authorSergei Golubchik <serg@mariadb.org>2015-03-31 19:32:35 +0200
committerSergei Golubchik <serg@mariadb.org>2015-04-09 18:42:43 +0200
commitbb1b61b312088ba9f5f2cb606594b6f33c284402 (patch)
treec5b433d19434e194fb82d2407adbbfee759dfd31 /sql
parent9ccafffc29526ea30151eb3e62901bfdb77aaf84 (diff)
downloadmariadb-git-bb1b61b312088ba9f5f2cb606594b6f33c284402.tar.gz
encryption plugin controls the encryption
* no --encryption-algorithm option anymore * encrypt/decrypt methods in the encryption plugin * encrypt/decrypt methods in the encryption_km service * file_km plugin has --file-key-management-encryption-algorithm * debug_km always uses aes_cbc * example_km changes between aes_cbc and aes_ecb for different key versions
Diffstat (limited to 'sql')
-rw-r--r--sql/encryption_keys.cc51
-rw-r--r--sql/item_strfunc.h4
-rw-r--r--sql/mysqld.cc8
-rw-r--r--sql/sql_plugin_services.h4
-rw-r--r--sql/sys_vars.cc8
5 files changed, 57 insertions, 18 deletions
diff --git a/sql/encryption_keys.cc b/sql/encryption_keys.cc
index b31ec270a8f..8a9a17a5452 100644
--- a/sql/encryption_keys.cc
+++ b/sql/encryption_keys.cc
@@ -1,7 +1,23 @@
+/* Copyright (C) 2015 MariaDB
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
+
#include <my_global.h>
#include <mysql/plugin_encryption.h>
#include "log.h"
#include "sql_plugin.h"
+#include <my_crypt.h>
/* there can be only one encryption plugin enabled */
static plugin_ref encryption_key_manager= 0;
@@ -34,6 +50,34 @@ uint get_encryption_key(uint version, uchar* key, uint *size)
return BAD_ENCRYPTION_KEY_VERSION;
}
+int encrypt_data(const uchar* source, uint source_length,
+ uchar* dest, uint* dest_length,
+ const uchar* key, uint key_length,
+ const uchar* iv, uint iv_length,
+ int no_padding, uint key_version)
+{
+ if (encryption_key_manager)
+ return handle->encrypt(source, source_length,
+ dest, dest_length, key, key_length,
+ iv, iv_length, no_padding, key_version);
+ return 1;
+}
+
+
+int decrypt_data(const uchar* source, uint source_length,
+ uchar* dest, uint* dest_length,
+ const uchar* key, uint key_length,
+ const uchar* iv, uint iv_length,
+ int no_padding, uint key_version)
+{
+ if (encryption_key_manager)
+ return handle->decrypt(source, source_length,
+ dest, dest_length, key, key_length,
+ iv, iv_length, no_padding, key_version);
+ return 1;
+}
+
+
int initialize_encryption_plugin(st_plugin_int *plugin)
{
if (encryption_key_manager)
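Review bot: The new encrypt_data and decrypt_data return the bare constant 1 when no encryption plugin is loaded, and neither function documents what its return value means nor whether `dest_length` is an in/out parameter, so a caller that does not check the result carries on with an untouched `dest`. I would put a header comment on each saying that it forwards to the loaded plugin's encrypt/decrypt (installed by initialize_encryption_plugin), returns 0 on success and the plugin's own error code otherwise, and returns 1 when no plugin is loaded; giving that 1 a named constant would make the "no plugin" case distinguishable at call sites. Note also that the guard tests `encryption_key_manager` but the call dereferences `handle`; the two are assigned together in initialize_encryption_plugin, and a comment stating that pairing would keep a later change from breaking it.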
@@ -49,6 +93,13 @@ int initialize_encryption_plugin(st_plugin_int *plugin)
encryption_key_manager= plugin_lock(NULL, plugin_int_to_ref(plugin));
handle= (struct st_mariadb_encryption*)
plugin->plugin->info;
+
+ /* default encryption algorithm */
+ if (!handle->encrypt)
+ handle->encrypt= (encrypt_decrypt_func)my_aes_encrypt_cbc;
+ if (!handle->decrypt)
+ handle->decrypt= (encrypt_decrypt_func)my_aes_decrypt_cbc;
+
return 0;
}
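Review bot: The casts `(encrypt_decrypt_func)my_aes_encrypt_cbc` and `(encrypt_decrypt_func)my_aes_decrypt_cbc` on the two new assignment lines silence a signature mismatch: judging by the nine-parameter pointer type introduced in item_strfunc.h, my_aes_encrypt_cbc and my_aes_decrypt_cbc have no trailing key_version argument, so every call through handle->encrypt or handle->decrypt goes through an incompatible function-pointer type, which is undefined behaviour even where the calling convention happens to tolerate the extra argument. Small file-scope static adapters with the exact encrypt_decrypt_func signature that discard key_version remove the casts and restore the compiler's type check. The assignments also write into the plugin's own descriptor (`plugin->plugin->info`) rather than a server-side copy, which deserves a comment if intended. initialize_encryption_plugin starts outside this hunk.
```cpp
/* Adapters for the default algorithm: the my_aes_*_cbc routines take no
   key_version, so give the plugin table functions with exactly the
   encrypt_decrypt_func signature instead of casting the pointer type. */
static int default_encrypt(const uchar* source, uint source_length,
                           uchar* dest, uint* dest_length,
                           const uchar* key, uint key_length,
                           const uchar* iv, uint iv_length,
                           int no_padding, uint key_version)
{
  (void) key_version;
  return my_aes_encrypt_cbc(source, source_length, dest, dest_length,
                            key, key_length, iv, iv_length, no_padding);
}

static int default_decrypt(const uchar* source, uint source_length,
                           uchar* dest, uint* dest_length,
                           const uchar* key, uint key_length,
                           const uchar* iv, uint iv_length,
                           int no_padding, uint key_version)
{
  (void) key_version;
  return my_aes_decrypt_cbc(source, source_length, dest, dest_length,
                            key, key_length, iv, iv_length, no_padding);
}

// … unchanged: start of initialize_encryption_plugin, plugin_lock and handle assignment …
  /* default encryption algorithm: fill in whatever the plugin left unset */
  if (!handle->encrypt)
    handle->encrypt= default_encrypt;
  if (!handle->decrypt)
    handle->decrypt= default_decrypt;
```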
diff --git a/sql/item_strfunc.h b/sql/item_strfunc.h
index e11d2c41bc6..ca699b28245 100644
--- a/sql/item_strfunc.h
+++ b/sql/item_strfunc.h
@@ -142,7 +142,9 @@ class Item_aes_crypt :public Item_str_func
void create_key(String *user_key, uchar* key);
protected:
- my_aes_encrypt_dynamic_type crypt;
+ int (*crypt)(const uchar* src, uint slen, uchar* dst, uint* dlen,
+ const uchar* key, uint klen, const uchar* iv, uint ivlen,
+ int no_padding);
public:
Item_aes_crypt(Item *a, Item *b) :Item_str_func(a,b) {}
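Review bot: The replacement type of `crypt` on the added lines spells out a nine-parameter function pointer inline; if the my_aes_* routines in my_crypt.h have exactly this signature, a typedef declared next to them and used here would keep the two declarations from drifting apart and would make the difference from encrypt_decrypt_func, which carries an extra key_version parameter, visible at a glance. Item_aes_crypt's definition continues outside the hunk.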
diff --git a/sql/mysqld.cc b/sql/mysqld.cc
index da432063c0a..c002a9d7d46 100644
--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -630,7 +630,6 @@ char *mysqld_unix_port, *opt_mysql_tmpdir;
ulong thread_handling;
my_bool encrypt_tmp_disk_tables;
-ulong encryption_algorithm;
/** name of reference on left expression in rewritten IN subquery */
const char *in_left_expr_name= "<left expr>";
@@ -4804,13 +4803,6 @@ static int init_server_components()
my_rnd_init(&sql_rand,(ulong) server_start_time,(ulong) server_start_time/2);
setup_fpu();
init_thr_lock();
- if (my_aes_init_dynamic_encrypt((enum_my_aes_encryption_algorithm)
- encryption_algorithm))
- {
- fprintf(stderr, "Can't initialize encryption algorithm to \"%s\".\nCheck that the program is linked with the right library (openssl?)\n",
- encryption_algorithm_names[encryption_algorithm]);
- unireg_abort(1);
- }
#ifndef EMBEDDED_LIBRARY
if (init_thr_timer(thread_scheduler->max_threads + extra_max_connections))
diff --git a/sql/sql_plugin_services.h b/sql/sql_plugin_services.h
index 4511d8bca59..8deac855a53 100644
--- a/sql/sql_plugin_services.h
+++ b/sql/sql_plugin_services.h
@@ -143,7 +143,9 @@ static struct encryption_keys_service_st encryption_keys_handler=
{
get_latest_encryption_key_version,
has_encryption_key,
- get_encryption_key
+ get_encryption_key,
+ encrypt_data,
+ decrypt_data
};
static struct thd_specifics_service_st thd_specifics_handler=
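Review bot: Appending `encrypt_data` and `decrypt_data` to encryption_keys_handler changes the layout of the `encryption_keys_service_st` struct that plugins are compiled against, and because the diffstat shown is limited to sql/ I cannot see whether the service's version constant in the public service header was bumped in the same commit. If it was not, a plugin built against the new header but loaded into a server with the old struct would call through two pointers past its end. A comment at the new entries, `/* adding members here requires bumping the service version in the public header */`, would record that invariant for the next extension.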
diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc
index 9cba8739eee..32935f3404e 100644
--- a/sql/sys_vars.cc
+++ b/sql/sys_vars.cc
@@ -5168,14 +5168,6 @@ static Sys_var_mybool Sys_encrypt_tmp_disk_tables(
GLOBAL_VAR(encrypt_tmp_disk_tables),
CMD_LINE(OPT_ARG), DEFAULT(FALSE));
-const char *encryption_algorithm_names[]=
-{ "none", "aes_ecb", "aes_cbc", "aes_ctr", 0 };
-static Sys_var_enum Sys_encryption_algorithm(
- "encryption_algorithm",
- "Which encryption algorithm to use for table encryption. aes_cbc is the recommended one.",
- READ_ONLY GLOBAL_VAR(encryption_algorithm),CMD_LINE(REQUIRED_ARG),
- encryption_algorithm_names, DEFAULT(0));
-
static bool check_pseudo_slave_mode(sys_var *self, THD *thd, set_var *var)
{
longlong previous_val= thd->variables.pseudo_slave_mode;