)(struct st_mysql_value *, long long *intbuf);
+ int (*is_unsigned)(struct st_mysql_value *);
+};
+int thd_in_lock_tables(const void* thd);
+int thd_tablespace_op(const void* thd);
+long long thd_test_options(const void* thd, long long test_options);
+int thd_sql_command(const void* thd);
+void **thd_ha_data(const void* thd, const struct handlerton *hton);
+void thd_storage_lock_wait(void* thd, long long value);
+int thd_tx_isolation(const void* thd);
+int thd_tx_is_read_only(const void* thd);
+int thd_rpl_is_parallel(const void* thd);
+int mysql_tmpfile(const char *prefix);
+unsigned long thd_get_thread_id(const void* thd);
+void thd_get_xid(const void* thd, MYSQL_XID *xid);
+void mysql_query_cache_invalidate4(void* thd,
+ const char *key, unsigned int key_length,
+ int using_trx);
+void *thd_get_ha_data(const void* thd, const struct handlerton *hton);
+void thd_set_ha_data(void* thd, const struct handlerton *hton,
+ const void *ha_data);
+void thd_wakeup_subsequent_commits(void* thd, int wakeup_error);
+struct st_mariadb_encryption_key_management
+{
+ int interface_version;
+ unsigned int (*get_latest_key_version)();
+ unsigned int (*has_key_version)(unsigned int version);
+ unsigned int (*get_key_size)(unsigned int version);
+ int (*get_key)(unsigned int version, unsigned char* key, unsigned int keybufsize);
+ int (*get_iv)(unsigned int version, unsigned char* iv, unsigned int ivbufsize);
+};
diff --git a/libmysqld/CMakeLists.txt b/libmysqld/CMakeLists.txt
index 3826fbbc9bf..7168c67e57e 100644
--- a/libmysqld/CMakeLists.txt
+++ b/libmysqld/CMakeLists.txt
@@ -105,7 +105,7 @@ SET(SQL_EMBEDDED_SOURCES emb_qcache.cc libmysqld.c lib_sql.cc
../sql/compat56.cc
../sql/table_cache.cc
../sql/item_inetfunc.cc
- ../sql/wsrep_dummy.cc
+ ../sql/wsrep_dummy.cc ../sql/encryption_keys.cc
${GEN_SOURCES}
${MYSYS_LIBWRAP_SOURCE}
)
diff --git a/mysql-test/include/have_example_key_management_plugin.inc b/mysql-test/include/have_example_key_management_plugin.inc
new file mode 100644
index 00000000000..622e9a5286c
--- /dev/null
+++ b/mysql-test/include/have_example_key_management_plugin.inc
@@ -0,0 +1,5 @@
+if (`select count(*) = 0 from information_schema.plugins
+ where plugin_name = 'example_key_management_plugin' and plugin_status='active'`)
+{
+ --skip Needs example_key_management_plugin
+}
diff --git a/mysql-test/include/have_example_key_management_plugin.opt b/mysql-test/include/have_example_key_management_plugin.opt
new file mode 100644
index 00000000000..581ee1c73b9
--- /dev/null
+++ b/mysql-test/include/have_example_key_management_plugin.opt
@@ -0,0 +1,2 @@
+--plugin-load-add=$EXAMPLE_KEY_MANAGEMENT_PLUGIN_SO
+--loose-example-key-management-plugin
diff --git a/mysql-test/include/have_file_key_management_plugin.inc b/mysql-test/include/have_file_key_management_plugin.inc
new file mode 100644
index 00000000000..fc682a77f35
--- /dev/null
+++ b/mysql-test/include/have_file_key_management_plugin.inc
@@ -0,0 +1,5 @@
+if (`select count(*) = 0 from information_schema.plugins
+ where plugin_name = 'file_key_management_plugin' and plugin_status='active'`)
+{
+ --skip Needs file_key_management_plugin
+}
diff --git a/mysql-test/include/have_file_key_management_plugin.opt b/mysql-test/include/have_file_key_management_plugin.opt
new file mode 100644
index 00000000000..599847be1fe
--- /dev/null
+++ b/mysql-test/include/have_file_key_management_plugin.opt
@@ -0,0 +1,4 @@
+--plugin-load-add=$FILE_KEY_MANAGEMENT_PLUGIN_SO
+--loose-file-key-management-plugin
+--loose-file-key-management-plugin-filename=$MYSQL_TEST_DIR/std_data/keys.txt
+--encryption-algorithm=aes_cbc
diff --git a/mysql-test/suite/innodb/include/keys.txt b/mysql-test/std_data/keys.txt
index 419b76f698f..419b76f698f 100644
--- a/mysql-test/suite/innodb/include/keys.txt
+++ b/mysql-test/std_data/keys.txt
diff --git a/mysql-test/suite/innodb/t/innodb-page_encryption-32k-master.opt b/mysql-test/suite/innodb/t/innodb-page_encryption-32k-master.opt
deleted file mode 100644
index 723c0b360fd..00000000000
--- a/mysql-test/suite/innodb/t/innodb-page_encryption-32k-master.opt
+++ /dev/null
@@ -1,4 +0,0 @@
---default-storage-engine=InnoDB
---encryption-algorithm=aes_cbs
---file-key-management-plugin-filename=$MYSQL_TEST_DIR/suite/innodb/include/keys.txt
---innodb-buffer-pool-size=24M
diff --git a/mysql-test/suite/innodb/t/innodb-page_encryption-32k.opt b/mysql-test/suite/innodb/t/innodb-page_encryption-32k.opt
new file mode 100644
index 00000000000..a9021f6de15
--- /dev/null
+++ b/mysql-test/suite/innodb/t/innodb-page_encryption-32k.opt
@@ -0,0 +1,2 @@
+--default_storage_engine=InnoDB
+--innodb-buffer-pool-size=24M
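Review bot: The replacement option file for the 32k test keeps only the storage-engine and buffer-pool settings, while the deleted `-32k-master.opt` also supplied the key file and `--encryption-algorithm`. The diffstat lists no change to `innodb-page_encryption-32k.test`, so unless that test already sources `include/have_file_key_management_plugin.inc` (not visible here), it would now run with no key management plugin loaded and no keys configured. If so, add `-- source include/have_file_key_management_plugin.inc` to the test, as the other page-encryption tests in this commit do.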
diff --git a/mysql-test/suite/innodb/t/innodb-page_encryption.opt b/mysql-test/suite/innodb/t/innodb-page_encryption.opt
deleted file mode 100644
index f3aa00059a8..00000000000
--- a/mysql-test/suite/innodb/t/innodb-page_encryption.opt
+++ /dev/null
@@ -1,3 +0,0 @@
---enable-file-key-management-plugin
---encryption-algorithm=aes_cbs
---file-key-management-plugin-filename=$MYSQL_TEST_DIR/suite/innodb/include/keys.txt
diff --git a/mysql-test/suite/innodb/t/innodb-page_encryption.test b/mysql-test/suite/innodb/t/innodb-page_encryption.test
index a3ba64c5d48..fbecf42daad 100644
--- a/mysql-test/suite/innodb/t/innodb-page_encryption.test
+++ b/mysql-test/suite/innodb/t/innodb-page_encryption.test
@@ -1,4 +1,5 @@
-- source include/have_innodb.inc
+-- source include/have_file_key_management_plugin.inc
--disable_query_log
let $innodb_file_format_orig = `SELECT @@innodb_file_format`;
diff --git a/mysql-test/suite/innodb/t/innodb-page_encryption_compression.opt b/mysql-test/suite/innodb/t/innodb-page_encryption_compression.opt
deleted file mode 100644
index f3aa00059a8..00000000000
--- a/mysql-test/suite/innodb/t/innodb-page_encryption_compression.opt
+++ /dev/null
@@ -1,3 +0,0 @@
---enable-file-key-management-plugin
---encryption-algorithm=aes_cbs
---file-key-management-plugin-filename=$MYSQL_TEST_DIR/suite/innodb/include/keys.txt
diff --git a/mysql-test/suite/innodb/t/innodb-page_encryption_compression.test b/mysql-test/suite/innodb/t/innodb-page_encryption_compression.test
index c07a03a1e37..0ce70bbc803 100644
--- a/mysql-test/suite/innodb/t/innodb-page_encryption_compression.test
+++ b/mysql-test/suite/innodb/t/innodb-page_encryption_compression.test
@@ -1,4 +1,5 @@
-- source include/have_innodb.inc
+-- source include/have_file_key_management_plugin.inc
--disable_query_log
let $innodb_compression_algorithm_orig=`SELECT @@innodb_compression_algorithm`;
diff --git a/mysql-test/suite/innodb/t/innodb_encryption.opt b/mysql-test/suite/innodb/t/innodb_encryption.opt
index e2fc72eb5a8..306e3f95660 100644
--- a/mysql-test/suite/innodb/t/innodb_encryption.opt
+++ b/mysql-test/suite/innodb/t/innodb_encryption.opt
@@ -1,8 +1,7 @@
---enable-example-key-management-plugin
---encrypt-tmp-disk-tables=ON
--aria-encrypt-tables=ON
---innodb-encryption-threads=4
---innodb-encryption-rotate-key-age=15
+--encrypt-tmp-disk-tables=ON
--innodb-encrypt-tables=ON
+--innodb-encryption-rotate-key-age=15
+--innodb-encryption-threads=4
--innodb-tablespaces-encryption
--encryption-algorithm=aes_ctr
diff --git a/mysql-test/suite/innodb/t/innodb_encryption.test b/mysql-test/suite/innodb/t/innodb_encryption.test
index ffd57e47c01..50aca2a7260 100644
--- a/mysql-test/suite/innodb/t/innodb_encryption.test
+++ b/mysql-test/suite/innodb/t/innodb_encryption.test
@@ -2,6 +2,7 @@
#
#
-- source include/have_innodb.inc
+-- source include/have_example_key_management_plugin.inc
# embedded does not support restart
-- source include/not_embedded.inc
diff --git a/mysql-test/suite/innodb/t/innodb_scrub.opt b/mysql-test/suite/innodb/t/innodb_scrub.opt
index fd165b269b5..fcbedad0df7 100644
--- a/mysql-test/suite/innodb/t/innodb_scrub.opt
+++ b/mysql-test/suite/innodb/t/innodb_scrub.opt
@@ -1,14 +1,13 @@
---enable-example-key-management-plugin
+--aria-encrypt-tables=ON
+--encrypt-tmp-disk-tables=ON
--innodb-background-scrub-data-compressed=OFF
--innodb-background-scrub-data-uncompressed=OFF
--innodb-encrypt-tables=0
+--innodb-encrypt-tables=ON
+--innodb-encryption-rotate-key-age=15
--innodb-encryption-threads=0
+--innodb-encryption-threads=4
--innodb-file-format=Barracuda
--innodb-file-per-table=1
--innodb-immediate-scrub-data-uncompressed=ON
---loose-aria-encrypt-tables=ON
---loose-encrypt-tmp-disk-tables=ON
---loose-innodb-encrypt-tables=ON
---loose-innodb-encryption-rotate-key-age=15
---loose-innodb-encryption-threads=4
--loose-innodb-scrub-force-testing=ON
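Review bot: The new side of this file sets `--innodb-encrypt-tables` twice (`=0`, then `=ON`) and `--innodb-encryption-threads` twice (`=0`, then `=4`), so the configuration the scrub test runs under depends on which occurrence the option parser keeps. The pairs existed before with a `--loose-` prefix on the second value, but now that they are sorted next to each other they read as a mistake. I would keep only the intended value of each, i.e. drop `--innodb-encrypt-tables=0` and `--innodb-encryption-threads=0` if encryption is meant to be on for this test. The same conflicting pairs appear in the `innodb_scrub_background.opt` and `innodb_scrub_compressed.opt` hunks that follow.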
diff --git a/mysql-test/suite/innodb/t/innodb_scrub.test b/mysql-test/suite/innodb/t/innodb_scrub.test
index 9bb7a359e68..4b370b3e148 100644
--- a/mysql-test/suite/innodb/t/innodb_scrub.test
+++ b/mysql-test/suite/innodb/t/innodb_scrub.test
@@ -1,5 +1,6 @@
-- source include/have_innodb.inc
-- source include/not_embedded.inc
+-- source include/have_example_key_management_plugin.inc
let $MYSQLD_DATADIR=`select @@datadir`;
let ib1_IBD = $MYSQLD_DATADIR/ibdata1;
diff --git a/mysql-test/suite/innodb/t/innodb_scrub_background.opt b/mysql-test/suite/innodb/t/innodb_scrub_background.opt
index e1fc6d82626..bb1f4ce4e86 100644
--- a/mysql-test/suite/innodb/t/innodb_scrub_background.opt
+++ b/mysql-test/suite/innodb/t/innodb_scrub_background.opt
@@ -1,15 +1,14 @@
---enable-example-key-management-plugin
---innodb-background-scrub-data-compressed=ON
---innodb-background-scrub-data-uncompressed=ON
+--innodb-file-per-table=1
+--innodb-file-format=Barracuda
--innodb-encrypt-tables=0
--innodb-encryption-threads=0
---innodb-file-format=Barracuda
---innodb-file-per-table=1
--innodb-immediate-scrub-data-uncompressed=OFF
---innodb-tablespaces-scrubbing
---loose-aria-encrypt-tables=ON
---loose-encrypt-tmp-disk-tables=ON
---loose-innodb-encrypt-tables=ON
---loose-innodb-encryption-rotate-key-age=15
---loose-innodb-encryption-threads=4
+--innodb-background-scrub-data-uncompressed=ON
+--innodb-background-scrub-data-compressed=ON
--loose-innodb-scrub-force-testing=ON
+--encrypt-tmp-disk-tables=ON
+--aria-encrypt-tables=ON
+--innodb-encryption-threads=4
+--innodb-encryption-rotate-key-age=15
+--innodb-encrypt-tables=ON
+--innodb-tablespaces-scrubbing
diff --git a/mysql-test/suite/innodb/t/innodb_scrub_background.test b/mysql-test/suite/innodb/t/innodb_scrub_background.test
index 931177f6fd4..44cb16b1241 100644
--- a/mysql-test/suite/innodb/t/innodb_scrub_background.test
+++ b/mysql-test/suite/innodb/t/innodb_scrub_background.test
@@ -1,5 +1,6 @@
-- source include/have_innodb.inc
-- source include/not_embedded.inc
+-- source include/have_example_key_management_plugin.inc
let $MYSQLD_DATADIR=`select @@datadir`;
let ib1_IBD = $MYSQLD_DATADIR/ibdata1;
diff --git a/mysql-test/suite/innodb/t/innodb_scrub_compressed.opt b/mysql-test/suite/innodb/t/innodb_scrub_compressed.opt
index b956866e648..ac7ef8a1675 100644
--- a/mysql-test/suite/innodb/t/innodb_scrub_compressed.opt
+++ b/mysql-test/suite/innodb/t/innodb_scrub_compressed.opt
@@ -1,15 +1,15 @@
---enable-example-key-management-plugin
---innodb-background-scrub-data-compressed=ON
---innodb-background-scrub-data-uncompressed=ON
---innodb-encrypt-tables=off
---innodb-encryption-threads=0
---innodb-file-format=Barracuda
--innodb-file-per-table=1
+--innodb-file-format=Barracuda
+--innodb-encrypt-tables=off
--innodb-immediate-scrub-data-uncompressed=ON
---innodb-tablespaces-scrubbing
---loose-aria-encrypt-tables=ON
---loose-encrypt-tmp-disk-tables=ON
---loose-innodb-encrypt-tables=ON
---loose-innodb-encryption-rotate-key-age=15
---loose-innodb-encryption-threads=4
+--innodb-background-scrub-data-uncompressed=ON
+--innodb-background-scrub-data-compressed=ON
--loose-innodb-scrub-force-testing=ON
+--innodb-encryption-threads=0
+--encrypt-tmp-disk-tables=ON
+--aria-encrypt-tables=ON
+--innodb-encryption-threads=4
+--innodb-encryption-rotate-key-age=15
+--innodb-encrypt-tables=ON
+--innodb-tablespaces-scrubbing
+
diff --git a/mysql-test/suite/innodb/t/innodb_scrub_compressed.test b/mysql-test/suite/innodb/t/innodb_scrub_compressed.test
index 4e9cf6d9ec9..c89c32a4de8 100644
--- a/mysql-test/suite/innodb/t/innodb_scrub_compressed.test
+++ b/mysql-test/suite/innodb/t/innodb_scrub_compressed.test
@@ -1,5 +1,6 @@
-- source include/have_innodb.inc
-- source include/not_embedded.inc
+-- source include/have_example_key_management_plugin.inc
let $MYSQLD_DATADIR=`select @@datadir`;
let ib1_IBD = $MYSQLD_DATADIR/ibdata1;
diff --git a/mysql-test/suite/plugins/r/show_all_plugins.result b/mysql-test/suite/plugins/r/show_all_plugins.result
index 24ffbebdc8b..5fe80e23af0 100644
--- a/mysql-test/suite/plugins/r/show_all_plugins.result
+++ b/mysql-test/suite/plugins/r/show_all_plugins.result
@@ -21,11 +21,12 @@ Name Status Type Library License
EXAMPLE NOT INSTALLED STORAGE ENGINE ha_example.so GPL
UNUSABLE NOT INSTALLED DAEMON ha_example.so GPL
daemon_example NOT INSTALLED DAEMON libdaemon_example.so GPL
+example_key_management_plugin NOT INSTALLED ENCRYPTION KEY MANAGEMENT example_key_management_plugin.so GPL
three_attempts NOT INSTALLED AUTHENTICATION dialog_examples.so GPL
two_questions NOT INSTALLED AUTHENTICATION dialog_examples.so GPL
show status like '%libraries%';
Variable_name Value
-Opened_plugin_libraries 6
+Opened_plugin_libraries 7
show plugins soname where library = 'ha_example.so';
Name Status Type Library License
EXAMPLE NOT INSTALLED STORAGE ENGINE ha_example.so GPL
diff --git a/mysys/my_thr_init.c b/mysys/my_thr_init.c
index d49a2eff970..debff7d396c 100644
--- a/mysys/my_thr_init.c
+++ b/mysys/my_thr_init.c
@@ -66,10 +66,6 @@ static void my_thread_init_common_mutex(void)
#if !defined(HAVE_LOCALTIME_R) || !defined(HAVE_GMTIME_R)
mysql_mutex_init(key_LOCK_localtime_r, &LOCK_localtime_r, MY_MUTEX_INIT_SLOW);
#endif
-#ifndef DBUG_OFF
- mysql_rwlock_init(key_LOCK_dbug_encryption_key_version,
- &LOCK_dbug_encryption_key_version);
-#endif
}
void my_thread_destroy_common_mutex(void)
@@ -84,9 +80,6 @@ void my_thread_destroy_common_mutex(void)
#if !defined(HAVE_LOCALTIME_R) || !defined(HAVE_GMTIME_R)
mysql_mutex_destroy(&LOCK_localtime_r);
#endif
-#ifndef DBUG_OFF
- mysql_rwlock_destroy(&LOCK_dbug_encryption_key_version);
-#endif
}
diff --git a/mysys_ssl/CMakeLists.txt b/mysys_ssl/CMakeLists.txt
index 05b04b4d8cb..1479e3b3a90 100644
--- a/mysys_ssl/CMakeLists.txt
+++ b/mysys_ssl/CMakeLists.txt
@@ -40,8 +40,6 @@ SET(MYSYS_SSL_SOURCES
my_md5.cc
my_rnd.cc
my_crypt.cc
- my_crypt_key_management.cc
- my_crypt_key_management_impl.cc
)
ADD_CONVENIENCE_LIBRARY(mysys_ssl ${MYSYS_SSL_SOURCES})
diff --git a/mysys_ssl/my_crypt_key_management.cc b/mysys_ssl/my_crypt_key_management.cc
deleted file mode 100644
index 69efed32567..00000000000
--- a/mysys_ssl/my_crypt_key_management.cc
+++ /dev/null
@@ -1,110 +0,0 @@
-#include <my_global.h>
-#include <my_crypt_key_management.h>
-#include <cstring>
-
-#ifndef DBUG_OFF
-#include <myisampack.h>
-my_bool debug_use_static_encryption_keys = 0;
-
-#ifdef HAVE_PSI_INTERFACE
-PSI_rwlock_key key_LOCK_dbug_encryption_key_version;
-#endif
-mysql_rwlock_t LOCK_dbug_encryption_key_version;
-unsigned int opt_debug_encryption_key_version = 0;
-#endif
-
-/**
- * Default functions
- */
-int GetLatestCryptoKeyVersionImpl();
-unsigned int HasCryptoKeyImpl(unsigned int version);
-int GetCryptoKeySizeImpl(unsigned int version);
-int GetCryptoKeyImpl(unsigned int version, unsigned char* key_buffer,
- unsigned int size);
-int GetCryptoIVImpl(unsigned int version, unsigned char* key_buffer,
- unsigned int size);
-
-/**
- * Function pointers for
- * - GetLatestCryptoKeyVersion
- * - GetCryptoKey
- */
-static
-struct CryptoKeyFuncs_t cryptoKeyFuncs = {
- GetLatestCryptoKeyVersionImpl,
- HasCryptoKeyImpl,
- GetCryptoKeySizeImpl,
- GetCryptoKeyImpl,
- GetCryptoIVImpl
-};
-
-extern "C"
-int GetLatestCryptoKeyVersion() {
-#ifndef DBUG_OFF
- if (debug_use_static_encryption_keys) {
- mysql_rwlock_rdlock(&LOCK_dbug_encryption_key_version);
- unsigned int res = opt_debug_encryption_key_version;
- mysql_rwlock_unlock(&LOCK_dbug_encryption_key_version);
- return res;
- }
-#endif
-
- return (* cryptoKeyFuncs.getLatestCryptoKeyVersionFunc)();
-}
-
-extern "C"
-unsigned int HasCryptoKey(unsigned int version) {
- return (* cryptoKeyFuncs.hasCryptoKeyFunc)(version);
-}
-
-extern "C"
-int GetCryptoKeySize(unsigned int version) {
- return (* cryptoKeyFuncs.getCryptoKeySize)(version);
-}
-
-extern "C"
-int GetCryptoKey(unsigned int version, unsigned char* key, unsigned int size) {
-#ifndef DBUG_OFF
- if (debug_use_static_encryption_keys) {
- memset(key, 0, size);
- // Just don't support tiny keys, no point anyway.
- if (size < 4) {
- return 1;
- }
-
- mi_int4store(key, version);
- return 0;
- }
-#endif
-
- return (* cryptoKeyFuncs.getCryptoKeyFunc)(version, key, size);
-}
-
-extern "C"
-int GetCryptoIV(unsigned int version, unsigned char* key, unsigned int size) {
- return (* cryptoKeyFuncs.getCryptoIVFunc)(version, key, size);
-}
-
-extern "C"
-void
-InstallCryptoKeyFunctions(const struct CryptoKeyFuncs_t* _cryptoKeyFuncs)
-{
- if (_cryptoKeyFuncs == NULL)
- {
- /* restore defaults wHashhen called with NULL argument */
- cryptoKeyFuncs.getLatestCryptoKeyVersionFunc =
- GetLatestCryptoKeyVersionImpl;
- cryptoKeyFuncs.hasCryptoKeyFunc =
- HasCryptoKeyImpl;
- cryptoKeyFuncs.getCryptoKeySize =
- GetCryptoKeySizeImpl;
- cryptoKeyFuncs.getCryptoKeyFunc =
- GetCryptoKeyImpl;
- cryptoKeyFuncs.getCryptoIVFunc =
- GetCryptoIVImpl;
- }
- else
- {
- cryptoKeyFuncs = *_cryptoKeyFuncs;
- }
-}
diff --git a/mysys_ssl/my_crypt_key_management_impl.cc b/mysys_ssl/my_crypt_key_management_impl.cc
deleted file mode 100644
index af2077d8d15..00000000000
--- a/mysys_ssl/my_crypt_key_management_impl.cc
+++ /dev/null
@@ -1,34 +0,0 @@
-#include <my_global.h>
-
-// TODO Not yet implemented.
-int GetLatestCryptoKeyVersionImpl()
-{
- abort();
- return 0; /* Keep compiler happy */
-}
-
-unsigned int HasCryptoKeyImpl(unsigned int version)
-{
- abort();
- return 0; /* Keep compiler happy */
-}
-
-int GetCryptoKeySizeImpl(unsigned int version)
-{
- abort();
- return 0; /* Keep compiler happy */
-}
-
-int GetCryptoKeyImpl(unsigned int version, unsigned char* key,
- unsigned int key_size)
-{
- abort();
- return 0; /* Keep compiler happy */
-}
-
-int GetCryptoIVImpl(unsigned int version, unsigned char* key,
- unsigned int key_size)
-{
- abort();
- return 0; /* Keep compiler happy */
-}
diff --git a/plugin/example_key_management_plugin/CMakeLists.txt b/plugin/example_key_management_plugin/CMakeLists.txt
index 237d21a1e8e..95ff433dc43 100644
--- a/plugin/example_key_management_plugin/CMakeLists.txt
+++ b/plugin/example_key_management_plugin/CMakeLists.txt
@@ -1 +1,2 @@
-MYSQL_ADD_PLUGIN(EXAMPLE_KEY_MANAGEMENT_PLUGIN example_key_management_plugin.cc MANDATORY)
+MYSQL_ADD_PLUGIN(EXAMPLE_KEY_MANAGEMENT_PLUGIN example_key_management_plugin.cc
+ MODULE_ONLY)
diff --git a/plugin/example_key_management_plugin/example_key_management_plugin.cc b/plugin/example_key_management_plugin/example_key_management_plugin.cc
index cdc32e87aad..f590fbb55b8 100644
--- a/plugin/example_key_management_plugin/example_key_management_plugin.cc
+++ b/plugin/example_key_management_plugin/example_key_management_plugin.cc
@@ -1,10 +1,9 @@
// Copyright (C) 2014 Google Inc.
-#include <mysql_version.h>
#include <my_global.h>
#include <my_pthread.h>
#include <my_aes.h>
-#include <my_crypt_key_management.h>
+#include <mysql/plugin_encryption_key_management.h>
#include <my_md5.h>
#include <my_rnd.h>
@@ -17,8 +16,7 @@ static unsigned int key_version = 0;
static unsigned int next_key_version = 0;
static pthread_mutex_t mutex;
-static
-int
+static unsigned int
get_latest_key_version()
{
uint now = time(0);
@@ -34,8 +32,7 @@ get_latest_key_version()
return key_version;
}
-static
-int
+static int
get_key(unsigned int version, unsigned char* dstbuf, unsigned buflen)
{
char *dst = (char*)dstbuf; // md5 function takes char* as argument...
@@ -58,7 +55,7 @@ static unsigned int has_key_func(unsigned int keyID)
return true;
}
-static int get_key_size(unsigned int keyID)
+static unsigned int get_key_size(unsigned int keyID)
{
return 16;
}
@@ -87,13 +84,6 @@ static int example_key_management_plugin_init(void *p)
pthread_mutex_init(&mutex, NULL);
- struct CryptoKeyFuncs_t func;
- func.getLatestCryptoKeyVersionFunc = get_latest_key_version;
- func.hasCryptoKeyFunc = has_key_func;
- func.getCryptoKeySize = get_key_size;
- func.getCryptoKeyFunc = get_key;
- func.getCryptoIVFunc = get_iv;
- InstallCryptoKeyFunctions(&func);
return 0;
}
@@ -103,8 +93,13 @@ static int example_key_management_plugin_deinit(void *p)
return 0;
}
-struct st_mysql_daemon example_key_management_plugin= {
- MYSQL_DAEMON_INTERFACE_VERSION
+struct st_mariadb_encryption_key_management example_key_management_plugin= {
+ MariaDB_ENCRYPTION_KEY_MANAGEMENT_INTERFACE_VERSION,
+ get_latest_key_version,
+ has_key_func,
+ get_key_size,
+ get_key,
+ get_iv
};
/*
@@ -112,7 +107,7 @@ struct st_mysql_daemon example_key_management_plugin= {
*/
maria_declare_plugin(example_key_management_plugin)
{
- MYSQL_DAEMON_PLUGIN,
+ MariaDB_ENCRYPTION_KEY_MANAGEMENT_PLUGIN,
&example_key_management_plugin,
"example_key_management_plugin",
"Jonas Oreland",
@@ -124,6 +119,6 @@ maria_declare_plugin(example_key_management_plugin)
NULL, /* status variables */
NULL, /* system variables */
"1.0",
- MariaDB_PLUGIN_MATURITY_UNKNOWN
+ MariaDB_PLUGIN_MATURITY_EXPERIMENTAL
}
maria_declare_plugin_end;
diff --git a/plugin/file_key_management_plugin/CMakeLists.txt b/plugin/file_key_management_plugin/CMakeLists.txt
index d5412abf714..87e885c3550 100644
--- a/plugin/file_key_management_plugin/CMakeLists.txt
+++ b/plugin/file_key_management_plugin/CMakeLists.txt
@@ -1,4 +1,4 @@
SET(FILE_KEY_MANAGEMENT_PLUGIN_SOURCES file_key_management_plugin.cc EncKeys.cc KeySingleton.cc)
-MYSQL_ADD_PLUGIN(FILE_KEY_MANAGEMENT_PLUGIN ${FILE_KEY_MANAGEMENT_PLUGIN_SOURCES} DEFAULT
+MYSQL_ADD_PLUGIN(FILE_KEY_MANAGEMENT_PLUGIN ${FILE_KEY_MANAGEMENT_PLUGIN_SOURCES}
LINK_LIBRARIES pcre)
diff --git a/plugin/file_key_management_plugin/file_key_management_plugin.cc b/plugin/file_key_management_plugin/file_key_management_plugin.cc
index 11892d74385..7dbf8c132da 100644
--- a/plugin/file_key_management_plugin/file_key_management_plugin.cc
+++ b/plugin/file_key_management_plugin/file_key_management_plugin.cc
@@ -16,6 +16,7 @@
#include <my_global.h>
#include <mysql_version.h>
+#include <mysql/plugin_encryption_key_management.h>
#include <my_aes.h>
#include <my_crypt_key_management.h>
#include "sql_class.h"
@@ -50,7 +51,7 @@ static struct st_mysql_sys_var* settings[] = {
rotation feature of encrypting log files.
*/
-static int get_highest_key_used_in_key_file()
+static unsigned int get_highest_key_used_in_key_file()
{
if (KeySingleton::getInstance().hasKey(0))
{
@@ -67,7 +68,7 @@ static unsigned int has_key_from_key_file(unsigned int keyID)
return entry != NULL;
}
-static int get_key_size_from_key_file(unsigned int keyID)
+static unsigned int get_key_size_from_key_file(unsigned int keyID)
{
keyentry* entry = KeySingleton::getInstance().getKeys(keyID);
@@ -146,16 +147,6 @@ static int file_key_management_plugin_init(void *p)
return 1;
}
- /* Initializing the key provider */
- struct CryptoKeyFuncs_t func;
- func.getLatestCryptoKeyVersionFunc = get_highest_key_used_in_key_file;
- func.hasCryptoKeyFunc = has_key_from_key_file;
- func.getCryptoKeySize = get_key_size_from_key_file;
- func.getCryptoKeyFunc = get_key_from_key_file;
- func.getCryptoIVFunc = get_iv_from_key_file;
-
- InstallCryptoKeyFunctions(&func);
-
if (filename == NULL || strcmp("", filename) == 0)
{
sql_print_error("Parameter file_key_management_plugin_filename is required");
@@ -175,8 +166,13 @@ static int file_key_management_plugin_deinit(void *p)
return 0;
}
-struct st_mysql_daemon file_key_management_plugin= {
- MYSQL_DAEMON_INTERFACE_VERSION
+struct st_mariadb_encryption_key_management file_key_management_plugin= {
+ MariaDB_ENCRYPTION_KEY_MANAGEMENT_INTERFACE_VERSION,
+ get_highest_key_used_in_key_file,
+ has_key_from_key_file,
+ get_key_size_from_key_file,
+ get_key_from_key_file,
+ get_iv_from_key_file
};
/*
@@ -184,7 +180,7 @@ struct st_mysql_daemon file_key_management_plugin= {
*/
maria_declare_plugin(file_key_management_plugin)
{
- MYSQL_KEY_MANAGEMENT_PLUGIN,
+ MariaDB_ENCRYPTION_KEY_MANAGEMENT_PLUGIN,
&file_key_management_plugin,
"file_key_management_plugin",
"Denis Endro eperi GmbH",
diff --git a/sql/CMakeLists.txt b/sql/CMakeLists.txt
index 8ac9d2d324d..c78fa73bb51 100644
--- a/sql/CMakeLists.txt
+++ b/sql/CMakeLists.txt
@@ -115,7 +115,7 @@ SET (SQL_SOURCE
my_json_writer.cc my_json_writer.h
rpl_gtid.cc rpl_parallel.cc
${WSREP_SOURCES}
- table_cache.cc
+ table_cache.cc encryption_keys.cc
${CMAKE_CURRENT_BINARY_DIR}/sql_builtin.cc
${GEN_SOURCES}
${MYSYS_LIBWRAP_SOURCE}
diff --git a/sql/encryption_keys.cc b/sql/encryption_keys.cc
new file mode 100644
index 00000000000..f924ad1c599
--- /dev/null
+++ b/sql/encryption_keys.cc
@@ -0,0 +1,110 @@
+#include <my_global.h>
+#include <mysql/plugin_encryption_key_management.h>
+#include <my_crypt_key_management.h>
+#include "log.h"
+#include "sql_plugin.h"
+
+#ifndef DBUG_OFF
+my_bool debug_use_static_encryption_keys = 0;
+uint opt_debug_encryption_key_version = 0;
+#endif
+
+/* there can be only one encryption key management plugin enabled */
+static plugin_ref encryption_key_manager= 0;
+static struct st_mariadb_encryption_key_management *handle;
+
+uint get_latest_encryption_key_version()
+{
+#ifndef DBUG_OFF
+ if (debug_use_static_encryption_keys)
+ {
+ //mysql_mutex_lock(&LOCK_global_system_variables);
+ uint res = opt_debug_encryption_key_version;
+ //mysql_mutex_unlock(&LOCK_global_system_variables);
+ return res;
+ }
+#endif
+
+ if (encryption_key_manager)
+ return handle->get_latest_key_version();
+
+ return BAD_ENCRYPTION_KEY_VERSION;
+}
+
+uint has_encryption_key(uint version)
+{
+ if (encryption_key_manager)
+ return handle->has_key_version(version);
+
+ return 0;
+}
+
+uint get_encryption_key_size(uint version)
+{
+ if (encryption_key_manager)
+ return handle->get_key_size(version);
+
+ return 0;
+}
+
+int get_encryption_key(uint version, uchar* key, uint size)
+{
+#ifndef DBUG_OFF
+ if (debug_use_static_encryption_keys)
+ {
+ memset(key, 0, size);
+ // Just don't support tiny keys, no point anyway.
+ if (size < 4)
+ return 1;
+
+ mi_int4store(key, version);
+ return 0;
+ }
+#endif
+
+ if (encryption_key_manager)
+ return handle->get_key(version, key, size);
+
+ return 1;
+}
+
+int get_encryption_iv(uint version, uchar* iv, uint size)
+{
+ if (encryption_key_manager)
+ return handle->get_iv(version, iv, size);
+
+ return 1;
+}
+
+int initialize_encryption_key_management_plugin(st_plugin_int *plugin)
+{
+ if (encryption_key_manager)
+ return 1;
+
+ if (plugin->plugin->init && plugin->plugin->init(plugin))
+ {
+ sql_print_error("Plugin '%s' init function returned error.",
+ plugin->name.str);
+ return 1;
+ }
+
+ encryption_key_manager= plugin_lock(NULL, plugin_int_to_ref(plugin));
+ handle= (struct st_mariadb_encryption_key_management*)
+ plugin->plugin->info;
+ return 0;
+}
+
+int finalize_encryption_key_management_plugin(st_plugin_int *plugin)
+{
+ DBUG_ASSERT(encryption_key_manager);
+
+ if (plugin->plugin->deinit && plugin->plugin->deinit(NULL))
+ {
+ DBUG_PRINT("warning", ("Plugin '%s' deinit function returned error.",
+ plugin->name.str));
+ }
+ plugin_unlock(NULL, encryption_key_manager);
+ encryption_key_manager= 0;
+ return 0;
+}
+
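Review bot: The accessors test `encryption_key_manager` and then dereference `handle`, but the two globals are written separately and without synchronisation: initialize_encryption_key_management_plugin() sets `encryption_key_manager` before `handle`, and finalize_encryption_key_management_plugin() clears only `encryption_key_manager`, leaving `handle` pointing at the descriptor of a plugin that has just been unlocked. Assigning `handle` first and resetting it with `handle= 0;` in finalize narrows this, though a caller already past the check can still race with unload unless callers are known to be quiesced by then, which is worth stating in a comment. The result of `plugin_lock()` is also stored unchecked; if it can return NULL, init reports success while every accessor behaves as if no plugin were loaded. The commented-out `mysql_mutex_lock`/`mysql_mutex_unlock` lines in get_latest_encryption_key_version() should be removed or replaced by a comment explaining why the unlocked read of `opt_debug_encryption_key_version` is acceptable.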
diff --git a/sql/sql_plugin.cc b/sql/sql_plugin.cc
index 7ec7b0ccc9d..3aba1e0a3bb 100644
--- a/sql/sql_plugin.cc
+++ b/sql/sql_plugin.cc
@@ -37,6 +37,7 @@
#include "lock.h" // MYSQL_LOCK_IGNORE_TIMEOUT
#include <mysql/plugin_auth.h>
#include <mysql/plugin_password_validation.h>
+#include <mysql/plugin_encryption_key_management.h>
#include "sql_plugin_compat.h"
#define REPORT_TO_LOG 1
@@ -85,7 +86,8 @@ const LEX_STRING plugin_type_names[MYSQL_MAX_PLUGIN_TYPE_NUM]=
{ C_STRING_WITH_LEN("AUDIT") },
{ C_STRING_WITH_LEN("REPLICATION") },
{ C_STRING_WITH_LEN("AUTHENTICATION") },
- { C_STRING_WITH_LEN("PASSWORD VALIDATION") }
+ { C_STRING_WITH_LEN("PASSWORD VALIDATION") },
+ { C_STRING_WITH_LEN("ENCRYPTION KEY MANAGEMENT") }
};
extern int initialize_schema_table(st_plugin_int *plugin);
@@ -94,6 +96,9 @@ extern int finalize_schema_table(st_plugin_int *plugin);
extern int initialize_audit_plugin(st_plugin_int *plugin);
extern int finalize_audit_plugin(st_plugin_int *plugin);
+extern int initialize_encryption_key_management_plugin(st_plugin_int *plugin);
+extern int finalize_encryption_key_management_plugin(st_plugin_int *plugin);
+
/*
The number of elements in both plugin_type_initialize and
plugin_type_deinitialize should equal to the number of plugins
@@ -102,13 +107,13 @@ extern int finalize_audit_plugin(st_plugin_int *plugin);
plugin_type_init plugin_type_initialize[MYSQL_MAX_PLUGIN_TYPE_NUM]=
{
0, ha_initialize_handlerton, 0, 0,initialize_schema_table,
- initialize_audit_plugin, 0, 0, 0
+ initialize_audit_plugin, 0, 0, 0, initialize_encryption_key_management_plugin
};
plugin_type_init plugin_type_deinitialize[MYSQL_MAX_PLUGIN_TYPE_NUM]=
{
0, ha_finalize_handlerton, 0, 0, finalize_schema_table,
- finalize_audit_plugin, 0, 0, 0
+ finalize_audit_plugin, 0, 0, 0, finalize_encryption_key_management_plugin
};
/*
@@ -119,7 +124,7 @@ plugin_type_init plugin_type_deinitialize[MYSQL_MAX_PLUGIN_TYPE_NUM]=
static int plugin_type_initialization_order[MYSQL_MAX_PLUGIN_TYPE_NUM]=
{
MYSQL_DAEMON_PLUGIN,
- MYSQL_KEY_MANAGEMENT_PLUGIN,
+ MariaDB_ENCRYPTION_KEY_MANAGEMENT_PLUGIN,
MYSQL_STORAGE_ENGINE_PLUGIN,
MYSQL_INFORMATION_SCHEMA_PLUGIN,
MYSQL_FTPARSER_PLUGIN,
@@ -160,7 +165,8 @@ static int min_plugin_info_interface_version[MYSQL_MAX_PLUGIN_TYPE_NUM]=
MYSQL_AUDIT_INTERFACE_VERSION,
MYSQL_REPLICATION_INTERFACE_VERSION,
MIN_AUTHENTICATION_INTERFACE_VERSION,
- MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION
+ MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION,
+ MariaDB_ENCRYPTION_KEY_MANAGEMENT_INTERFACE_VERSION
};
static int cur_plugin_info_interface_version[MYSQL_MAX_PLUGIN_TYPE_NUM]=
{
@@ -172,7 +178,8 @@ static int cur_plugin_info_interface_version[MYSQL_MAX_PLUGIN_TYPE_NUM]=
MYSQL_AUDIT_INTERFACE_VERSION,
MYSQL_REPLICATION_INTERFACE_VERSION,
MYSQL_AUTHENTICATION_INTERFACE_VERSION,
- MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION
+ MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION,
+ MariaDB_ENCRYPTION_KEY_MANAGEMENT_INTERFACE_VERSION
};
static struct
@@ -1954,8 +1961,6 @@ void plugin_shutdown(void)
if (!(plugins[i]->state & (PLUGIN_IS_UNINITIALIZED | PLUGIN_IS_FREED |
PLUGIN_IS_DISABLED)))
{
- sql_print_warning("Plugin '%s' will be forced to shutdown",
- plugins[i]->name.str);
/*
We are forcing deinit on plugins so we don't want to do a ref_count
check until we have processed all the plugins.
diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc
index e7092354606..198e4073ef8 100644
--- a/sql/sys_vars.cc
+++ b/sql/sys_vars.cc
@@ -62,7 +62,7 @@
#include "sql_repl.h"
#include "opt_range.h"
#include "rpl_parallel.h"
-#include "my_crypt_key_management.h"
+#include <my_crypt_key_management.h>
/*
The rule for this file: everything should be 'static'. When a sys_var
@@ -1134,15 +1134,12 @@ static Sys_var_mybool Sys_debug_use_static_keys(
READ_ONLY GLOBAL_VAR(debug_use_static_encryption_keys),
CMD_LINE(OPT_ARG), DEFAULT(FALSE));
-static PolyLock_rwlock PLock_sys_debug_encryption_key_version(
- &LOCK_dbug_encryption_key_version);
-
static Sys_var_uint Sys_debug_encryption_key_version(
"debug_encryption_key_version",
"Encryption key version. Only to be used in internal testing.",
GLOBAL_VAR(opt_debug_encryption_key_version),
CMD_LINE(REQUIRED_ARG), VALID_RANGE(0,UINT_MAX), DEFAULT(0),
- BLOCK_SIZE(1), &PLock_sys_debug_encryption_key_version);
+ BLOCK_SIZE(1));
#endif
static Sys_var_mybool Sys_trust_function_creators(
diff --git a/storage/innobase/fil/fil0crypt.cc b/storage/innobase/fil/fil0crypt.cc
index 8ff2c490d35..c12bc385720 100644
--- a/storage/innobase/fil/fil0crypt.cc
+++ b/storage/innobase/fil/fil0crypt.cc
@@ -210,7 +210,7 @@ fil_crypt_get_key(byte *dst, uint* key_length,
{
// load iv
- int rc = GetCryptoIV(version, (unsigned char*)iv, iv_len);
+ int rc = get_encryption_iv(version, (unsigned char*)iv, iv_len);
if (rc != CRYPT_KEY_OK) {
ib_logf(IB_LOG_LEVEL_FATAL,
@@ -219,10 +219,10 @@ fil_crypt_get_key(byte *dst, uint* key_length,
}
}
- if (HasCryptoKey(version)) {
- *key_length = GetCryptoKeySize(version);
+ if (has_encryption_key(version)) {
+ *key_length = get_encryption_key_size(version);
- int rc = GetCryptoKey(version, (unsigned char*)keybuf, *key_length);
+ int rc = get_encryption_key(version, (unsigned char*)keybuf, *key_length);
if (rc != CRYPT_KEY_OK) {
ib_logf(IB_LOG_LEVEL_FATAL,
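Review bot: `*key_length` is taken straight from `get_encryption_key_size(version)`, which now forwards whatever the loaded key management plugin reports, and is then passed as the write length for `keybuf` with no bound visible in this hunk. The declaration of `keybuf` is outside the hunk, so its capacity cannot be confirmed here; if it is a fixed-size array, reject larger sizes before the call, e.g. `if (*key_length > sizeof(keybuf)) { /* fail: key too large for buffer */ }`. The storage/xtradb copy of fil_crypt_get_key has the same sequence.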
@@ -295,7 +295,7 @@ fil_crypt_get_latest_key(byte *dst, uint* key_length,
{
if (srv_encrypt_tables) {
// used for key rotation - get the next key id from the key provider
- int rc = GetLatestCryptoKeyVersion();
+ int rc = get_latest_encryption_key_version();
// if no new key was created use the last one
if (rc >= 0)
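Review bot: `get_latest_encryption_key_version()` now returns `uint` and signals failure with `BAD_ENCRYPTION_KEY_VERSION`, but the result is still stored in `int rc` and tested with `rc >= 0`. Whether that test rejects the sentinel depends on its numeric value, which is defined outside this view; comparing against the constant says what is meant: `uint rc = get_latest_encryption_key_version();` and `if (rc != BAD_ENCRYPTION_KEY_VERSION)`. The other callers changed in this file (fil_space_create_crypt_data, fil_crypt_get_key_state, fil_space_crypt_get_status), log_crypt_set_ver_and_key in log0crypt.cc and the storage/xtradb copies store or compare the value without checking for the sentinel in the visible lines, so a missing key provider could end up recorded as a key version. fil_crypt_get_latest_key continues outside the hunk.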
@@ -325,7 +325,7 @@ fil_space_create_crypt_data()
crypt_data->min_key_version = 0;
} else {
crypt_data->type = CRYPT_SCHEME_1;
- crypt_data->min_key_version = GetLatestCryptoKeyVersion();
+ crypt_data->min_key_version = get_latest_encryption_key_version();
}
mutex_create(fil_crypt_data_mutex_key,
@@ -652,7 +652,7 @@ fil_space_encrypt(ulint space, ulint offset, lsn_t lsn,
{
// take the iv from the key provider
- int load_iv_rc = GetCryptoIV(key_version, (uchar *) iv, sizeof(iv));
+ int load_iv_rc = get_encryption_iv(key_version, (uchar *) iv, sizeof(iv));
// if the iv can not be loaded the whole page can not be encrypted
if (load_iv_rc != CRYPT_KEY_OK)
@@ -869,7 +869,7 @@ fil_space_decrypt(fil_space_crypt_t* crypt_data,
{
// take the iv from the key provider
- int load_iv_rc = GetCryptoIV(key_version, (uchar *) iv, sizeof(iv));
+ int load_iv_rc = get_encryption_iv(key_version, (uchar *) iv, sizeof(iv));
// if the iv can not be loaded the whole page can not be decrypted
if (load_iv_rc != CRYPT_KEY_OK)
@@ -1049,7 +1049,7 @@ fil_crypt_get_key_state(
key_state_t *new_state)
{
if (srv_encrypt_tables == TRUE) {
- new_state->key_version = GetLatestCryptoKeyVersion();
+ new_state->key_version = get_latest_encryption_key_version();
new_state->rotate_key_age = srv_fil_crypt_rotate_key_age;
ut_a(new_state->key_version > 0);
} else {
@@ -2375,7 +2375,7 @@ fil_space_crypt_get_status(
}
if (srv_encrypt_tables == TRUE) {
- status->current_key_version = GetLatestCryptoKeyVersion();
+ status->current_key_version = get_latest_encryption_key_version();
} else {
status->current_key_version = 0;
}
diff --git a/storage/innobase/fil/fil0fil.cc b/storage/innobase/fil/fil0fil.cc
index cbe9ec56e88..7eb585609d2 100644
--- a/storage/innobase/fil/fil0fil.cc
+++ b/storage/innobase/fil/fil0fil.cc
@@ -1153,7 +1153,7 @@ fil_space_create(
ut_a(fil_system);
if (fsp_flags_is_page_encrypted(flags)) {
- if (!HasCryptoKey(fsp_flags_get_page_encryption_key(flags))) {
+ if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) {
/* by returning here it should be avoided that
* the server crashes, if someone tries to access an
* encrypted table and the encryption key is not available.
diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc
index df5867ce43b..5c5c21280c8 100644
--- a/storage/innobase/handler/ha_innodb.cc
+++ b/storage/innobase/handler/ha_innodb.cc
@@ -11370,7 +11370,7 @@ ha_innobase::check_table_options(
return "PAGE_ENCRYPTION_KEY";
}
- if (!HasCryptoKey(options->page_encryption_key)) {
+ if (!has_encryption_key(options->page_encryption_key)) {
push_warning_printf(
thd, Sql_condition::WARN_LEVEL_WARN,
HA_WRONG_CREATE_OPTION,
diff --git a/storage/innobase/include/fsp0pageencryption.ic b/storage/innobase/include/fsp0pageencryption.ic
index 42c980b0430..e2bd76679ee 100644
--- a/storage/innobase/include/fsp0pageencryption.ic
+++ b/storage/innobase/include/fsp0pageencryption.ic
@@ -147,9 +147,9 @@ fil_page_encryption_status(
if (page_type == FIL_PAGE_TYPE_FSP_HDR) {
ulint flags = mach_read_from_4(FSP_HEADER_OFFSET + FSP_SPACE_FLAGS + buf);
if (fsp_flags_is_page_encrypted(flags)) {
- if (!HasCryptoKey(fsp_flags_get_page_encryption_key(flags))) {
+ if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) {
/* accessing table would surely fail, because no key or no key provider available */
- if (!HasCryptoKey(fsp_flags_get_page_encryption_key(flags))) {
+ if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) {
return PAGE_ENCRYPTION_KEY_MISSING;
}
return PAGE_ENCRYPTION_ERROR;
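Review bot: The inner `if (!has_encryption_key(...))` repeats the outer condition with the same argument, so the `return PAGE_ENCRYPTION_ERROR;` after it is reached only if the key provider's answer changes between the two calls. The rename carried the duplication over; one lookup is enough: `if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) { return PAGE_ENCRYPTION_KEY_MISSING; }`. If the ERROR result was meant for a different condition, that condition is not expressed in the visible lines and should be. The same pattern is in the storage/xtradb copy of this file, and fil_page_encryption_status starts and ends outside the hunk.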
@@ -159,7 +159,7 @@ fil_page_encryption_status(
if(page_type == FIL_PAGE_PAGE_COMPRESSED_ENCRYPTED) {
ulint key = mach_read_from_4(buf + FIL_PAGE_FILE_FLUSH_LSN_OR_KEY_VERSION);
- if (!HasCryptoKey(key)) {
+ if (!has_encryption_key(key)) {
return PAGE_ENCRYPTION_KEY_MISSING;
}
return PAGE_ENCRYPTION_ERROR;
diff --git a/storage/innobase/include/log0crypt.h b/storage/innobase/include/log0crypt.h
index 188e82397a2..0c0d046c471 100644
--- a/storage/innobase/include/log0crypt.h
+++ b/storage/innobase/include/log0crypt.h
@@ -12,7 +12,7 @@ Created 11/25/2013 Minli Zhu
#include "ut0lst.h"
#include "ut0rnd.h"
#include "my_aes.h"
-#include "my_crypt_key_management.h" // for key version and key
+#include <my_crypt_key_management.h>
#define PURPOSE_BYTE_LEN MY_AES_BLOCK_SIZE - 1
#define PURPOSE_BYTE_OFFSET 0
diff --git a/storage/innobase/log/log0crypt.cc b/storage/innobase/log/log0crypt.cc
index 0647fd04e84..17e1404777e 100644
--- a/storage/innobase/log/log0crypt.cc
+++ b/storage/innobase/log/log0crypt.cc
@@ -37,7 +37,7 @@ Note:
We should not use flags and conditions such as:
(srv_encrypt_log &&
debug_use_static_keys &&
- GetLatestCryptoKeyVersion() == UNENCRYPTED_KEY_VER)
+ get_latest_encryption_key_version() == UNENCRYPTED_KEY_VER)
because they haven't been read and set yet in the situation of resetting
redo logs.
*/
@@ -93,7 +93,7 @@ log_init_crypt_key(
}
byte mysqld_key[MY_AES_BLOCK_SIZE] = {0};
- if (GetCryptoKey(crypt_ver, mysqld_key, MY_AES_BLOCK_SIZE))
+ if (get_encryption_key(crypt_ver, mysqld_key, MY_AES_BLOCK_SIZE))
{
fprintf(stderr,
"\nInnodb redo log crypto: getting mysqld crypto key "
@@ -234,7 +234,7 @@ log_crypt_set_ver_and_key(
byte* crypt_key) /*!< out: crypto key */
{
if (!srv_encrypt_log ||
- (key_ver = GetLatestCryptoKeyVersion()) == UNENCRYPTED_KEY_VER)
+ (key_ver = get_latest_encryption_key_version()) == UNENCRYPTED_KEY_VER)
{
key_ver = UNENCRYPTED_KEY_VER;
memset(crypt_key, 0, MY_AES_BLOCK_SIZE);
diff --git a/storage/xtradb/fil/fil0crypt.cc b/storage/xtradb/fil/fil0crypt.cc
index 930b8c63255..be0c120c6c7 100644
--- a/storage/xtradb/fil/fil0crypt.cc
+++ b/storage/xtradb/fil/fil0crypt.cc
@@ -210,7 +210,7 @@ fil_crypt_get_key(byte *dst, uint* key_length,
{
// load iv
- int rc = GetCryptoIV(version, (unsigned char*)iv, iv_len);
+ int rc = get_encryption_iv(version, (unsigned char*)iv, iv_len);
if (rc != CRYPT_KEY_OK) {
ib_logf(IB_LOG_LEVEL_FATAL,
@@ -219,10 +219,10 @@ fil_crypt_get_key(byte *dst, uint* key_length,
}
}
- if (HasCryptoKey(version)) {
- *key_length = GetCryptoKeySize(version);
+ if (has_encryption_key(version)) {
+ *key_length = get_encryption_key_size(version);
- int rc = GetCryptoKey(version, (unsigned char*)keybuf, *key_length);
+ int rc = get_encryption_key(version, (unsigned char*)keybuf, *key_length);
if (rc != CRYPT_KEY_OK) {
ib_logf(IB_LOG_LEVEL_FATAL,
@@ -295,7 +295,7 @@ fil_crypt_get_latest_key(byte *dst, uint* key_length,
{
if (srv_encrypt_tables) {
// used for key rotation - get the next key id from the key provider
- int rc = GetLatestCryptoKeyVersion();
+ int rc = get_latest_encryption_key_version();
// if no new key was created use the last one
if (rc >= 0)
@@ -326,7 +326,7 @@ fil_space_create_crypt_data()
crypt_data->min_key_version = 0;
} else {
crypt_data->type = CRYPT_SCHEME_1;
- crypt_data->min_key_version = GetLatestCryptoKeyVersion();
+ crypt_data->min_key_version = get_latest_encryption_key_version();
}
mutex_create(fil_crypt_data_mutex_key,
@@ -653,7 +653,7 @@ fil_space_encrypt(ulint space, ulint offset, lsn_t lsn,
{
// take the iv from the key provider
- int load_iv_rc = GetCryptoIV(key_version, (uchar *) iv, sizeof(iv));
+ int load_iv_rc = get_encryption_iv(key_version, (uchar *) iv, sizeof(iv));
// if the iv can not be loaded the whole page can not be encrypted
if (load_iv_rc != CRYPT_KEY_OK)
@@ -869,7 +869,7 @@ fil_space_decrypt(fil_space_crypt_t* crypt_data,
{
// take the iv from the key provider
- int load_iv_rc = GetCryptoIV(key_version, (uchar *) iv, sizeof(iv));
+ int load_iv_rc = get_encryption_iv(key_version, (uchar *) iv, sizeof(iv));
// if the iv can not be loaded the whole page can not be decrypted
if (load_iv_rc != CRYPT_KEY_OK)
@@ -1049,7 +1049,7 @@ fil_crypt_get_key_state(
key_state_t *new_state)
{
if (srv_encrypt_tables == TRUE) {
- new_state->key_version = GetLatestCryptoKeyVersion();
+ new_state->key_version = get_latest_encryption_key_version();
new_state->rotate_key_age = srv_fil_crypt_rotate_key_age;
ut_a(new_state->key_version > 0);
} else {
@@ -2375,7 +2375,7 @@ fil_space_crypt_get_status(
}
if (srv_encrypt_tables == TRUE) {
- status->current_key_version = GetLatestCryptoKeyVersion();
+ status->current_key_version = get_latest_encryption_key_version();
} else {
status->current_key_version = 0;
}
diff --git a/storage/xtradb/fil/fil0fil.cc b/storage/xtradb/fil/fil0fil.cc
index d0abced2cdb..530326c0f66 100644
--- a/storage/xtradb/fil/fil0fil.cc
+++ b/storage/xtradb/fil/fil0fil.cc
@@ -1188,7 +1188,7 @@ fil_space_create(
ut_a(fil_system);
if (fsp_flags_is_page_encrypted(flags)) {
- if (!HasCryptoKey(fsp_flags_get_page_encryption_key(flags))) {
+ if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) {
/* by returning here it should be avoided that
* the server crashes, if someone tries to access an
* encrypted table and the encryption key is not available.
diff --git a/storage/xtradb/handler/ha_innodb.cc b/storage/xtradb/handler/ha_innodb.cc
index c7e98f02702..8053e7c9ce3 100644
--- a/storage/xtradb/handler/ha_innodb.cc
+++ b/storage/xtradb/handler/ha_innodb.cc
@@ -11887,7 +11887,7 @@ ha_innobase::check_table_options(
return "PAGE_ENCRYPTION_KEY";
}
- if (!HasCryptoKey(options->page_encryption_key)) {
+ if (!has_encryption_key(options->page_encryption_key)) {
push_warning_printf(
thd, Sql_condition::WARN_LEVEL_WARN,
HA_WRONG_CREATE_OPTION,
diff --git a/storage/xtradb/include/fsp0pageencryption.ic b/storage/xtradb/include/fsp0pageencryption.ic
index a2c8c3b0660..311618e905a 100644
--- a/storage/xtradb/include/fsp0pageencryption.ic
+++ b/storage/xtradb/include/fsp0pageencryption.ic
@@ -27,9 +27,6 @@ Created 08/28/2014
#include "fil0pageencryption.h"
#include <my_crypt_key_management.h>
-
-
-
/********************************************************************//**
Determine if the tablespace is page encrypted from dict_table_t::flags.
@return TRUE if page encrypted, FALSE if not page encrypted */
@@ -151,9 +148,9 @@ fil_page_encryption_status(
if (page_type == FIL_PAGE_TYPE_FSP_HDR) {
ulint flags = mach_read_from_4(FSP_HEADER_OFFSET + FSP_SPACE_FLAGS + buf);
if (fsp_flags_is_page_encrypted(flags)) {
- if (!HasCryptoKey(fsp_flags_get_page_encryption_key(flags))) {
+ if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) {
/* accessing table would surely fail, because no key or no key provider available */
- if (!HasCryptoKey(fsp_flags_get_page_encryption_key(flags))) {
+ if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags))) {
return PAGE_ENCRYPTION_KEY_MISSING;
}
return PAGE_ENCRYPTION_ERROR;
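Review bot: The inner `if (!has_encryption_key(fsp_flags_get_page_encryption_key(flags)))` repeats the outer condition unchanged, so the key-management plugin is queried twice for one decision. As the braces read in this hunk, the `return PAGE_ENCRYPTION_ERROR;` after it is reachable only if the plugin's answer changes between the two calls. Evaluating the lookup once makes the result deterministic, for example `const bool have_key = has_encryption_key(fsp_flags_get_page_encryption_key(flags));` followed by a single `if (!have_key) return PAGE_ENCRYPTION_KEY_MISSING;`. If `PAGE_ENCRYPTION_ERROR` was meant to cover a distinct case (no key provider loaded, say), it needs its own test rather than a repeat of the first one. `fil_page_encryption_status` starts and ends outside the hunk, so the indentation and the remaining returns should be confirmed against the full file.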
@@ -163,7 +160,7 @@ fil_page_encryption_status(
if(page_type == FIL_PAGE_PAGE_COMPRESSED_ENCRYPTED) {
ulint key = mach_read_from_4(buf + FIL_PAGE_FILE_FLUSH_LSN_OR_KEY_VERSION);
- if (!HasCryptoKey(key)) {
+ if (!has_encryption_key(key)) {
return PAGE_ENCRYPTION_KEY_MISSING;
}
return PAGE_ENCRYPTION_ERROR;
diff --git a/storage/xtradb/include/log0crypt.h b/storage/xtradb/include/log0crypt.h
index 188e82397a2..0c0d046c471 100644
--- a/storage/xtradb/include/log0crypt.h
+++ b/storage/xtradb/include/log0crypt.h
@@ -12,7 +12,7 @@ Created 11/25/2013 Minli Zhu
#include "ut0lst.h"
#include "ut0rnd.h"
#include "my_aes.h"
-#include "my_crypt_key_management.h" // for key version and key
+#include <my_crypt_key_management.h>
#define PURPOSE_BYTE_LEN MY_AES_BLOCK_SIZE - 1
#define PURPOSE_BYTE_OFFSET 0
diff --git a/storage/xtradb/log/log0crypt.cc b/storage/xtradb/log/log0crypt.cc
index 0647fd04e84..17e1404777e 100644
--- a/storage/xtradb/log/log0crypt.cc
+++ b/storage/xtradb/log/log0crypt.cc
@@ -37,7 +37,7 @@ Note:
We should not use flags and conditions such as:
(srv_encrypt_log &&
debug_use_static_keys &&
- GetLatestCryptoKeyVersion() == UNENCRYPTED_KEY_VER)
+ get_latest_encryption_key_version() == UNENCRYPTED_KEY_VER)
because they haven't been read and set yet in the situation of resetting
redo logs.
*/
@@ -93,7 +93,7 @@ log_init_crypt_key(
}
byte mysqld_key[MY_AES_BLOCK_SIZE] = {0};
- if (GetCryptoKey(crypt_ver, mysqld_key, MY_AES_BLOCK_SIZE))
+ if (get_encryption_key(crypt_ver, mysqld_key, MY_AES_BLOCK_SIZE))
{
fprintf(stderr,
"\nInnodb redo log crypto: getting mysqld crypto key "
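Review bot: `mysqld_key` holds raw key material from `get_encryption_key()` in a stack buffer, and nothing in this hunk shows it being cleared before `log_init_crypt_key` returns. The function continues outside the hunk, so the wipe may already exist there. If it does not, the buffer should be zeroed on every exit path, including the failure branch that prints to stderr, using a call the compiler cannot elide, since a plain `memset` just before return may be optimised away. A short comment at the call would also help, e.g. `/* non-zero return: key for crypt_ver could not be fetched */`, because the branch that follows suggests non-zero means failure but the call site does not say so.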
@@ -234,7 +234,7 @@ log_crypt_set_ver_and_key(
byte* crypt_key) /*!< out: crypto key */
{
if (!srv_encrypt_log ||
- (key_ver = GetLatestCryptoKeyVersion()) == UNENCRYPTED_KEY_VER)
+ (key_ver = get_latest_encryption_key_version()) == UNENCRYPTED_KEY_VER)
{
key_ver = UNENCRYPTED_KEY_VER;
memset(crypt_key, 0, MY_AES_BLOCK_SIZE);
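Review bot: The assignment to `key_ver` sits inside the `||` condition, so whether the plugin is consulted at all depends on short-circuit order, which is easy to misread. Hoisting it keeps the behaviour and reads more plainly: `if (srv_encrypt_log) key_ver = get_latest_encryption_key_version();` followed by `if (!srv_encrypt_log || key_ver == UNENCRYPTED_KEY_VER)`. The branch shown then hands back an all-zero `crypt_key` with `UNENCRYPTED_KEY_VER`. A comment such as `/* zero key is a placeholder; callers must check key_ver before encrypting */` would state the contract that callers presumably rely on. The body of `log_crypt_set_ver_and_key` continues past the hunk.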