diff options
36 files changed, 405 insertions, 477 deletions
diff --git a/include/my_aes.h b/include/my_aes.h index 824fa5540ef..b5df86fb5ab 100644 --- a/include/my_aes.h +++ b/include/my_aes.h @@ -24,8 +24,6 @@ #include <my_global.h> -typedef int Crypt_result; - #define AES_OK 0 #define AES_BAD_DATA -1 #define AES_BAD_IV -2 @@ -49,84 +47,6 @@ typedef int Crypt_result; C_MODE_START -/** - Crypt buffer with AES dynamic (defined at startup) encryption algorithm. - - SYNOPSIS - my_aes_encrypt_dynamic() - @param source [in] Pointer to data for encryption - @param source_length [in] Size of encryption data - @param dest [out] Buffer to place encrypted data (must be large enough) - @param dest_length [out] Pointer to size of encrypted data - @param key [in] Key to be used for encryption - @param key_length [in] Length of the key. 16, 24 or 32 - @param iv [in] Iv to be used for encryption - @param iv_length [in] Length of the iv. should be 16. - @param noPadding [in] if set, algorithm specific padding behaviour is used - - Method used defined by calling my_aes_init_dynamic_encrypt() at startup. - - @return - != 0 error - 0 no error -*/ - -typedef int (*my_aes_encrypt_dynamic_type)(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const uchar* key, uint8 key_length, - const uchar* iv, uint8 iv_length, - uint noPadding); - -extern MYSQL_PLUGIN_IMPORT my_aes_encrypt_dynamic_type my_aes_encrypt_dynamic; - -/** - AES decryption AES dynamic (defined at startup) encryption algorithm. - - SYNOPSIS - my_aes_decrypt_dynamic() - @param source [in] Pointer to data to decrypt - @param source_length [in] Size of data - @param dest [out] Buffer to place decrypted data (must be large enough) - @param dest_length [out] Pointer to size of decrypted data - @param key [in] Key to be used for decryption - @param key_length [in] Length of the key. 16, 24 or 32 - @param iv [in] Iv to be used for encryption - @param iv_length [in] Length of the iv. should be 16. - @param noPadding [in] if set, algorithm specific padding behaviour is used - - @return - != 0 error - 0 no error - - Method used defined by calling my_aes_init_dynamic_encrypt() at startup. -*/ - -typedef int (*my_aes_decrypt_dynamic_type)(const uchar *source, - uint32 source_length, - uchar *dest, uint32 *dest_length, - const uchar *key, uint8 key_length, - const uchar *iv, uint8 iv_length, - uint noPadding); -extern MYSQL_PLUGIN_IMPORT my_aes_decrypt_dynamic_type my_aes_decrypt_dynamic; - -/** - Initialize dynamic crypt functions -*/ - -enum enum_my_aes_encryption_algorithm -{ - MY_AES_ALGORITHM_NONE, MY_AES_ALGORITHM_ECB, MY_AES_ALGORITHM_CBC, - MY_AES_ALGORITHM_CTR -}; - -my_aes_decrypt_dynamic_type get_aes_decrypt_func(enum enum_my_aes_encryption_algorithm method); -my_aes_encrypt_dynamic_type get_aes_encrypt_func(enum enum_my_aes_encryption_algorithm method); - - -my_bool my_aes_init_dynamic_encrypt(enum enum_my_aes_encryption_algorithm method); - -extern MYSQL_PLUGIN_IMPORT enum enum_my_aes_encryption_algorithm current_aes_dynamic_method; - int my_aes_get_size(int source_length); C_MODE_END diff --git a/include/my_crypt.h b/include/my_crypt.h index 83665659178..c6cddbd99e3 100644 --- a/include/my_crypt.h +++ b/include/my_crypt.h @@ -26,45 +26,45 @@ C_MODE_START #ifdef HAVE_EncryptAes128Ctr -Crypt_result my_aes_encrypt_ctr(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const unsigned char* key, uint8 key_length, - const unsigned char* iv, uint8 iv_length, - uint no_padding); - -Crypt_result my_aes_decrypt_ctr(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const unsigned char* key, uint8 key_length, - const unsigned char* iv, uint8 iv_length, - uint no_padding); +int my_aes_encrypt_ctr(const uchar* source, uint source_length, + uchar* dest, uint* dest_length, + const unsigned char* key, uint key_length, + const unsigned char* iv, uint iv_length, + int no_padding); + +int my_aes_decrypt_ctr(const uchar* source, uint source_length, + uchar* dest, uint* dest_length, + const unsigned char* key, uint key_length, + const unsigned char* iv, uint iv_length, + int no_padding); #endif -Crypt_result my_aes_encrypt_cbc(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const unsigned char* key, uint8 key_length, - const unsigned char* iv, uint8 iv_length, - uint no_padding); - -Crypt_result my_aes_decrypt_cbc(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const unsigned char* key, uint8 key_length, - const unsigned char* iv, uint8 iv_length, - uint no_padding); - -Crypt_result my_aes_encrypt_ecb(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const unsigned char* key, uint8 key_length, - const unsigned char* iv, uint8 iv_length, - uint no_padding); - -Crypt_result my_aes_decrypt_ecb(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const unsigned char* key, uint8 key_length, - const unsigned char* iv, uint8 iv_length, - uint no_padding); - -Crypt_result my_random_bytes(uchar* buf, int num); +int my_aes_encrypt_cbc(const uchar* source, uint source_length, + uchar* dest, uint* dest_length, + const unsigned char* key, uint key_length, + const unsigned char* iv, uint iv_length, + int no_padding); + +int my_aes_decrypt_cbc(const uchar* source, uint source_length, + uchar* dest, uint* dest_length, + const unsigned char* key, uint key_length, + const unsigned char* iv, uint iv_length, + int no_padding); + +int my_aes_encrypt_ecb(const uchar* source, uint source_length, + uchar* dest, uint* dest_length, + const unsigned char* key, uint key_length, + const unsigned char* iv, uint iv_length, + int no_padding); + +int my_aes_decrypt_ecb(const uchar* source, uint source_length, + uchar* dest, uint* dest_length, + const unsigned char* key, uint key_length, + const unsigned char* iv, uint iv_length, + int no_padding); + +int my_random_bytes(uchar* buf, int num); C_MODE_END diff --git a/include/mysql/plugin_audit.h.pp b/include/mysql/plugin_audit.h.pp index c4661e2b383..30647a7c331 100644 --- a/include/mysql/plugin_audit.h.pp +++ b/include/mysql/plugin_audit.h.pp @@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key); void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key); int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value); #include <mysql/service_encryption_keys.h> +typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version); extern