summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSergei Golubchik <serg@mariadb.org>2015-03-31 19:32:35 +0200
committerSergei Golubchik <serg@mariadb.org>2015-04-09 18:42:43 +0200
commitbb1b61b312088ba9f5f2cb606594b6f33c284402 (patch)
treec5b433d19434e194fb82d2407adbbfee759dfd31
parent9ccafffc29526ea30151eb3e62901bfdb77aaf84 (diff)
downloadmariadb-git-bb1b61b312088ba9f5f2cb606594b6f33c284402.tar.gz
encryption plugin controls the encryption
* no --encryption-algorithm option anymore * encrypt/decrypt methods in the encryption plugin * ecnrypt/decrypt methods in the encryption_km service * file_km plugin has --file-key-management-encryption-algorithm * debug_km always uses aes_cbc * example_km changes between aes_cbc and aes_ecb for different key versions
Diffstat
-rw-r--r--include/my_aes.h80
-rw-r--r--include/my_crypt.h72
-rw-r--r--include/mysql/plugin_audit.h.pp17
-rw-r--r--include/mysql/plugin_auth.h.pp17
-rw-r--r--include/mysql/plugin_encryption.h8
-rw-r--r--include/mysql/plugin_encryption.h.pp19
-rw-r--r--include/mysql/plugin_ftparser.h.pp17
-rw-r--r--include/mysql/plugin_password_validation.h.pp17
-rw-r--r--include/mysql/service_encryption_keys.h25
-rw-r--r--mysql-test/include/encryption_algorithms.combinations7
-rw-r--r--mysql-test/include/have_example_key_management_plugin.inc2
-rw-r--r--mysql-test/include/have_file_key_management_plugin.inc2
-rw-r--r--mysql-test/r/mysqld--help.result5
-rw-r--r--mysql-test/suite/plugins/t/filekeys_plugin.opt1
-rw-r--r--mysql-test/suite/sys_vars/r/encryption_algorithm_basic.result7
-rw-r--r--mysql-test/suite/sys_vars/r/sysvars_server_embedded.result14
-rw-r--r--mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result14
-rw-r--r--mysql-test/suite/sys_vars/t/encryption_algorithm_basic.test13
-rw-r--r--mysys_ssl/my_aes.cc154
-rw-r--r--mysys_ssl/my_crypt.cc78
-rw-r--r--plugin/debug_key_management/debug_key_management_plugin.cc3
-rw-r--r--plugin/example_key_management/example_key_management_plugin.cc48
-rw-r--r--plugin/file_key_management/file_key_management_plugin.cc55
-rw-r--r--sql/encryption_keys.cc51
-rw-r--r--sql/item_strfunc.h4
-rw-r--r--sql/mysqld.cc8
-rw-r--r--sql/sql_plugin_services.h4
-rw-r--r--sql/sys_vars.cc8
-rw-r--r--storage/innobase/fil/fil0crypt.cc16
-rw-r--r--storage/innobase/include/log0crypt.h2
-rw-r--r--storage/innobase/log/log0crypt.cc20
-rw-r--r--storage/maria/ma_check_standalone.h35
-rw-r--r--storage/maria/ma_crypt.c21
-rw-r--r--storage/xtradb/fil/fil0crypt.cc16
-rw-r--r--storage/xtradb/include/log0crypt.h2
-rw-r--r--storage/xtradb/log/log0crypt.cc20
36 files changed, 405 insertions, 477 deletions
diff --git a/include/my_aes.h b/include/my_aes.h
index 824fa5540ef..b5df86fb5ab 100644
--- a/include/my_aes.h
+++ b/include/my_aes.h
@@ -24,8 +24,6 @@
#include <my_global.h>
-typedef int Crypt_result;
-
#define AES_OK 0
#define AES_BAD_DATA -1
#define AES_BAD_IV -2
@@ -49,84 +47,6 @@ typedef int Crypt_result;
C_MODE_START
-/**
- Crypt buffer with AES dynamic (defined at startup) encryption algorithm.
-
- SYNOPSIS
- my_aes_encrypt_dynamic()
- @param source [in] Pointer to data for encryption
- @param source_length [in] Size of encryption data
- @param dest [out] Buffer to place encrypted data (must be large enough)
- @param dest_length [out] Pointer to size of encrypted data
- @param key [in] Key to be used for encryption
- @param key_length [in] Length of the key. 16, 24 or 32
- @param iv [in] Iv to be used for encryption
- @param iv_length [in] Length of the iv. should be 16.
- @param noPadding [in] if set, algorithm specific padding behaviour is used
-
- Method used defined by calling my_aes_init_dynamic_encrypt() at startup.
