encryption plugin controls the encryption

* no --encryption-algorithm option anymore * encrypt/decrypt methods in the encryption plugin * ecnrypt/decrypt methods in the encryption_km service * file_km plugin has --file-key-management-encryption-algorithm * debug_km always uses aes_cbc * example_km changes between aes_cbc and aes_ecb for different key versions
author: Sergei Golubchik <serg@mariadb.org> 2015-03-31 19:32:35 +0200
committer: Sergei Golubchik <serg@mariadb.org> 2015-04-09 18:42:43 +0200
commit: bb1b61b312088ba9f5f2cb606594b6f33c284402 (patch)
tree: c5b433d19434e194fb82d2407adbbfee759dfd31 /plugin
parent: 9ccafffc29526ea30151eb3e62901bfdb77aaf84 (diff)
download: mariadb-git-bb1b61b312088ba9f5f2cb606594b6f33c284402.tar.gz
3 files changed, 81 insertions, 25 deletions
diff --git a/plugin/debug_key_management/debug_key_management_plugin.cc b/plugin/debug_key_management/debug_key_management_plugin.cc
index 9843c08d8bf..5b42c70c772 100644
--- a/plugin/debug_key_management/debug_key_management_plugin.cc
+++ b/plugin/debug_key_management/debug_key_management_plugin.cc
@@ -64,7 +64,8 @@ static unsigned int get_key(unsigned int version, unsigned char* dstbuf, unsigne
 struct st_mariadb_encryption debug_key_management_plugin= {
   MariaDB_ENCRYPTION_INTERFACE_VERSION,
   get_latest_key_version,
-  get_key
+  get_key,
+  0, 0 // use default encrypt/decrypt functions
 };
 
 /*
diff --git a/plugin/example_key_management/example_key_management_plugin.cc b/plugin/example_key_management/example_key_management_plugin.cc
index 5ced65a7088..dd8416504a0 100644
--- a/plugin/example_key_management/example_key_management_plugin.cc
+++ b/plugin/example_key_management/example_key_management_plugin.cc
@@ -27,11 +27,9 @@
 
 #include <my_global.h>
 #include <my_pthread.h>
-#include <my_aes.h>
 #include <mysql/plugin_encryption.h>
-#include <my_md5.h>
 #include <my_rnd.h>
-#include "sql_class.h"
+#include <my_crypt.h>
 
 /* rotate key randomly between 45 and 90 seconds */
 #define KEY_ROTATION_MIN 45
@@ -61,12 +59,12 @@ get_latest_key_version()
 static unsigned int
 get_key(unsigned int version, unsigned char* dstbuf, unsigned *buflen)
 {
-  if (*buflen < MD5_HASH_SIZE)
+  if (*buflen < MY_MD5_HASH_SIZE)
   {
-    *buflen= MD5_HASH_SIZE;
+    *buflen= MY_MD5_HASH_SIZE;
     return KEY_BUFFER_TOO_SMALL;
   }
-  *buflen= MD5_HASH_SIZE;
+  *buflen= MY_MD5_HASH_SIZE;
   if (!dstbuf)
     return 0;
 
@@ -75,21 +73,35 @@ get_key(unsigned int version, unsigned char* dstbuf, unsigned *buflen)
   return 0;
 }
 
+/*
+  for the sake of an example, let's use different encryption algorithms/modes
+  for different keys.
+*/
+int encrypt(const unsigned char* src, unsigned int slen,
+            unsigned char* dst, unsigned int* dlen,
+            const unsigned char* key, unsigned int klen,
+            const unsigned char* iv, unsigned int ivlen,
+            int no_padding, unsigned int key_version)
+{
+  return ((key_version & 1) ? my_aes_encrypt_cbc : my_aes_encrypt_ecb)
+    (src, slen, dst, dlen, key, klen, iv, ivlen, no_padding);
+}
+
+int decrypt(const unsigned char* src, unsigned int slen,
+            unsigned char* dst, unsigned int* dlen,
+            const unsigned char* key, unsigned int klen,
+            const unsigned char* iv, unsigned int ivlen,
+            int no_padding, unsigned int key_version)
+{
+  return ((key_version & 1) ? my_aes_decrypt_cbc : my_aes_decrypt_ecb)
+    (src, slen, dst, dlen, key, klen, iv, ivlen, no_padding);
+}
+
 static int example_key_management_plugin_init(void *p)
 {
   /* init */
   my_rnd_init(&seed, time(0), 0);
   get_latest_key_version();
-
-  if (current_aes_dynamic_method == MY_AES_ALGORITHM_NONE)
-  {
-    sql_print_error("No encryption method choosen with --encryption-algorithm. "
-                    "example_key_management_plugin disabled");
-    return 1;
-  }
-
-  my_aes_init_dynamic_encrypt(current_aes_dynamic_method);
-
   pthread_mutex_init(&mutex, NULL);
 