struct encryption_keys_service_st { unsigned int (*get_latest_encryption_key_version_func)(); unsigned int (*has_encryption_key_func)(unsigned int); unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*); + encrypt_decrypt_func encrypt_data_func; + encrypt_decrypt_func decrypt_data_func; } *encryption_keys_service; unsigned int get_latest_encryption_key_version(); unsigned int has_encryption_key(unsigned int version); unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize); +int encrypt_data(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version); +int decrypt_data(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version); struct st_mysql_xid { long formatID; long gtrid_length; diff --git a/include/mysql/plugin_auth.h.pp b/include/mysql/plugin_auth.h.pp index 09986993139..e821a7d1bfb 100644 --- a/include/mysql/plugin_auth.h.pp +++ b/include/mysql/plugin_auth.h.pp @@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key); void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key); int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value); #include <mysql/service_encryption_keys.h> +typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version); extern struct encryption_keys_service_st { unsigned int (*get_latest_encryption_key_version_func)(); unsigned int (*has_encryption_key_func)(unsigned int); unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*); + encrypt_decrypt_func encrypt_data_func; + encrypt_decrypt_func decrypt_data_func; } *encryption_keys_service; unsigned int get_latest_encryption_key_version(); unsigned int has_encryption_key(unsigned int version); unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize); +int encrypt_data(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version); +int decrypt_data(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version); struct st_mysql_xid { long formatID; long gtrid_length; diff --git a/include/mysql/plugin_encryption.h b/include/mysql/plugin_encryption.h index 43697096f04..a91a53c8ad5 100644 --- a/include/mysql/plugin_encryption.h +++ b/include/mysql/plugin_encryption.h @@ -1,5 +1,5 @@ #ifndef MYSQL_PLUGIN_ENCRYPTION_INCLUDED -/* Copyright (C) 2014 Sergei Golubchik and MariaDB +/* Copyright (C) 2014, 2015 Sergei Golubchik and MariaDB This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -29,9 +29,6 @@ #define MariaDB_ENCRYPTION_INTERFACE_VERSION 0x0200 -#define BAD_ENCRYPTION_KEY_VERSION (~(unsigned int)0) -#define KEY_BUFFER_TOO_SMALL (100) - /** Encryption plugin descriptor */ @@ -68,6 +65,9 @@ struct st_mariadb_encryption */ unsigned int (*get_key)(unsigned int version, unsigned char *key, unsigned int *key_length); + + encrypt_decrypt_func encrypt; + encrypt_decrypt_func decrypt; }; #endif diff --git a/include/mysql/plugin_encryption.h.pp b/include/mysql/plugin_encryption.h.pp index a09e0e0543b..100928f0b19 100644 --- a/include/mysql/plugin_encryption.h.pp +++ b/include/mysql/plugin_encryption.h.pp @@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key); void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key); int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value); #include <mysql/service_encryption_keys.h> +typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version); extern struct encryption_keys_service_st { unsigned int (*get_latest_encryption_key_version_func)(); unsigned int (*has_encryption_key_func)(unsigned int); unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*); + encrypt_decrypt_func encrypt_data_func; + encrypt_decrypt_func decrypt_data_func; } *encryption_keys_service; unsigned int get_latest_encryption_key_version(); unsigned int has_encryption_key(unsigned int version); unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize); +int encrypt_data(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version); +int decrypt_data(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version); struct st_mysql_xid { long formatID; long gtrid_length; @@ -368,4 +385,6 @@ struct st_mariadb_encryption unsigned int (*get_latest_key_version)(); unsigned int (*get_key)(unsigned int version, unsigned char *key, unsigned int *key_length); + encrypt_decrypt_func encrypt; + encrypt_decrypt_func decrypt; }; diff --git a/include/mysql/plugin_ftparser.h.pp b/include/mysql/plugin_ftparser.h.pp index e9315f4fe83..0c58e6912ca 100644 --- a/include/mysql/plugin_ftparser.h.pp +++ b/include/mysql/plugin_ftparser.h.pp @@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key); void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key); int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value); #include <mysql/service_encryption_keys.h> +typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version); extern struct encryption_keys_service_st { unsigned int (*get_latest_encryption_key_version_func)(); unsigned int (*has_encryption_key_func)(unsigned int); unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*); + encrypt_decrypt_func encrypt_data_func; + encrypt_decrypt_func decrypt_data_func; } *encryption_keys_service; unsigned int get_latest_encryption_key_version(); unsigned int has_encryption_key(unsigned int version); unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize); +int encrypt_data(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version); +int decrypt_data(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version); struct st_mysql_xid { long formatID; long gtrid_length; diff --git a/include/mysql/plugin_password_validation.h.pp b/include/mysql/plugin_password_validation.h.pp index a82d5fd9150..8ab0f680815 100644 --- a/include/mysql/plugin_password_validation.h.pp +++ b/include/mysql/plugin_password_validation.h.pp @@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key); void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key); int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value); #include <mysql/service_encryption_keys.h> +typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version); extern struct encryption_keys_service_st { unsigned int (*get_latest_encryption_key_version_func)(); unsigned int (*has_encryption_key_func)(unsigned int); unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*); + encrypt_decrypt_func encrypt_data_func; + encrypt_decrypt_func