diff options
author | Jan Lindström <jan.lindstrom@mariadb.com> | 2018-04-06 12:55:43 +0300 |
---|---|---|
committer | Jan Lindström <jan.lindstrom@mariadb.com> | 2018-04-06 12:59:43 +0300 |
commit | 81075d45c6c7a63f43ea7268c3517bfa55ce2017 (patch) | |
tree | 7c4203caade557987f899af5e6aa0393667d97d2 /storage/innobase/fil | |
parent | 3be6cef59364e6673f861b5ae0bf4fb4da8b8751 (diff) | |
download | mariadb-git-81075d45c6c7a63f43ea7268c3517bfa55ce2017.tar.gz |
MDEV-15566: System tablespace does not easily key rotate to unencrypted
Problem was that key rotation from encrypted to unecrypted was skipped
when encryption is disabled (i.e. set global innodb-encrypt-tables=OFF).
fil_crypt_needs_rotation
If encryption is disabled (i.e. innodb-encrypt-tables=off)
and there is tablespaces using default encryption (e.g.
system tablespace) that are still encrypted state we need
to rotate them from encrypted state to unencrypted state.
Diffstat (limited to 'storage/innobase/fil')
-rw-r--r-- | storage/innobase/fil/fil0crypt.cc | 46 |
1 files changed, 28 insertions, 18 deletions
diff --git a/storage/innobase/fil/fil0crypt.cc b/storage/innobase/fil/fil0crypt.cc index 3095503cfc5..a9e887ad10c 100644 --- a/storage/innobase/fil/fil0crypt.cc +++ b/storage/innobase/fil/fil0crypt.cc @@ -1,6 +1,6 @@ /***************************************************************************** Copyright (C) 2013, 2015, Google Inc. All Rights Reserved. -Copyright (c) 2014, 2017, MariaDB Corporation. All Rights Reserved. +Copyright (c) 2014, 2018, MariaDB Corporation. All Rights Reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software @@ -114,17 +114,17 @@ extern my_bool srv_background_scrub_data_compressed; /*********************************************************************** Check if a key needs rotation given a key_state -@param[in] encrypt_mode Encryption mode +@param[in] crypt_data Encryption information @param[in] key_version Current key version @param[in] latest_key_version Latest key version @param[in] rotate_key_age when to rotate @return true if key needs rotation, false if not */ static bool fil_crypt_needs_rotation( - fil_encryption_t encrypt_mode, - uint key_version, - uint latest_key_version, - uint rotate_key_age) + const fil_space_crypt_t* crypt_data, + uint key_version, + uint latest_key_version, + uint rotate_key_age) MY_ATTRIBUTE((warn_unused_result)); /********************************************************************* @@ -187,7 +187,8 @@ fil_crypt_get_latest_key_version( if (crypt_data->is_key_found()) { - if (fil_crypt_needs_rotation(crypt_data->encryption, + if (fil_crypt_needs_rotation( + crypt_data, crypt_data->min_key_version, key_version, srv_fil_crypt_rotate_key_age)) { @@ -963,17 +964,17 @@ fil_crypt_get_key_state( /*********************************************************************** Check if a key needs rotation given a key_state -@param[in] encrypt_mode Encryption mode +@param[in] crypt_data Encryption information @param[in] key_version Current key version @param[in] latest_key_version Latest key version @param[in] rotate_key_age when to rotate @return true if key needs rotation, false if not */ static bool fil_crypt_needs_rotation( - fil_encryption_t encrypt_mode, - uint key_version, - uint latest_key_version, - uint rotate_key_age) + const fil_space_crypt_t* crypt_data, + uint key_version, + uint latest_key_version, + uint rotate_key_age) { if (key_version == ENCRYPTION_KEY_VERSION_INVALID) { return false; @@ -986,13 +987,20 @@ fil_crypt_needs_rotation( } if (latest_key_version == 0 && key_version != 0) { - if (encrypt_mode == FIL_ENCRYPTION_DEFAULT) { + if (crypt_data->encryption == FIL_ENCRYPTION_DEFAULT) { /* this is rotation encrypted => unencrypted */ return true; } return false; } + if (crypt_data->encryption == FIL_ENCRYPTION_DEFAULT + && crypt_data->type == CRYPT_SCHEME_1 + && srv_encrypt_tables == 0 ) { + /* This is rotation encrypted => unencrypted */ + return true; + } + /* this is rotation encrypted => encrypted, * only reencrypt if key is sufficiently old */ if (key_version + rotate_key_age < latest_key_version) { @@ -1272,9 +1280,10 @@ fil_crypt_space_needs_rotation( } bool need_key_rotation = fil_crypt_needs_rotation( - crypt_data->encryption, + crypt_data, crypt_data->min_key_version, - key_state->key_version, key_state->rotate_key_age); + key_state->key_version, + key_state->rotate_key_age); crypt_data->rotate_state.scrubbing.is_active = btr_scrub_start_space(space->id, &state->scrub_data); @@ -1862,9 +1871,10 @@ fil_crypt_rotate_page( ut_ad(kv == 0); ut_ad(page_get_space_id(frame) == 0); } else if (fil_crypt_needs_rotation( - crypt_data->encryption, - kv, key_state->key_version, - key_state->rotate_key_age)) { + crypt_data, + kv, + key_state->key_version, + key_state->rotate_key_age)) { modified = true; |