-
- @return
- != 0 error
- 0 no error
-*/
-
-typedef int (*my_aes_encrypt_dynamic_type)(const uchar* source, uint32 source_length,
- uchar* dest, uint32* dest_length,
- const uchar* key, uint8 key_length,
- const uchar* iv, uint8 iv_length,
- uint noPadding);
-
-extern MYSQL_PLUGIN_IMPORT my_aes_encrypt_dynamic_type my_aes_encrypt_dynamic;
-
-/**
- AES decryption AES dynamic (defined at startup) encryption algorithm.
-
- SYNOPSIS
- my_aes_decrypt_dynamic()
- @param source [in] Pointer to data to decrypt
- @param source_length [in] Size of data
- @param dest [out] Buffer to place decrypted data (must be large enough)
- @param dest_length [out] Pointer to size of decrypted data
- @param key [in] Key to be used for decryption
- @param key_length [in] Length of the key. 16, 24 or 32
- @param iv [in] Iv to be used for encryption
- @param iv_length [in] Length of the iv. should be 16.
- @param noPadding [in] if set, algorithm specific padding behaviour is used
-
- @return
- != 0 error
- 0 no error
-
- Method used defined by calling my_aes_init_dynamic_encrypt() at startup.
-*/
-
-typedef int (*my_aes_decrypt_dynamic_type)(const uchar *source,
- uint32 source_length,
- uchar *dest, uint32 *dest_length,
- const uchar *key, uint8 key_length,
- const uchar *iv, uint8 iv_length,
- uint noPadding);
-extern MYSQL_PLUGIN_IMPORT my_aes_decrypt_dynamic_type my_aes_decrypt_dynamic;
-
-/**
- Initialize dynamic crypt functions
-*/
-
-enum enum_my_aes_encryption_algorithm
-{
- MY_AES_ALGORITHM_NONE, MY_AES_ALGORITHM_ECB, MY_AES_ALGORITHM_CBC,
- MY_AES_ALGORITHM_CTR
-};
-
-my_aes_decrypt_dynamic_type get_aes_decrypt_func(enum enum_my_aes_encryption_algorithm method);
-my_aes_encrypt_dynamic_type get_aes_encrypt_func(enum enum_my_aes_encryption_algorithm method);
-
-
-my_bool my_aes_init_dynamic_encrypt(enum enum_my_aes_encryption_algorithm method);
-
-extern MYSQL_PLUGIN_IMPORT enum enum_my_aes_encryption_algorithm current_aes_dynamic_method;
-
int my_aes_get_size(int source_length);
C_MODE_END
diff --git a/include/my_crypt.h b/include/my_crypt.h
index 83665659178..c6cddbd99e3 100644
--- a/include/my_crypt.h
+++ b/include/my_crypt.h
@@ -26,45 +26,45 @@ C_MODE_START
#ifdef HAVE_EncryptAes128Ctr
-Crypt_result my_aes_encrypt_ctr(const uchar* source, uint32 source_length,
- uchar* dest, uint32* dest_length,
- const unsigned char* key, uint8 key_length,
- const unsigned char* iv, uint8 iv_length,
- uint no_padding);
-
-Crypt_result my_aes_decrypt_ctr(const uchar* source, uint32 source_length,
- uchar* dest, uint32* dest_length,
- const unsigned char* key, uint8 key_length,
- const unsigned char* iv, uint8 iv_length,
- uint no_padding);
+int my_aes_encrypt_ctr(const uchar* source, uint source_length,
+ uchar* dest, uint* dest_length,
+ const unsigned char* key, uint key_length,
+ const unsigned char* iv, uint iv_length,
+ int no_padding);
+
+int my_aes_decrypt_ctr(const uchar* source, uint source_length,
+ uchar* dest, uint* dest_length,
+ const unsigned char* key, uint key_length,
+ const unsigned char* iv, uint iv_length,
+ int no_padding);
#endif
-Crypt_result my_aes_encrypt_cbc(const uchar* source, uint32 source_length,
- uchar* dest, uint32* dest_length,
- const unsigned char* key, uint8 key_length,
- const unsigned char* iv, uint8 iv_length,
- uint no_padding);
-
-Crypt_result my_aes_decrypt_cbc(const uchar* source, uint32 source_length,
- uchar* dest, uint32* dest_length,
- const unsigned char* key, uint8 key_length,
- const unsigned char* iv, uint8 iv_length,
- uint no_padding);
-
-Crypt_result my_aes_encrypt_ecb(const uchar* source, uint32 source_length,
- uchar* dest, uint32* dest_length,
- const unsigned char* key, uint8 key_length,
- const unsigned char* iv, uint8 iv_length,
- uint no_padding);
-
-Crypt_result my_aes_decrypt_ecb(const uchar* source, uint32 source_length,
- uchar* dest, uint32* dest_length,
- const unsigned char* key, uint8 key_length,
- const unsigned char* iv, uint8 iv_length,
- uint no_padding);
-
-Crypt_result my_random_bytes(uchar* buf, int num);
+int my_aes_encrypt_cbc(const uchar* source, uint source_length,