decrypt_data_func; } *encryption_keys_service; unsigned int get_latest_encryption_key_version(); unsigned int has_encryption_key(unsigned int version); unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize); +int encrypt_data(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version); +int decrypt_data(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version); struct st_mysql_xid { long formatID; long gtrid_length; diff --git a/include/mysql/service_encryption_keys.h b/include/mysql/service_encryption_keys.h index f162bba3cff..105146d00a5 100644 --- a/include/mysql/service_encryption_keys.h +++ b/include/mysql/service_encryption_keys.h @@ -25,10 +25,21 @@ extern "C" { #endif +#define BAD_ENCRYPTION_KEY_VERSION (~(unsigned int)0) +#define KEY_BUFFER_TOO_SMALL (100) + +typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version); + extern struct encryption_keys_service_st { unsigned int (*get_latest_encryption_key_version_func)(); unsigned int (*has_encryption_key_func)(unsigned int); unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*); + encrypt_decrypt_func encrypt_data_func; + encrypt_decrypt_func decrypt_data_func; } *encryption_keys_service; #ifdef MYSQL_DYNAMIC_PLUGIN @@ -36,13 +47,23 @@ extern struct encryption_keys_service_st { #define get_latest_encryption_key_version() encryption_keys_service->get_latest_encryption_key_version_func() #define has_encryption_key(V) encryption_keys_service->has_encryption_key_func(V) #define get_encryption_key(V,K,S) encryption_keys_service->get_encryption_key_func((V), (K), (S)) - +#define encrypt_data(S,SL,D,DL,K,KL,I,IL,NP,KV) encryption_keys_service->encrypt_data_func(S,SL,D,DL,K,KL,I,IL,NP,KV) +#define decrypt_data(S,SL,D,DL,K,KL,I,IL,NP,KV) encryption_keys_service->decrypt_data_func(S,SL,D,DL,K,KL,I,IL,NP,KV) #else unsigned int get_latest_encryption_key_version(); unsigned int has_encryption_key(unsigned int version); unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize); - +int encrypt_data(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version); +int decrypt_data(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version); #endif #ifdef __cplusplus diff --git a/mysql-test/include/encryption_algorithms.combinations b/mysql-test/include/encryption_algorithms.combinations index 09c1e91e1cd..f8598401e5f 100644 --- a/mysql-test/include/encryption_algorithms.combinations +++ b/mysql-test/include/encryption_algorithms.combinations @@ -1,8 +1,5 @@ [cbc] -encryption-algorithm=aes_cbc - -[ecb] -encryption-algorithm=aes_ecb +file-key-management-encryption-algorithm=aes_cbc [ctr] -encryption-algorithm=aes_ctr +file-key-management-encryption-algorithm=aes_ctr diff --git a/mysql-test/include/have_example_key_management_plugin.inc b/mysql-test/include/have_example_key_management_plugin.inc index d04aad2532f..a87d3256ee0 100644 --- a/mysql-test/include/have_example_key_management_plugin.inc +++ b/mysql-test/include/have_example_key_management_plugin.inc @@ -1,5 +1,3 @@ --- source encryption_algorithms.inc - if (!$EXAMPLE_KEY_MANAGEMENT_SO) { --skip Needs example_key_management diff --git a/mysql-test/include/have_file_key_management_plugin.inc b/mysql-test/include/have_file_key_management_plugin.inc index f85214332f7..baada3a7d47 100644 --- a/mysql-test/include/have_file_key_management_plugin.inc +++ b/mysql-test/include/have_file_key_management_plugin.inc @@ -1,4 +1,4 @@ --- source encryption_algorithms.inc +--source encryption_algorithms.inc if (!$FILE_KEY_MANAGEMENT_SO) { diff --git a/mysql-test/r/mysqld--help.result b/mysql-test/r/mysqld--help.result index 7d59ecd1dc2..3bd5e296ec9 100644 --- a/mysql-test/r/mysqld--help.result +++ b/mysql-test/r/mysqld--help.result @@ -165,10 +165,6 @@ The following options may be given as the first argument: --encrypt-tmp-disk-tables Encrypt tmp disk tables (created as part of query execution) - --encryption-algorithm=name - Which encryption algorithm to use for table encryption. - aes_cbc is the recommended one.. One of: none, aes_ecb, - aes_cbc, aes_ctr --enforce-storage-engine=name Force the use of a storage engine for new tables --event-scheduler[=name] @@ -1151,7 +1147,6 @@ delayed-insert-timeout 300 delayed-queue-size 1000 div-precision-increment 4 encrypt-tmp-disk-tables FALSE -encryption-algorithm none enforce-storage-engine (No default value) event-scheduler OFF expensive-subquery-limit 100 diff --git a/mysql-test/suite/plugins/t/filekeys_plugin.opt b/mysql-test/suite/plugins/t/filekeys_plugin.opt index 43d00186d59..b42e6266e66 100644 --- a/mysql-test/suite/plugins/t/filekeys_plugin.opt +++ b/mysql-test/suite/plugins/t/filekeys_plugin.opt @@ -1,2 +1 @@ --plugin-load-add=$FILE_KEY_MANAGEMENT_SO ---encryption-algorithm=aes_cbc diff --git a/mysql-test/suite/sys_vars/r/encryption_algorithm_basic.result b/mysql-test/suite/sys_vars/r/encryption_algorithm_basic.result deleted file mode 100644 index a9101b0f950..00000000000 --- a/mysql-test/suite/sys_vars/r/encryption_algorithm_basic.result +++ /dev/null @@ -1,7 +0,0 @@ -select @@global.encryption_algorithm; -@@global.encryption_algorithm -none -select @@session.encryption_algorithm; -ERROR HY000: Variable 'encryption_algorithm' is a GLOBAL variable -set global encryption_algorithm="none"; -ERROR HY000: Variable 'encryption_algorithm' is a read only variable diff --git a/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result b/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result index e72678c5243..21d4ea85dd9 100644 --- a/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result +++ b/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result @@ -681,20 +681,6 @@ NUMERIC_BLOCK_SIZE 1 ENUM_VALUE_LIST NULL READ_ONLY NO COMMAND_LINE_ARGUMENT REQUIRED -VARIABLE_NAME ENCRYPTION_ALGORITHM -SESSION_VALUE NULL -GLOBAL_VALUE none -GLOBAL_VALUE_ORIGIN COMPILE-TIME -DEFAULT_VALUE none -VARIABLE_SCOPE GLOBAL -VARIABLE_TYPE ENUM -VARIABLE_COMMENT Which encryption algorithm to use for table encryption. aes_cbc is the recommended one. -NUMERIC_MIN_VALUE NULL -NUMERIC_MAX_VALUE NULL -NUMERIC_BLOCK_SIZE NULL -ENUM_VALUE_LIST none,aes_ecb,aes_cbc,aes_ctr -READ_ONLY YES -COMMAND_LINE_ARGUMENT REQUIRED VARIABLE_NAME ENCRYPT_TMP_DISK_TABLES SESSION_VALUE NULL GLOBAL_VALUE OFF diff --git a/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result