-rw-r--r-- | mysql-test/std_data/logkey.txt | 2 | ||||
-rw-r--r-- | mysql-test/suite/encryption/r/innodb-log-encrypt.result | 55 | ||||
-rw-r--r-- | mysql-test/suite/encryption/t/innodb-log-encrypt.opt | 6 | ||||
-rw-r--r-- | mysql-test/suite/encryption/t/innodb-log-encrypt.test | 112 | ||||
-rw-r--r-- | storage/innobase/log/log0crypt.cc | 18 | ||||
-rw-r--r-- | storage/xtradb/log/log0crypt.cc | 18 |
6 files changed, 195 insertions, 16 deletions
diff --git a/mysql-test/std_data/logkey.txt b/mysql-test/std_data/logkey.txt
new file mode 100644
index 00000000000..cf470c15201
--- /dev/null
+++ b/mysql-test/std_data/logkey.txt
@@ -0,0 +1,2 @@
+1;36D6CB74CA7D4586CCC7261E174079CC5639E5F681D500ADFA887C165AD49301
+2;F51F5108CF6048B4C9C88BA6CE1C13F9F1CBEE82080F7FA0F979DEF5D4B94509
diff --git a/mysql-test/suite/encryption/r/innodb-log-encrypt.result b/mysql-test/suite/encryption/r/innodb-log-encrypt.result
new file mode 100644
index 00000000000..3e281efd08a
--- /dev/null
+++ b/mysql-test/suite/encryption/r/innodb-log-encrypt.result
@@ -0,0 +1,55 @@
+SET GLOBAL innodb_file_format = `Barracuda`;
+SET GLOBAL innodb_file_per_table = ON;
+create table t1(c1 bigint not null, b char(200), c varchar(200)) engine=innodb encrypted=yes encryption_key_id=1;
+show warnings;
+Level Code Message
+create procedure innodb_insert_proc (repeat_count int)
+begin
+declare current_num int;
+set current_num = 0;
+while current_num < repeat_count do
+insert into t1 values(current_num, substring(MD5(RAND()), -64), REPEAT('secredsecredsecred',10));
+set current_num = current_num + 1;
+end while;
+end//
+commit;
+set autocommit=0;
+call innodb_insert_proc(2000);
+commit;
+set autocommit=1;
+update t1 set c1 = c1 +1;
+select count(*) from t1;
+count(*)
+2000
+# ibdata1 yes on expecting NOT FOUND
+NOT FOUND /secredsecred/ in ibdata1
+# t1 yes on expecting NOT FOUND
+NOT FOUND /secredsecred/ in t1.ibd
+# log0 yes on expecting NOT FOUND
+NOT FOUND /secredsecred/ in ib_logfile0
+# log1 yes on expecting NOT FOUND
+NOT FOUND /secredsecred/ in ib_logfile1
+# Restart mysqld --innodb_encrypt_log=0
+insert into t1 values(5000, substring(MD5(RAND()), -64), REPEAT('notsecred',10));
+insert into t1 values(5001, substring(MD5(RAND()), -64), REPEAT('notsecred',10));
+insert into t1 values(5002, substring(MD5(RAND()), -64), REPEAT('notsecred',10));
+insert into t1 values(5003, substring(MD5(RAND()), -64), REPEAT('notsecred',10));
+insert into t1 values(5004, substring(MD5(RAND()), -64), REPEAT('notsecred',10));
+# ibdata1 yes on expecting NOT FOUND
+NOT FOUND /secredsecred/ in ibdata1
+# t1 yes on expecting NOT FOUND
+NOT FOUND /secredsecred/ in t1.ibd
+# log0 yes on expecting NOT FOUND
+NOT FOUND /secredsecred/ in ib_logfile0
+# log1 yes on expecting NOT FOUND
+NOT FOUND /secredsecred/ in ib_logfile1
+# ibdata1 yes on expecting NOT FOUND
+NOT FOUND /notsecred/ in ibdata1
+# t1 yes on expecting NOT FOUND
+NOT FOUND /notsecred/ in t1.ibd
+# log0 no on expecting FOUND/NOTFOUND depending where insert goes
+FOUND /notsecred/ in ib_logfile0
+# log1 no on expecting FOUND/NOTFOUND depending where insert goes
+NOT FOUND /notsecred/ in ib_logfile1
+drop procedure innodb_insert_proc;
+drop table t1;
diff --git a/mysql-test/suite/encryption/t/innodb-log-encrypt.opt b/mysql-test/suite/encryption/t/innodb-log-encrypt.opt
new file mode 100644
index 00000000000..eb8476a3756
--- /dev/null
+++ b/mysql-test/suite/encryption/t/innodb-log-encrypt.opt
@@ -0,0 +1,6 @@
+--innodb-encrypt-log=ON
+--innodb-encrypt-tables=FORCE
+--plugin-load-add=$FILE_KEY_MANAGEMENT_SO
+--loose-file-key-management
+--loose-file-key-management-filename=$MYSQL_TEST_DIR/std_data/logkey.txt
+--file-key-management-encryption-algorithm=aes_ctr
diff --git a/mysql-test/suite/encryption/t/innodb-log-encrypt.test b/mysql-test/suite/encryption/t/innodb-log-encrypt.test
new file mode 100644
index 00000000000..b2abfadccc2
--- /dev/null
+++ b/mysql-test/suite/encryption/t/innodb-log-encrypt.test
@@ -0,0 +1,112 @@
+-- source include/have_innodb.inc
+-- source include/not_embedded.inc
+-- source filekeys_plugin.inc
+
+#
+# MDEV-9011: Redo log encryption does not work
+#
+
+--disable_query_log
+let $innodb_file_format_orig = `SELECT @@innodb_file_format`;
+let $innodb_file_per_table_orig = `SELECT @@innodb_file_per_table`;
+--enable_query_log
+
+--disable_query_log
+let $innodb_file_format_orig = `SELECT @@innodb_file_format`;
+let $innodb_file_per_table_orig = `SELECT @@innodb_file_per_table`;
+--enable_query_log
+
+SET GLOBAL innodb_file_format = `Barracuda`;
+SET GLOBAL innodb_file_per_table = ON;
+
+create table t1(c1 bigint not null, b char(200), c varchar(200)) engine=innodb encrypted=yes encryption_key_id=1;
+show warnings;
+
+delimiter //;
+create procedure innodb_insert_proc (repeat_count int)
+begin
+ declare current_num int;
+ set current_num = 0;
+ while current_num < repeat_count do
+ insert into t1 values(current_num, substring(MD5(RAND()), -64), REPEAT('secredsecredsecred',10));
+ set current_num = current_num + 1;
+ end while;
+end//
+delimiter ;//
+commit;
+
+set autocommit=0;
+call innodb_insert_proc(2000);
+commit;
+set autocommit=1;
+
+update t1 set c1 = c1 +1;
+select count(*) from t1;
+
+--let $MYSQLD_DATADIR=`select @@datadir`
+--let ib1_IBD = $MYSQLD_DATADIR/ibdata1
+--let t1_IBD = $MYSQLD_DATADIR/test/t1.ibd
+--let log0 = $MYSQLD_DATADIR/ib_logfile0
+--let log1 = $MYSQLD_DATADIR/ib_logfile1
+--let SEARCH_RANGE = 10000000
+--let SEARCH_PATTERN=secredsecred
+
+--echo # ibdata1 yes on expecting NOT FOUND
+-- let SEARCH_FILE=$ib1_IBD
+-- source include/search_pattern_in_file.inc
+--echo # t1 yes on expecting NOT FOUND
+-- let SEARCH_FILE=$t1_IBD
+-- source include/search_pattern_in_file.inc
+--echo # log0 yes on expecting NOT FOUND
+-- let SEARCH_FILE=$log0
+-- source include/search_pattern_in_file.inc
+--echo # log1 yes on expecting NOT FOUND
+-- let SEARCH_FILE=$log1
+-- source include/search_pattern_in_file.inc
+
+--echo # Restart mysqld --innodb_encrypt_log=0
+-- let $restart_parameters=--innodb_encrypt_log=0
+-- source include/restart_mysqld.inc
+
+insert into t1 values(5000, substring(MD5(RAND()), -64), REPEAT('notsecred',10));
+insert into t1 values(5001, substring(MD5(RAND()), -64), REPEAT('notsecred',10));
+insert into t1 values(5002, substring(MD5(RAND()), -64), REPEAT('notsecred',10));
+insert into t1 values(5003, substring(MD5(RAND()), -64), REPEAT('notsecred',10));
+insert into t1 values(5004, substring(MD5(RAND()), -64), REPEAT('notsecred',10));
+
+--let SEARCH_PATTERN=secredsecred
+--echo # ibdata1 yes on expecting NOT FOUND
+-- let SEARCH_FILE=$ib1_IBD
+-- source include/search_pattern_in_file.inc
+--echo # t1 yes on expecting NOT FOUND
+-- let SEARCH_FILE=$t1_IBD
+-- source include/search_pattern_in_file.inc
+--echo # log0 yes on expecting NOT FOUND
+-- let SEARCH_FILE=$log0
+-- source include/search_pattern_in_file.inc
+--echo # log1 yes on expecting NOT FOUND
+-- let SEARCH_FILE=$log1
+-- source include/search_pattern_in_file.inc
+
+--let SEARCH_PATTERN=notsecred
+--echo # ibdata1 yes on expecting NOT FOUND
+-- let SEARCH_FILE=$ib1_IBD
+-- source include/search_pattern_in_file.inc
+--echo # t1 yes on expecting NOT FOUND
+-- let SEARCH_FILE=$t1_IBD
+-- source include/search_pattern_in_file.inc
+--echo # log0 no on expecting FOUND/NOTFOUND depending where insert goes
+-- let SEARCH_FILE=$log0
+-- source include/search_pattern_in_file.inc
+--echo # log1 no on expecting FOUND/NOTFOUND depending where insert goes
+-- let SEARCH_FILE=$log1
+-- source include/search_pattern_in_file.inc
+
+drop procedure innodb_insert_proc;
+drop table t1;
+
+# reset system
+--disable_query_log
+EVAL SET GLOBAL innodb_file_per_table = $innodb_file_per_table_orig;
+EVAL SET GLOBAL innodb_file_format = $innodb_file_format_orig;
+--enable_query_log
diff --git a/storage/innobase/log/log0crypt.cc b/storage/innobase/log/log0crypt.cc
index 8c4fd623fc6..e90533c2e76 100644
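Review bot: The last two searches in innodb-log-encrypt.test are labelled `expecting FOUND/NOTFOUND depending where insert goes`, yet innodb-log-encrypt.result records `FOUND /notsecred/ in ib_logfile0` and `NOT FOUND /notsecred/ in ib_logfile1`, so the test will fail whenever the post-restart inserts land in the other redo file. Since the echo text itself says the outcome varies, those two checks should either be kept out of the recorded result or be replaced by one assertion that the pattern shows up in at least one of the two files. Separately, the opening `--disable_query_log` … `--enable_query_log` block that saves `$innodb_file_format_orig` and `$innodb_file_per_table_orig` appears twice verbatim, and one copy can be dropped. A header comment such as `# After restart with --innodb_encrypt_log=0 new redo records are plaintext; table pages stay encrypted` would also make the intent of the third search group clear.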
--- a/storage/innobase/log/log0crypt.cc +++ b/storage/innobase/log/log0crypt.cc @@ -209,30 +209,32 @@ init_crypt_key( return true; } - byte mysqld_key[MY_AES_BLOCK_SIZE] = {0}; + byte mysqld_key[MY_AES_MAX_KEY_LENGTH] = {0}; uint keylen= sizeof(mysqld_key); + uint rc; - if (encryption_key_get(LOG_DEFAULT_ENCRYPTION_KEY, info->key_version, mysqld_key, &keylen)) - { + rc = encryption_key_get(LOG_DEFAULT_ENCRYPTION_KEY, info->key_version, mysqld_key, &keylen); + + if (rc) { ib_logf(IB_LOG_LEVEL_ERROR, "Redo log crypto: getting mysqld crypto key " - "from key version failed. Reason could be that requested" + "from key version failed err = %u. Reason could be that requested" " key_version %u is not found or required encryption " - " key management is not found.", info->key_version); + " key management is not found.", rc, info->key_version); return false; } uint dst_len; - int rc= my_aes_crypt(MY_AES_ECB, ENCRYPTION_FLAG_NOPAD|ENCRYPTION_FLAG_ENCRYPT, + int err= my_aes_crypt(MY_AES_ECB, ENCRYPTION_FLAG_NOPAD|ENCRYPTION_FLAG_ENCRYPT, info->crypt_msg, sizeof(info->crypt_msg), //src, srclen info->crypt_key, &dst_len, //dst, &dstlen (unsigned char*)&mysqld_key, sizeof(mysqld_key), NULL, 0); - if (rc != MY_AES_OK || dst_len != MY_AES_BLOCK_SIZE) { + if (err != MY_AES_OK || dst_len != MY_AES_BLOCK_SIZE) { fprintf(stderr, "\nInnodb redo log crypto: getting redo log crypto key " - "failed.\n"); + "failed err = %d len = %u.\n", err, dst_len); return false; } diff --git a/storage/xtradb/log/log0crypt.cc b/storage/xtradb/log/log0crypt.cc index 8c4fd623fc6..e90533c2e76 100644 --- a/storage/xtradb/log/log0crypt.cc +++ b/storage/xtradb/log/log0crypt.cc 
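Review bot: The `my_aes_crypt` call in `init_crypt_key` still passes `sizeof(mysqld_key)` as the key length, which with the enlarged buffer is always MY_AES_MAX_KEY_LENGTH rather than the `keylen` value that `encryption_key_get` presumably updates through `&keylen`. A shorter key from the key-management plugin would then be used zero-padded to the full buffer size instead of at its real length; passing `(unsigned char*)mysqld_key, keylen,` ties the derived redo-log key to the key actually returned. The raw key also stays in `mysqld_key` on the stack on every return path visible here, so clearing the buffer before returning would be a cheap hardening step. The same lines appear in the storage/xtradb/log/log0crypt.cc hunk, and the function starts and ends outside both hunks.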
@@ -209,30 +209,32 @@ init_crypt_key( return true; } - byte mysqld_key[MY_AES_BLOCK_SIZE] = {0}; + byte mysqld_key[MY_AES_MAX_KEY_LENGTH] = {0}; uint keylen= sizeof(mysqld_key); + uint rc; - if (encryption_key_get(LOG_DEFAULT_ENCRYPTION_KEY, info->key_version, mysqld_key, &keylen)) - { + rc = encryption_key_get(LOG_DEFAULT_ENCRYPTION_KEY, info->key_version, mysqld_key, &keylen); + + if (rc) { ib_logf(IB_LOG_LEVEL_ERROR, "Redo log crypto: getting mysqld crypto key " - "from key version failed. Reason could be that requested" + "from key version failed err = %u. Reason could be that requested" " key_version %u is not found or required encryption " - " key management is not found.", info->key_version); + " key management is not found.", rc, info->key_version); return false; } uint dst_len; - int rc= my_aes_crypt(MY_AES_ECB, ENCRYPTION_FLAG_NOPAD|ENCRYPTION_FLAG_ENCRYPT, + int err= my_aes_crypt(MY_AES_ECB, ENCRYPTION_FLAG_NOPAD|ENCRYPTION_FLAG_ENCRYPT, info->crypt_msg, sizeof(info->crypt_msg), //src, srclen info->crypt_key, &dst_len, //dst, &dstlen (unsigned char*)&mysqld_key, sizeof(mysqld_key), NULL, 0); - if (rc != MY_AES_OK || dst_len != MY_AES_BLOCK_SIZE) { + if (err != MY_AES_OK || dst_len != MY_AES_BLOCK_SIZE) { fprintf(stderr, "\nInnodb redo log crypto: getting redo log crypto key " - "failed.\n"); + "failed err = %d len = %u.\n", err, dst_len); return false; } |