   return 0;
@@ -104,7 +116,9 @@ static int example_key_management_plugin_deinit(void *p)
 struct st_mariadb_encryption example_key_management_plugin= {
   MariaDB_ENCRYPTION_INTERFACE_VERSION,
   get_latest_key_version,
-  get_key
+  get_key,
+  encrypt,
+  decrypt
 };
 
 /*
diff --git a/plugin/file_key_management/file_key_management_plugin.cc b/plugin/file_key_management/file_key_management_plugin.cc
index be623706051..d7edeb73665 100644
--- a/plugin/file_key_management/file_key_management_plugin.cc
+++ b/plugin/file_key_management/file_key_management_plugin.cc
@@ -15,12 +15,28 @@
 
 
 #include "parser.h"
-#include <mysql_version.h>
 #include <mysql/plugin_encryption.h>
 #include <string.h>
 
 static char* filename;
 static char* filekey;
+static unsigned long encryption_algorithm;
+
+static const char *encryption_algorithm_names[]=
+{
+  "aes_cbc",
+#ifdef HAVE_EncryptAes128Ctr
+  "aes_ctr",
+#endif
+  0
+};
+
+static TYPELIB encryption_algorithm_typelib=
+{
+  array_elements(encryption_algorithm_names)-1,"",
+  encryption_algorithm_names, NULL
+};
+
 
 static MYSQL_SYSVAR_STR(filename, filename,
   PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_READONLY,
@@ -32,9 +48,15 @@ static MYSQL_SYSVAR_STR(filekey, filekey,
   "Key to encrypt / decrypt the keyfile.",
   NULL, NULL, "");
 
+static MYSQL_SYSVAR_ENUM(encryption_algorithm, encryption_algorithm,
+  PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_READONLY,
+  "Encryption algorithm to use.",
+  NULL, NULL, 0, &encryption_algorithm_typelib);
+
 static struct st_mysql_sys_var* settings[] = {
   MYSQL_SYSVAR(filename),
   MYSQL_SYSVAR(filekey),
+  MYSQL_SYSVAR(encryption_algorithm),
   NULL
 };
 
@@ -88,18 +110,37 @@ static unsigned int get_key_from_key_file(unsigned int key_id,
   return 0;
 }
 
+struct st_mariadb_encryption file_key_management_plugin= {
+  MariaDB_ENCRYPTION_INTERFACE_VERSION,
+  get_highest_key_used_in_key_file,
+  get_key_from_key_file,
+  0,0
+};
+
 static int file_key_management_plugin_init(void *p)
 {
   Parser parser(filename, filekey);
+  switch (encryption_algorithm) {
+  case 0: // AES_CBC
+    file_key_management_plugin.encrypt=
+      (encrypt_decrypt_func)my_aes_encrypt_cbc;
+    file_key_management_plugin.decrypt=
+      (encrypt_decrypt_func)my_aes_decrypt_cbc;
+    break;
+#ifdef HAVE_EncryptAes128Ctr
+  case 1: // AES_CTR
+    file_key_management_plugin.encrypt=
+      (encrypt_decrypt_func)my_aes_encrypt_ctr;
+    file_key_management_plugin.decrypt=
+      (encrypt_decrypt_func)my_aes_decrypt_ctr;
+    break;
+#endif
+  default:
+    return 1; // cannot happen
+  }
   return parser.parse(&keys);
 }
 
-struct st_mariadb_encryption file_key_management_plugin= {
-  MariaDB_ENCRYPTION_INTERFACE_VERSION,
-  get_highest_key_used_in_key_file,
-  get_key_from_key_file
-};
-
 /*
   Plugin library descriptor
 */
author	Sergei Golubchik <serg@mariadb.org>	2015-03-31 19:32:35 +0200
committer	Sergei Golubchik <serg@mariadb.org>	2015-04-09 18:42:43 +0200
commit	bb1b61b312088ba9f5f2cb606594b6f33c284402 (patch)
tree	c5b433d19434e194fb82d2407adbbfee759dfd31 /plugin
parent	9ccafffc29526ea30151eb3e62901bfdb77aaf84 (diff)
download	mariadb-git-bb1b61b312088ba9f5f2cb606594b6f33c284402.tar.gz