b/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result index 7908300bf8f..ea4019e65cc 100644 --- a/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result +++ b/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result @@ -695,20 +695,6 @@ NUMERIC_BLOCK_SIZE 1 ENUM_VALUE_LIST NULL READ_ONLY NO COMMAND_LINE_ARGUMENT REQUIRED -VARIABLE_NAME ENCRYPTION_ALGORITHM -SESSION_VALUE NULL -GLOBAL_VALUE none -GLOBAL_VALUE_ORIGIN COMPILE-TIME -DEFAULT_VALUE none -VARIABLE_SCOPE GLOBAL -VARIABLE_TYPE ENUM -VARIABLE_COMMENT Which encryption algorithm to use for table encryption. aes_cbc is the recommended one. -NUMERIC_MIN_VALUE NULL -NUMERIC_MAX_VALUE NULL -NUMERIC_BLOCK_SIZE NULL -ENUM_VALUE_LIST none,aes_ecb,aes_cbc,aes_ctr -READ_ONLY YES -COMMAND_LINE_ARGUMENT REQUIRED VARIABLE_NAME ENCRYPT_TMP_DISK_TABLES SESSION_VALUE NULL GLOBAL_VALUE OFF diff --git a/mysql-test/suite/sys_vars/t/encryption_algorithm_basic.test b/mysql-test/suite/sys_vars/t/encryption_algorithm_basic.test deleted file mode 100644 index 065453eba34..00000000000 --- a/mysql-test/suite/sys_vars/t/encryption_algorithm_basic.test +++ /dev/null @@ -1,13 +0,0 @@ -# bool global - -# exists as global only -# -select @@global.encryption_algorithm; ---error ER_INCORRECT_GLOBAL_LOCAL_VAR -select @@session.encryption_algorithm; - -# -# show that it's not writable -# ---error 1238 -set global encryption_algorithm="none"; diff --git a/mysys_ssl/my_aes.cc b/mysys_ssl/my_aes.cc index 97af3c39381..069d8d74ab2 100644 --- a/mysys_ssl/my_aes.cc +++ b/mysys_ssl/my_aes.cc @@ -19,163 +19,9 @@ #include <my_crypt.h> /** - Encryption interface that doesn't do anything (for testing) - - SYNOPSIS - my_aes_encrypt_none() - @param source [in] Pointer to data for encryption - @param source_length [in] Size of encryption data - @param dest [out] Buffer to place encrypted data (must be large enough) - @param dest_length [out] Pointer to size of encrypted data - @param key [in] Key to be used for encryption - @param key_length [in] Length of the key. 16, 24 or 32 - @param iv [in] Iv to be used for encryption - @param iv_length [in] Length of the iv. should be 16. - @param noPadding [in] unused - @return - != 0 error - 0 no error -*/ - -static int my_aes_encrypt_none(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const unsigned char* key, uint8 key_length, - const unsigned char* iv, uint8 iv_length, - uint noPadding) -{ - memcpy(dest, source, source_length); - *dest_length= source_length; - return 0; -} - - -/** - Decryption interface that doesn't do anything (for testing) - - SYNOPSIS - my_aes_decrypt_none() - @param source [in] Pointer to data to decrypt - @param source_length [in] Size of data - @param dest [out] Buffer to place decrypted data (must be large enough) - @param dest_length [out] Pointer to size of decrypted data - @param key [in] Key to be used for decryption - @param key_length [in] Length of the key. 16, 24 or 32 - @param iv [in] Iv to be used for encryption - @param iv_length [in] Length of the iv. should be 16. - @param noPadding [in] unused - - @return - != 0 error - 0 no error -*/ - -int my_aes_decrypt_none(const uchar* source, uint32 source_length, - uchar* dest, uint32 *dest_length, - const unsigned char* key, uint8 key_length, - const unsigned char* iv, uint8 iv_length, - uint noPadding) -{ - memcpy(dest, source, source_length); - *dest_length= source_length; - return 0; -} - -/** Initialize encryption methods */ -my_aes_decrypt_dynamic_type my_aes_decrypt_dynamic= my_aes_decrypt_none; -my_aes_encrypt_dynamic_type my_aes_encrypt_dynamic= my_aes_encrypt_none; -enum_my_aes_encryption_algorithm current_aes_dynamic_method= MY_AES_ALGORITHM_NONE; - -my_bool my_aes_init_dynamic_encrypt(enum_my_aes_encryption_algorithm method) -{ - switch (method) - { - /* used for encrypting tables */ - case MY_AES_ALGORITHM_ECB: - my_aes_encrypt_dynamic= my_aes_encrypt_ecb; - my_aes_decrypt_dynamic= my_aes_decrypt_ecb; - break; - case MY_AES_ALGORITHM_CBC: - my_aes_encrypt_dynamic= my_aes_encrypt_cbc; - my_aes_decrypt_dynamic= my_aes_decrypt_cbc; - break; -#ifdef HAVE_EncryptAes128Ctr - /* encrypt everything, with a set of keys */ - case MY_AES_ALGORITHM_CTR: - my_aes_encrypt_dynamic= my_aes_encrypt_ctr; - my_aes_decrypt_dynamic= my_aes_decrypt_ctr; - break; -#endif - /* Simulate encrypting interface */ - case MY_AES_ALGORITHM_NONE: - my_aes_encrypt_dynamic= my_aes_encrypt_none; - my_aes_decrypt_dynamic= my_aes_decrypt_none; - break; - default: - return 1; - } - current_aes_dynamic_method= method; - return 0; -} - -my_aes_decrypt_dynamic_type -get_aes_decrypt_func(enum_my_aes_encryption_algorithm method) -{ - switch (method) - { - /* used for encrypting tables */ - case MY_AES_ALGORITHM_ECB: - return my_aes_decrypt_ecb; - break; - case MY_AES_ALGORITHM_CBC: - return my_aes_decrypt_cbc; - break; -#ifdef HAVE_EncryptAes128Ctr - /* encrypt everything, with a set of keys */ - case MY_AES_ALGORITHM_CTR: - return my_aes_decrypt_ctr; - break; -#endif - /* Simulate encrypting interface */ - case MY_AES_ALGORITHM_NONE: - return my_aes_decrypt_none; - break; - default: - return NULL; - } - return NULL; -} - -my_aes_encrypt_dynamic_type -get_aes_encrypt_func(enum_my_aes_encryption_algorithm method) -{ - switch (method) - { - /* used for encrypting tables */ - case MY_AES_ALGORITHM_ECB: - return my_aes_encrypt_ecb; - break; - case MY_AES_ALGORITHM_CBC: - return my_aes_encrypt_cbc; - break; -#ifdef HAVE_EncryptAes128Ctr - /* encrypt everything, with a set of keys */ - case MY_AES_ALGORITHM_CTR: - return my_aes_encrypt_ctr; - break; -#endif - /* Simulate encrypting interface */ - case MY_AES_ALGORITHM_NONE: - return my_aes_encrypt_none; - break; - default: - return NULL; - } - return NULL; -} - /** Get size of buffer which will be large enough for encrypted data diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc index 60072a5bbaf..1709ae5e5eb 100644 --- a/mysys_ssl/my_crypt.cc +++ b/mysys_ssl/my_crypt.cc @@ -26,8 +26,8 @@ static const Dir CRYPT_ENCRYPT = TaoCrypt::ENCRYPTION; static const Dir CRYPT_DECRYPT = TaoCrypt::DECRYPTION; typedef TaoCrypt::Mode CipherMode; -static inline CipherMode aes_ecb(uint8) { return TaoCrypt::ECB; } -static inline CipherMode aes_cbc(uint8) { return TaoCrypt::CBC; } +static inline CipherMode