author | Jan Lindström <jan.lindstrom@mariadb.com> | 2017-09-14 09:23:20 +0300 |
---|---|---|
committer | Jan Lindström <jan.lindstrom@mariadb.com> | 2017-09-14 09:23:20 +0300 |
commit | fa2701c6f7b028782cf231565f578b2fc0f10d51 (patch) | |
tree | 9fdefbda86d247e32f8c497b716e58eb4412af11 /mysql-test | |
parent | 112d721a74c1f9dcf3321006418fd4abc2884751 (diff) | |
download | mariadb-git-fa2701c6f7b028782cf231565f578b2fc0f10d51.tar.gz |
MDEV-12634: Uninitialised ROW_MERGE_RESERVE_SIZE bytes written to tem…
…porary file
Fixed by removing writing key version to start of every block that
was encrypted. Instead we will use single key version from log_sys
crypt info.
After this MDEV, blocks written to the row log are also encrypted, and
blocks read from the row log are decrypted, if encryption is configured
for the table.
innodb_status_variables[], struct srv_stats_t
Added status variables for merge block and row log block
encryption and decryption amounts.
Removed ROW_MERGE_RESERVE_SIZE define.
row_merge_fts_doc_tokenize
Remove ROW_MERGE_RESERVE_SIZE
row_log_t
Add index, crypt_tail, crypt_head to be used in case of
encryption.
row_log_online_op, row_log_table_close_func
Before writing a block encrypt it if encryption is enabled
row_log_table_apply_ops, row_log_apply_ops
After reading a block decrypt it if encryption is enabled
row_log_allocate
Allocate temporary buffers crypt_head and crypt_tail
if needed.
row_log_free
Free temporary buffers crypt_head and crypt_tail if they
exist.
row_merge_encrypt_buf, row_merge_decrypt_buf
Removed.
row_merge_buf_create, row_merge_buf_write
Remove ROW_MERGE_RESERVE_SIZE
row_merge_build_indexes
Allocate temporary buffer used in decryption and encryption
if needed.
log_tmp_blocks_crypt, log_tmp_block_encrypt, log_temp_block_decrypt
New functions used in block encryption and decryption
log_tmp_is_encrypted
New function to check is encryption enabled.
Added test case innodb-rowlog to force creating a row log and
verify that operations are done using introduced status
variables.
Diffstat (limited to 'mysql-test')
-rw-r--r-- | mysql-test/suite/encryption/r/innodb-rowlog.result | 30 | ||||
-rw-r--r-- | mysql-test/suite/encryption/t/innodb-rowlog.opt | 7 | ||||
-rw-r--r-- | mysql-test/suite/encryption/t/innodb-rowlog.test | 90 |
3 files changed, 127 insertions, 0 deletions
diff --git a/mysql-test/suite/encryption/r/innodb-rowlog.result b/mysql-test/suite/encryption/r/innodb-rowlog.result
new file mode 100644
index 00000000000..873041ab421
--- /dev/null
+++ b/mysql-test/suite/encryption/r/innodb-rowlog.result
@@ -0,0 +1,30 @@
+SET GLOBAL innodb_file_format = `Barracuda`;
+create table t1(id int not null primary key auto_increment, credit_card varchar(200), private varchar(50)) engine=innodb;
+SET SESSION debug_dbug="+d,ib_merge_wait_after_read";
+alter table t1 add index secret (credit_card), ALGORITHM=INPLACE, LOCK=NONE;
+SET GLOBAL innodb_encryption_rotate_key_age = 1;
+create table t2(id int) engine=innodb;
+SET SESSION debug_dbug="+d,ib_merge_wait_after_read";
+alter table t1 add index secret2 (private), ALGORITHM=INPLACE, LOCK=NONE;
+insert into t1(credit_card) select credit_card from t1;
+insert into t1(credit_card) select credit_card from t1;
+insert into t1(credit_card) select credit_card from t1;
+drop table t2;
+SELECT variable_value > 0 FROM information_schema.global_status WHERE variable_name = 'innodb_num_pages_encrypted';
+variable_value > 0
+1
+SELECT variable_value > 0 FROM information_schema.global_status WHERE variable_name = 'innodb_encryption_n_merge_blocks_encrypted';
+variable_value > 0
+1
+SELECT variable_value > 0 FROM information_schema.global_status WHERE variable_name = 'innodb_encryption_n_merge_blocks_decrypted';
+variable_value > 0
+1
+SELECT variable_value > 0 FROM information_schema.global_status WHERE variable_name = 'innodb_encryption_n_rowlog_blocks_encrypted';
+variable_value > 0
+1
+SELECT variable_value > 0 FROM information_schema.global_status WHERE variable_name = 'innodb_encryption_n_rowlog_blocks_decrypted';
+variable_value > 0
+1
+drop table t1;
+SET GLOBAL innodb_file_format=Antelope;
+SET GLOBAL innodb_encryption_rotate_key_age=15;
diff --git a/mysql-test/suite/encryption/t/innodb-rowlog.opt b/mysql-test/suite/encryption/t/innodb-rowlog.opt
new file mode 100644
index 00000000000..6338ddbde35
--- /dev/null
+++ b/mysql-test/suite/encryption/t/innodb-rowlog.opt
@@ -0,0 +1,7 @@
+--aria-encrypt-tables
+--encrypt-tmp-disk-tables
+--innodb-encrypt-tables
+--innodb-encrypt-log
+--innodb-encryption-rotate-key-age=15
+--innodb-encryption-threads=4
+--innodb-tablespaces-encryption
diff --git a/mysql-test/suite/encryption/t/innodb-rowlog.test b/mysql-test/suite/encryption/t/innodb-rowlog.test
new file mode 100644
index 00000000000..135293ef4b9
--- /dev/null
+++ b/mysql-test/suite/encryption/t/innodb-rowlog.test
@@ -0,0 +1,90 @@
+-- source include/have_innodb.inc
+-- source include/have_example_key_management_plugin.inc
+# needs dbug_dbug
+-- source include/have_debug.inc
+
+--disable_warnings
+--disable_query_log
+let $innodb_file_format_orig = `SELECT @@innodb_file_format`;
+let $key_age = `SELECT @@innodb_encryption_rotate_key_age`;
+--enable_query_log
+
+SET GLOBAL innodb_file_format = `Barracuda`;
+--enable_warnings
+
+let $MYSQLD_DATADIR = `SELECT @@datadir`;
+let $MYSQLD_TMPDIR = `SELECT @@tmpdir`;
+
+#
+# Create a table that will be encrypted and put some sensitive data to it (credit card numbers)
+#
+
+create table t1(id int not null primary key auto_increment, credit_card varchar(200), private varchar(50)) engine=innodb;
+
+let $rows = 15000;
+--disable_query_log
+begin;
+while ($rows)
+{
+ eval insert into t1 values(NULL, '0000-0000-0000-0000','private_data');
+ dec $rows;
+}
+commit;
+--enable_query_log
+
+--let $wait_timeout= 600
+--let $wait_condition=SELECT COUNT(*) = 0 FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0
+--source include/wait_condition.inc
+
+#
+# Now we create secondary index for credit_card column in parallel we create new rows
+# forcing alter table to wait so that row log is used.
+#
+SET SESSION debug_dbug="+d,ib_merge_wait_after_read";
+send alter table t1 add index secret (credit_card), ALGORITHM=INPLACE, LOCK=NONE;
+#
+# Force key rotation and create second index for same table
+#
+connect (con2,localhost,root,,);
+SET GLOBAL innodb_encryption_rotate_key_age = 1;
+create table t2(id int) engine=innodb;
+SET SESSION debug_dbug="+d,ib_merge_wait_after_read";
+send alter table t1 add index secret2 (private), ALGORITHM=INPLACE, LOCK=NONE;
+#
+# Create new rows to row log
+#
+connect (con1,localhost,root,,);
+insert into t1(credit_card) select credit_card from t1;
+insert into t1(credit_card) select credit_card from t1;
+insert into t1(credit_card) select credit_card from t1;
+
+connection default;
+reap;
+disconnect con1;
+
+connection con2;
+reap;
+drop table t2;
+
+connection default;
+disconnect con2;
+
+let $wait_condition= select variable_value > 0 from information_schema.global_status where variable_name = 'INNODB_NUM_PAGES_ENCRYPTED';
+--source include/wait_condition.inc
+
+#
+# Verify that both merge blocks and row log blocks are encryted and decrypted
+#
+
+SELECT variable_value > 0 FROM information_schema.global_status WHERE variable_name = 'innodb_num_pages_encrypted';
+SELECT variable_value > 0 FROM information_schema.global_status WHERE variable_name = 'innodb_encryption_n_merge_blocks_encrypted';
+SELECT variable_value > 0 FROM information_schema.global_status WHERE variable_name = 'innodb_encryption_n_merge_blocks_decrypted';
+SELECT variable_value > 0 FROM information_schema.global_status WHERE variable_name = 'innodb_encryption_n_rowlog_blocks_encrypted';
+SELECT variable_value > 0 FROM information_schema.global_status WHERE variable_name = 'innodb_encryption_n_rowlog_blocks_decrypted';
+
+drop table t1;
+
+--disable_warnings
+eval SET GLOBAL innodb_file_format=$innodb_file_format_orig;
+eval SET GLOBAL innodb_encryption_rotate_key_age=$key_age;
+--enable_warnings |
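Review bot: The five closing `SELECT variable_value > 0 ...` checks in innodb-rowlog.test only show that each global counter is non-zero at the end of the run. They do not show that these two ALTERs produced the increments (the counters are read from global status and are presumably cumulative for the server instance), and they say nothing about whether the `0000-0000-0000-0000` / `private_data` values reached a temporary file in plaintext. I would state that limit above the block, e.g. `# Counters > 0 only show the encrypt/decrypt paths ran; this does not inspect the temporary file contents.` `$MYSQLD_DATADIR` and `$MYSQLD_TMPDIR` are assigned near the top but never read in this file, so either drop the two `let` lines or use them for an on-disk content check if the merge and row-log files can be reached by path. The comment `# needs dbug_dbug` presumably means `debug_dbug`.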