aes_ecb(uint) { return TaoCrypt::ECB; } +static inline CipherMode aes_cbc(uint) { return TaoCrypt::CBC; } typedef TaoCrypt::byte KeyByte; @@ -42,7 +42,7 @@ static const Dir CRYPT_DECRYPT = 0; typedef const EVP_CIPHER *CipherMode; #define make_aes_dispatcher(mode) \ - static inline CipherMode aes_ ## mode(uint8 key_length) \ + static inline CipherMode aes_ ## mode(uint key_length) \ { \ switch (key_length) { \ case 16: return EVP_aes_128_ ## mode(); \ @@ -67,10 +67,10 @@ struct MyCTX : EVP_CIPHER_CTX { #endif static int do_crypt(CipherMode cipher, Dir dir, - const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const KeyByte *key, uint8 key_length, - const KeyByte *iv, uint8 iv_length, int no_padding) + const uchar* source, uint source_length, + uchar* dest, uint* dest_length, + const KeyByte *key, uint key_length, + const KeyByte *iv, uint iv_length, int no_padding) { int tail= source_length % MY_AES_BLOCK_SIZE; @@ -123,8 +123,8 @@ static int do_crypt(CipherMode cipher, Dir dir, EVP_CIPHER_CTX_set_padding(&ctx, !no_padding); - DBUG_ASSERT(EVP_CIPHER_CTX_key_length(&ctx) == key_length); - DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(&ctx) == iv_length); + DBUG_ASSERT(EVP_CIPHER_CTX_key_length(&ctx) == (int)key_length); + DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(&ctx) == (int)iv_length); DBUG_ASSERT(EVP_CIPHER_CTX_block_size(&ctx) == MY_AES_BLOCK_SIZE || !no_padding); /* use built-in OpenSSL padding, if possible */ @@ -164,11 +164,11 @@ C_MODE_START #ifdef HAVE_EncryptAes128Ctr -int my_aes_encrypt_ctr(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const uchar* key, uint8 key_length, - const uchar* iv, uint8 iv_length, - uint no_padding) +int my_aes_encrypt_ctr(const uchar* source, uint source_length, + uchar* dest, uint* dest_length, + const uchar* key, uint key_length, + const uchar* iv, uint iv_length, + int no_padding) { /* CTR is a stream cipher mode, it needs no special padding code */ return do_crypt(aes_ctr(key_length), CRYPT_ENCRYPT, source, source_length, @@ -176,11 +176,11 @@ int my_aes_encrypt_ctr(const uchar* source, uint32 source_length, } -int my_aes_decrypt_ctr(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const uchar* key, uint8 key_length, - const uchar* iv, uint8 iv_length, - uint no_padding) +int my_aes_decrypt_ctr(const uchar* source, uint source_length, + uchar* dest, uint* dest_length, + const uchar* key, uint key_length, + const uchar* iv, uint iv_length, + int no_padding) { return do_crypt(aes_ctr(key_length), CRYPT_DECRYPT, source, source_length, dest, dest_length, key, key_length, iv, iv_length, 0); @@ -188,41 +188,41 @@ int my_aes_decrypt_ctr(const uchar* source, uint32 source_length, #endif /* HAVE_EncryptAes128Ctr */ -int my_aes_encrypt_ecb(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const uchar* key, uint8 key_length, - const uchar* iv, uint8 iv_length, - uint no_padding) +int my_aes_encrypt_ecb(const uchar* source, uint source_length, + uchar* dest, uint* dest_length, + const uchar* key, uint key_length, + const uchar* iv, uint iv_length, + int no_padding) { return do_crypt(aes_ecb(key_length), CRYPT_ENCRYPT, source, source_length, dest, dest_length, key, key_length, 0, 0, no_padding); } -int my_aes_decrypt_ecb(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const uchar* key, uint8 key_length, - const uchar* iv, uint8 iv_length, - uint no_padding) +int my_aes_decrypt_ecb(const uchar* source, uint source_length, + uchar* dest, uint* dest_length, + const uchar* key, uint key_length, + const uchar* iv, uint iv_length, + int no_padding) { return do_crypt(aes_ecb(key_length), CRYPT_DECRYPT, source, source_length, dest, dest_length, key, key_length, 0, 0, no_padding); } -int my_aes_encrypt_cbc(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const uchar* key, uint8 key_length, - const uchar* iv, uint8 iv_length, - uint no_padding) +int my_aes_encrypt_cbc(const uchar* source, uint source_length, + uchar* dest, uint* dest_length, + const uchar* key, uint key_length, + const uchar* iv, uint iv_length, + int no_padding) { return do_crypt(aes_cbc(key_length), CRYPT_ENCRYPT, source, source_length, dest, dest_length, key, key_length, iv, iv_length, no_padding); } -int my_aes_decrypt_cbc(const uchar* source, uint32 source_length, - uchar* dest, uint32* dest_length, - const uchar* key, uint8 key_length, - const uchar* iv, uint8 iv_length, - uint no_padding) +int my_aes_decrypt_cbc(const uchar* source, uint source_length, + uchar* dest, uint* dest_length, + const uchar* key, uint key_length, + const uchar* iv, uint iv_length, + int no_padding) { return do_crypt(aes_cbc(key_length), CRYPT_DECRYPT, source, source_length, dest, dest_length, key, key_length, iv, iv_length, no_padding); diff --git a/plugin/debug_key_management/debug_key_management_plugin.cc b/plugin/debug_key_management/debug_key_management_plugin.cc index 9843c08d8bf..5b42c70c772 100644 --- a/plugin/debug_key_management/debug_key_management_plugin.cc +++ b/plugin/debug_key_management/debug_key_management_plugin.cc @@ -64,7 +64,8 @@ static unsigned int get_key(unsigned int version, unsigned char* dstbuf, unsigne struct st_mariadb_encryption debug_key_management_plugin= { MariaDB_ENCRYPTION_INTERFACE_VERSION, get_latest_key_version, - get_key + get_key, + 0, 0 // use default encrypt/decrypt functions }; /* diff --git a/plugin/example_key_management/example_key_management_plugin.cc b/plugin/example_key_management/example_key_management_plugin.cc index 5ced65a7088..dd8416504a0 100644 --- a/plugin/example_key_management/example_key_management_plugin.cc +++ b/plugin/example_key_management/example_key_management_plugin.cc @@ -27,11 +27,9 @@ #include <my_global.h> #include <my_pthread.h> -#include <my_aes.h> #include <mysql/plugin_encryption.h> -#include <my_md5.h> #include <my_rnd.h> -#include "sql_class.h" +#include <my_crypt.h> /* rotate key randomly between 45 and 90 seconds */ #define KEY_ROTATION_MIN 45 @@ -61,12 +59,12 @@ get_latest_key_version() static unsigned int get_key(unsigned int version, unsigned char* dstbuf, unsigned *buflen) { - if (*buflen < MD5_HASH_SIZE) + if (*buflen < MY_MD5_HASH_SIZE) { - *buflen= MD5_HASH_SIZE; + *buflen= MY_MD5_HASH_SIZE; return KEY_BUFFER_TOO_SMALL; } - *buflen= MD5_HASH_SIZE; + *buflen= MY_MD5_HASH_SIZE; if (!dstbuf) return 0; @@ -75,21 +73,35 @@ get_key(unsigned int version, unsigned char* dstbuf, unsigned *buflen) return 0; } +/* + for the sake of an example, let's use different encryption algorithms/modes + for different keys. +*/ +int encrypt(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version) +{ + return ((key_version & 1) ? my_aes_encrypt_cbc : my_aes_encrypt_ecb) + (src, slen, dst, dlen, key, klen, iv, ivlen, no_padding); +} + +int decrypt(const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen, + const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int no_padding, unsigned int key_version) +{ + return ((key_version & 1) ? my_aes_decrypt_cbc : my_aes_decrypt_ecb) + (src, slen, dst, dlen, key, klen, iv, ivlen, no_padding); +} + static int example_key_management_plugin_init(void *p) { /* init */ my_rnd_init(&seed, time(0), 0); get_latest_key_version(); - - if (current_aes_dynamic_method == MY_AES_ALGORITHM_NONE) - { - sql_print_error("No encryption method choosen with --encryption-algorithm. " - "example_key_management_plugin disabled"); - return 1; - } - - my_aes_init_dynamic_encrypt(current_aes_dynamic_method); - pthread_mutex_init(&mutex, NULL); return 0; @@ -104,7 +116,9 @@ static int example_key_management_plugin_deinit(void *p) struct st_mariadb_encryption example_key_management_plugin= { MariaDB_ENCRYPTION_INTERFACE_VERSION, get_latest_key_version, - get_key + get_key, + encrypt, + decrypt }; /* diff --git a/plugin/file_key_management/file_key_management_plugin.cc b/plugin/file_key_management/file_key_management_plugin.cc index be623706051..d7edeb73665 100644 --- a/plugin/file_key_management/file_key_management_plugin.cc +++ b/plugin/file_key_management/file_key_management_plugin.cc @@ -15,12 +15,28 @@ #include "parser.h" -#include <mysql_version.h> #include <mysql/plugin_encryption.h> #include <string.h> static char* filename; static char* filekey; +static unsigned long encryption_algorithm; + +static const char *encryption_algorithm_names[]= +{ + "aes_cbc", +#ifdef HAVE_EncryptAes128Ctr + "aes_ctr", +#endif + 0 +}; + +static TYPELIB encryption_algorithm_typelib= +{ + array_elements(encryption_algorithm_names)-1,"", + encryption_algorithm_names, NULL +}; + static MYSQL_SYSVAR_STR(filename, filename, PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_READONLY, @@ -32,9 +48,15 @@ static MYSQL_SYSVAR_STR(filekey, filekey, "Key to encrypt / decrypt the keyfile.", NULL, NULL, ""); +static MYSQL_SYSVAR_ENUM(encryption_algorithm, encryption_algorithm, + PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_READONLY, + "Encryption algorithm to use.", + NULL, NULL, 0, &encryption_algorithm_typelib); + static struct st_mysql_sys_var* settings[] = { MYSQL_SYSVAR(filename), MYSQL_SYSVAR(filekey), + MYSQL_SYSVAR(encryption_algorithm), NULL }; @@ -88,18 +110,37 @@ static unsigned int get_key_from_key_file(unsigned int key_id, return 0; } +struct st_mariadb_encryption file_key_management_plugin= { + MariaDB_ENCRYPTION_INTERFACE_VERSION, + get_highest_key_used_in_key_file, + get_key_from_key_file, + 0,0 +}; + static int file_key_management_plugin_init(void *p) { Parser parser(filename, filekey); + switch (encryption_algorithm) { + case 0: // AES_CBC + file_key_management_plugin.encrypt= + (encrypt_decrypt_func)my_aes_encrypt_cbc; + file_key_management_plugin.decrypt= + (encrypt_decrypt_func)my_aes_decrypt_cbc; + break; +#ifdef HAVE_EncryptAes128Ctr + case 1: // AES_CTR + file_key_management_plugin.encrypt= + (encrypt_decrypt_func)my_aes_encrypt_ctr; + file_key_management_plugin.decrypt= + (encrypt_decrypt_func)my_aes_decrypt_ctr; + break; +#endif + default: + return 1; // cannot happen + } return parser.parse(&keys); } -struct st_mariadb_encryption file_key_management_plugin= { - MariaDB_ENCRYPTION_INTERFACE_VERSION, - get_highest_key_used_in_key_file, - get_key_from_key_file -}; - /* Plugin library descriptor */ diff --git a/sql/encryption_keys.cc b/sql/encryption_keys.cc index b31ec270a8f..8a9a17a5452 100644 --- a/sql/encryption_keys.cc +++ b/sql/encryption_keys.cc @@ -1,7 +1,23 @@ +/* Copyright (C) 2015 MariaDB + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ + #include <my_global.h> #include <mysql/plugin_encryption.h> #include "log.h" #include "sql_plugin.h" +#include <my_crypt.h> /* there can be only one encryption plugin enabled */ static plugin_ref encryption_key_manager= 0; @@ -34,6 +50,34 @@ uint get_encryption_key(uint version, uchar* key, uint *size) return BAD_ENCRYPTION_KEY_VERSION; } +int encrypt_data(const uchar* source, uint source_length, + uchar* dest, uint* dest_length, + const uchar* key, uint key_length, + const uchar* iv, uint iv_length, + int no_padding, uint key_version) +{ + if (encryption_key_manager) + return handle->encrypt(source, source_length, + dest, dest_length, key, key_length, + iv, iv_length, no_padding, key_version); + return 1; +} + + +int decrypt_data(const uchar* source, uint source_length, + uchar* dest, uint* dest_length, + const uchar* key, uint key_length, + const uchar* iv, uint iv_length, + int no_padding, uint key_version) +{ + if (encryption_key_manager) + return handle->decrypt(source, source_length, + dest, dest_length, key, key_length, + iv, iv_length, no_padding, key_version); + return 1; +} + + int initialize_encryption_plugin(st_plugin_int *plugin) { if (encryption_key_manager) @@ -49,6 +93,13 @@ int initialize_encryption_plugin(st_plugin_int *plugin) encryption_key_manager= plugin_lock(NULL, plugin_int_to_ref(plugin)); handle= (struct st_mariadb_encryption*) plugin->plugin->info; + + /* default encryption algorithm */ + if (!handle->encrypt) + handle->encrypt= (encrypt_decrypt_func)my_aes_encrypt_cbc; + if (!handle->decrypt) + handle->decrypt= (encrypt_decrypt_func)my_aes_decrypt_cbc; + return 0; } diff --git a/sql/item_strfunc.h b/sql/item_strfunc.h index e11d2c41bc6..ca699b28245 100644 --- a/sql/item_strfunc.h +++ b/sql/item_strfunc.h @@ -142,7 +142,9 @@ class Item_aes_crypt :public Item_str_func void create_key(String *user_key, uchar* key); protected: - my_aes_encrypt_dynamic_type crypt; + int (*crypt)(const uchar* src, uint slen, uchar* dst, uint* dlen, + const uchar* key, uint klen, const uchar* iv, uint ivlen, + int no_padding); public: Item_aes_crypt(Item *a, Item *b) :Item_str_func(a,b) {} diff --git a/sql/mysqld.cc b/sql/mysqld.cc index da432063c0a..c002a9d7d46 100644 --- a/sql/mysqld.cc +++ b/sql/mysqld.cc @@ -630,7 +630,6 @@ char *mysqld_unix_port, *opt_mysql_tmpdir; ulong thread_handling; my_bool encrypt_tmp_disk_tables; -ulong encryption_algorithm; /** name of reference on left expression in rewritten IN subquery */ const char *in_left_expr_name= "<left expr>"; @@ -4804,13 +4803,6 @@ static int init_server_components() my_rnd_init(&sql_rand,(ulong) server_start_time,(ulong) server_start_time/2); setup_fpu(); init_thr_lock(); - if (my_aes_init_dynamic_encrypt((enum_my_aes_encryption_algorithm) - encryption_algorithm)) - { - fprintf(stderr, "Can't initialize encryption algorithm to \"%s\".\nCheck that the program is linked with the right library (openssl?)\n", - encryption_algorithm_names[encryption_algorithm]); - unireg_abort(1); - } #ifndef EMBEDDED_LIBRARY if (init_thr_timer(thread_scheduler->max_threads + extra_max_connections)) diff --git a/sql/sql_plugin_services.h b/sql/sql_plugin_services.h index 4511d8bca59..8deac855a53 100644 --- a/sql/sql_plugin_services.h +++ b/sql/sql_plugin_services.h @@ -143,7 +143,9 @@ static struct encryption_keys_service_st encryption_keys_handler= { get_latest_encryption_key_version, has_encryption_key, - get_encryption_key + get_encryption_key, + encrypt_data, + decrypt_data }; static struct thd_specifics_service_st thd_specifics_handler= diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc index 9cba8739eee..32935f3404e 100644 --- a/sql/sys_vars.cc +++ b/sql/sys_vars.cc @@ -5168,14 +5168,6 @@ static Sys_var_mybool Sys_encrypt_tmp_disk_tables( GLOBAL_VAR(encrypt_tmp_disk_tables), CMD_LINE(OPT_ARG), DEFAULT(FALSE)); -const char *encryption_algorithm_names[]= -{ "none", "aes_ecb", "aes_cbc", "aes_ctr", 0 }; -static Sys_var_enum Sys_encryption_algorithm( - "encryption_algorithm", - "Which encryption algorithm to use for table encryption. aes_cbc is the recommended one.", - READ_ONLY GLOBAL_VAR(encryption_algorithm),CMD_LINE(REQUIRED_ARG), - encryption_algorithm_names, DEFAULT(0)); - static bool check_pseudo_slave_mode(sys_var *self, THD *thd, set_var *var) { longlong previous_val= thd->variables.pseudo_slave_mode; diff --git a/storage/innobase/fil/fil0crypt.cc b/storage/innobase/fil/fil0crypt.cc index 5020d2345b9..57029c684d4 100644 --- a/storage/innobase/fil/fil0crypt.cc +++ b/storage/innobase/fil/fil0crypt.cc @@ -693,11 +693,9 @@ fil_space_encrypt(ulint space, ulint offset, lsn_t lsn, srclen = page_size - FIL_PAGE_DATA; } - int rc = (* my_aes_encrypt_dynamic)(src, srclen, - dst, &dstlen, - (unsigned char*)key, key_length, - (unsigned char*)iv, sizeof(iv), - 1); + int rc = encrypt_data(src, srclen, dst, &dstlen, + (unsigned char*)key, key_length, + (unsigned char*)iv, sizeof(iv), 1, key_version); if (! ((rc == AES_OK) && ((ulint) dstlen == srclen))) { ib_logf(IB_LOG_LEVEL_FATAL, @@ -867,11 +865,9 @@ fil_space_decrypt(fil_space_crypt_t* crypt_data, srclen = pow((double)2, (double)((int)compressed_len)) - FIL_PAGE_DATA; } - int rc = (* my_aes_decrypt_dynamic)(src, srclen, - dst, &dstlen, - (unsigned char*)key, key_length, - (unsigned char*)iv, sizeof(iv), - 1); + int rc = decrypt_data(src, srclen, dst, &dstlen, + (unsigned char*)key, key_length, + (unsigned char*)iv, sizeof(iv), 1, key_version); if (! ((rc == AES_OK) && ((ulint) dstlen == srclen))) { ib_logf(IB_LOG_LEVEL_FATAL, diff --git a/storage/innobase/include/log0crypt.h b/storage/innobase/include/log0crypt.h index 9c7c0229ba4..8d5f8c61dd1 100644 --- a/storage/innobase/include/log0crypt.h +++ b/storage/innobase/include/log0crypt.h @@ -17,6 +17,8 @@ Created 11/25/2013 Minli Zhu #define PURPOSE_BYTE_OFFSET 0 #define UNENCRYPTED_KEY_VER 0 +typedef int Crypt_result; + /* If true, enable redo log encryption. */ extern my_bool srv_encrypt_log; /* Plain text used by AES_ECB to generate redo log crypt key. */ diff --git a/storage/innobase/log/log0crypt.cc b/storage/innobase/log/log0crypt.cc index 4a7474761a3..f2609b9502a 100644 --- a/storage/innobase/log/log0crypt.cc +++ b/storage/innobase/log/log0crypt.cc @@ -32,7 +32,6 @@ Modified Jan Lindström jan.lindstrom@mariadb.com #include "srv0start.h" // for srv_start_lsn #include "log0recv.h" // for recv_sys -#include "mysql/plugin_encryption.h" // for BAD_ENCRYPTION_KEY_VERSION #include "ha_prototypes.h" // IB_LOG_ /* If true, enable redo log encryption. */ @@ -127,12 +126,10 @@ log_init_crypt_key( } uint32 dst_len; - my_aes_encrypt_dynamic_type func= get_aes_encrypt_func(MY_AES_ALGORITHM_ECB); - int rc= (*func)(crypt_msg, MY_AES_BLOCK_SIZE, //src, srclen + int rc= my_aes_encrypt_ecb(crypt_msg, MY_AES_BLOCK_SIZE, //src, srclen key, &dst_len, //dst, &dstlen (unsigned char*)&mysqld_key, sizeof(mysqld_key), - NULL, 0, - 1); + NULL, 0, 1); if (rc != AES_OK || dst_len != MY_AES_BLOCK_SIZE) { @@ -207,11 +204,11 @@ log_blocks_crypt( mach_write_to_4(aes_ctr_counter + 11, log_block_no); bzero(aes_ctr_counter + 15, 1); - int rc = (* my_aes_encrypt_dynamic)(log_block + LOG_BLOCK_HDR_SIZE, src_len, - dst_block + LOG_BLOCK_HDR_SIZE, &dst_len, - (unsigned char*)key, 16, - aes_ctr_counter, MY_AES_BLOCK_SIZE, - 1); + int rc = encrypt_data(log_block + LOG_BLOCK_HDR_SIZE, src_len, + dst_block + LOG_BLOCK_HDR_SIZE, &dst_len, + (unsigned char*)key, 16, + aes_ctr_counter, MY_AES_BLOCK_SIZE, 1, + recv_sys->recv_log_crypt_ver); ut_a(rc == AES_OK); ut_a(dst_len == src_len); @@ -266,8 +263,7 @@ log_crypt_set_ver_and_key( encrypted = true; if (vkey == UNENCRYPTED_KEY_VER || - vkey == BAD_ENCRYPTION_KEY_VERSION || - vkey == (unsigned int)CRYPT_KEY_UNKNOWN) { + vkey == BAD_ENCRYPTION_KEY_VERSION) { encrypted = false; ib_logf(IB_LOG_LEVEL_WARN, diff --git a/storage/maria/ma_check_standalone.h b/storage/maria/ma_check_standalone.h index 241bc7c2739..056d4660a72 100644 --- a/storage/maria/ma_check_standalone.h +++ b/storage/maria/ma_check_standalone.h @@ -23,6 +23,40 @@ void _mi_report_crashed(void *file __attribute__((unused)), { } +unsigned int get_latest_encryption_key_version() +{ + return BAD_ENCRYPTION_KEY_VERSION; +} + +int encrypt_data(const uchar* source __attribute__((unused)), + uint source_length __attribute__((unused)), + uchar* dest __attribute__((unused)), + uint* dest_length __attribute__((unused)), + const uchar* key __attribute__((unused)), + uint key_length __attribute__((unused)), + const uchar* iv __attribute__((unused)), + uint iv_length __attribute__((unused)), + int no_padding __attribute__((unused)), + uint key_version __attribute__((unused))) +{ + return 1; +} + + +int decrypt_data(const uchar* source __attribute__((unused)), + uint source_length __attribute__((unused)), + uchar* dest __attribute__((unused)), + uint* dest_length __attribute__((unused)), + const uchar* key __attribute__((unused)), + uint key_length __attribute__((unused)), + const uchar* iv __attribute__((unused)), + uint iv_length __attribute__((unused)), + int no_padding __attribute__((unused)), + uint key_version __attribute__((unused))) +{ + return 1; +} + /* only those that included myisamchk.h may need and can use the below */ #ifdef _myisamchk_h /* @@ -121,5 +155,6 @@ void _ma_check_print_error(HA_CHECK *param, const char *fmt,...) va_end(args); DBUG_VOID_RETURN; } + #endif diff --git a/storage/maria/ma_crypt.c b/storage/maria/ma_crypt.c index c471a246bbf..fabfbe9d584 100644 --- a/storage/maria/ma_crypt.c +++ b/storage/maria/ma_crypt.c @@ -16,7 +16,6 @@ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ #include <my_global.h> -#include "ma_crypt.h" #include "maria_def.h" #include "ma_blockrec.h" #include <my_crypt.h> @@ -291,7 +290,7 @@ void ma_crypt_set_data_pagecache_callbacks(PAGECACHE_FILE *file, __attribute__((unused))) { /* Only use encryption if we have defined it */ - if (likely(current_aes_dynamic_method != MY_AES_ALGORITHM_NONE)) + if (get_latest_encryption_key_version() != BAD_ENCRYPTION_KEY_VERSION) { file->pre_read_hook= ma_crypt_pre_read_hook; file->post_read_hook= ma_crypt_data_post_read_hook; @@ -411,17 +410,16 @@ static int ma_encrypt(MARIA_CRYPT_DATA *crypt_data, int rc; uint32 dstlen; uchar counter[COUNTER_LEN]; + *key_version= 1; // create counter block memcpy(counter + 0, crypt_data->iv + CRYPT_SCHEME_1_IV_LEN, 4); int4store(counter + 4, pageno); int8store(counter + 8, lsn); - rc = my_aes_encrypt_dynamic(src, size, - dst, &dstlen, - crypt_data->iv, CRYPT_SCHEME_1_IV_LEN, - counter, sizeof(counter), - 1); + rc = encrypt_data(src, size, dst, &dstlen, + crypt_data->iv, CRYPT_SCHEME_1_IV_LEN, + counter, sizeof(counter), 1, *key_version); DBUG_ASSERT(rc == AES_OK); DBUG_ASSERT(dstlen == size); @@ -434,7 +432,6 @@ static int ma_encrypt(MARIA_CRYPT_DATA *crypt_data, return 1; } - *key_version= 1; return 0; } @@ -452,11 +449,9 @@ static int ma_decrypt(MARIA_CRYPT_DATA *crypt_data, int4store(counter + 4, pageno); int8store(counter + 8, lsn); - rc = my_aes_decrypt_dynamic(src, size, - dst, &dstlen, - crypt_data->iv, CRYPT_SCHEME_1_IV_LEN, - counter, sizeof(counter), - 1); + rc =decrypt_data(src, size, dst, &dstlen, + crypt_data->iv, CRYPT_SCHEME_1_IV_LEN, + counter, sizeof(counter), 1, key_version); DBUG_ASSERT(rc == AES_OK); DBUG_ASSERT(dstlen == size); diff --git a/storage/xtradb/fil/fil0crypt.cc b/storage/xtradb/fil/fil0crypt.cc index 24592e6a11d..660cfb9417d 100644 --- a/storage/xtradb/fil/fil0crypt.cc +++ b/storage/xtradb/fil/fil0crypt.cc @@ -693,11 +693,9 @@ fil_space_encrypt(ulint space, ulint offset, lsn_t lsn, srclen = page_size - FIL_PAGE_DATA; } - int rc = (* my_aes_encrypt_dynamic)(src, srclen, - dst, &dstlen, - (unsigned char*)key, key_length, - (unsigned char*)iv, sizeof(iv), - 1); + int rc = encrypt_data(src, srclen, dst, &dstlen, + (unsigned char*)key, key_length, + (unsigned char*)iv, sizeof(iv), 1, key_version); if (! ((rc == AES_OK) && ((ulint) dstlen == srclen))) { ib_logf(IB_LOG_LEVEL_FATAL, @@ -867,11 +865,9 @@ fil_space_decrypt(fil_space_crypt_t* crypt_data, srclen = pow((double)2, (double)((int)compressed_len)) - FIL_PAGE_DATA; } - int rc = (* my_aes_decrypt_dynamic)(src, srclen, - dst, &dstlen, - (unsigned char*)key, key_length, - (unsigned char*)iv, sizeof(iv), - 1); + int rc = decrypt_data(src, srclen, dst, &dstlen, + (unsigned char*)key, key_length, + (unsigned char*)iv, sizeof(iv), 1, key_version); if (! ((rc == AES_OK) && ((ulint) dstlen == srclen))) { ib_logf(IB_LOG_LEVEL_FATAL, diff --git a/storage/xtradb/include/log0crypt.h b/storage/xtradb/include/log0crypt.h index 9c7c0229ba4..8d5f8c61dd1 100644 --- a/storage/xtradb/include/log0crypt.h +++ b/storage/xtradb/include/log0crypt.h @@ -17,6 +17,8 @@ Created 11/25/2013 Minli Zhu #define PURPOSE_BYTE_OFFSET 0 #define UNENCRYPTED_KEY_VER 0 +typedef int Crypt_result; + /* If true, enable redo log encryption. */ extern my_bool srv_encrypt_log; /* Plain text used by AES_ECB to generate redo log crypt key. */ diff --git a/storage/xtradb/log/log0crypt.cc b/storage/xtradb/log/log0crypt.cc index 4a7474761a3..643e3a08ec4 100644 --- a/storage/xtradb/log/log0crypt.cc +++ b/storage/xtradb/log/log0crypt.cc @@ -32,7 +32,6 @@ Modified Jan Lindström jan.lindstrom@mariadb.com #include "srv0start.h" // for srv_start_lsn #include "log0recv.h" // for recv_sys -#include "mysql/plugin_encryption.h" // for BAD_ENCRYPTION_KEY_VERSION #include "ha_prototypes.h" // IB_LOG_ /* If true, enable redo log encryption. */ @@ -127,12 +126,10 @@ log_init_crypt_key( } uint32 dst_len; - my_aes_encrypt_dynamic_type func= get_aes_encrypt_func(MY_AES_ALGORITHM_ECB); - int rc= (*func)(crypt_msg, MY_AES_BLOCK_SIZE, //src, srclen + int rc= my_aes_encrypt_ecb(crypt_msg, MY_AES_BLOCK_SIZE, //src, srclen key, &dst_len, //dst, &dstlen (unsigned char*)&mysqld_key, sizeof(mysqld_key), - NULL, 0, - 1); + NULL, 0, 1); if (rc != AES_OK || dst_len != MY_AES_BLOCK_SIZE) { @@ -207,11 +204,11 @@ log_blocks_crypt( mach_write_to_4(aes_ctr_counter + 11, log_block_no); bzero(aes_ctr_counter + 15, 1); - int rc = (* my_aes_encrypt_dynamic)(log_block + LOG_BLOCK_HDR_SIZE, src_len, - dst_block + LOG_BLOCK_HDR_SIZE, &dst_len, - (unsigned char*)key, 16, - aes_ctr_counter, MY_AES_BLOCK_SIZE, - 1); + int rc = encrypt_data(log_block + LOG_BLOCK_HDR_SIZE, src_len, + dst_block + LOG_BLOCK_HDR_SIZE, &dst_len, + (unsigned char*)key, 16, + aes_ctr_counter, MY_AES_BLOCK_SIZE, 1, + log_sys->redo_log_crypt_ver); ut_a(rc == AES_OK); ut_a(dst_len == src_len); @@ -266,8 +263,7 @@ log_crypt_set_ver_and_key( encrypted = true; if (vkey == UNENCRYPTED_KEY_VER || - vkey == BAD_ENCRYPTION_KEY_VERSION || - vkey == (unsigned int)CRYPT_KEY_UNKNOWN) { + vkey == BAD_ENCRYPTION_KEY_VERSION) { encrypted = false; ib_logf(IB_LOG_LEVEL_WARN, |