+ uchar* dest, uint* dest_length,
+ const unsigned char* key, uint key_length,
+ const unsigned char* iv, uint iv_length,
+ int no_padding);
+
+int my_aes_decrypt_cbc(const uchar* source, uint source_length,
+ uchar* dest, uint* dest_length,
+ const unsigned char* key, uint key_length,
+ const unsigned char* iv, uint iv_length,
+ int no_padding);
+
+int my_aes_encrypt_ecb(const uchar* source, uint source_length,
+ uchar* dest, uint* dest_length,
+ const unsigned char* key, uint key_length,
+ const unsigned char* iv, uint iv_length,
+ int no_padding);
+
+int my_aes_decrypt_ecb(const uchar* source, uint source_length,
+ uchar* dest, uint* dest_length,
+ const unsigned char* key, uint key_length,
+ const unsigned char* iv, uint iv_length,
+ int no_padding);
+
+int my_random_bytes(uchar* buf, int num);
C_MODE_END
diff --git a/include/mysql/plugin_audit.h.pp b/include/mysql/plugin_audit.h.pp
index c4661e2b383..30647a7c331 100644
--- a/include/mysql/plugin_audit.h.pp
+++ b/include/mysql/plugin_audit.h.pp
@@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key);
void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
#include <mysql/service_encryption_keys.h>
+typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version);
extern struct encryption_keys_service_st {
unsigned int (*get_latest_encryption_key_version_func)();
unsigned int (*has_encryption_key_func)(unsigned int);
unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*);
+ encrypt_decrypt_func encrypt_data_func;
+ encrypt_decrypt_func decrypt_data_func;
} *encryption_keys_service;
unsigned int get_latest_encryption_key_version();
unsigned int has_encryption_key(unsigned int version);
unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize);
+int encrypt_data(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version);
+int decrypt_data(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version);
struct st_mysql_xid {
long formatID;
long gtrid_length;
diff --git a/include/mysql/plugin_auth.h.pp b/include/mysql/plugin_auth.h.pp
index 09986993139..e821a7d1bfb 100644
--- a/include/mysql/plugin_auth.h.pp
+++ b/include/mysql/plugin_auth.h.pp
@@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key);
void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
#include <mysql/service_encryption_keys.h>
+typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version);
extern struct encryption_keys_service_st {
unsigned int (*get_latest_encryption_key_version_func)();
unsigned int (*has_encryption_key_func)(unsigned int);
unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*);
+ encrypt_decrypt_func encrypt_data_func;
+ encrypt_decrypt_func decrypt_data_func;
} *encryption_keys_service;
unsigned int get_latest_encryption_key_version();
unsigned int has_encryption_key(unsigned int version);
unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize);
+int encrypt_data(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version);
+int decrypt_data(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version);
struct st_mysql_xid {
long formatID;
long gtrid_length;
diff --git a/include/mysql/plugin_encryption.h b/include/mysql/plugin_encryption.h
index 43697096f04..a91a53c8ad5 100644
--- a/include/mysql/plugin_encryption.h
+++ b/include/mysql/plugin_encryption.h
@@ -1,5 +1,5 @@
#ifndef MYSQL_PLUGIN_ENCRYPTION_INCLUDED
-/* Copyright (C) 2014 Sergei Golubchik and MariaDB
+/* Copyright (C) 2014, 2015 Sergei Golubchik and MariaDB
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -29,9 +29,6 @@
#define MariaDB_ENCRYPTION_INTERFACE_VERSION 0x0200
-#define BAD_ENCRYPTION_KEY_VERSION (~(unsigned int)0)
-#define KEY_BUFFER_TOO_SMALL (100)
-
/**
Encryption plugin descriptor
*/
@@ -68,6 +65,9 @@ struct st_mariadb_encryption
*/
unsigned int (*get_key)(unsigned int version, unsigned char *key,
unsigned int *key_length);
+
+ encrypt_decrypt_func encrypt;
+ encrypt_decrypt_func decrypt;
};
#endif
diff --git a/include/mysql/plugin_encryption.h.pp b/include/mysql/plugin_encryption.h.pp
index a09e0e0543b..100928f0b19 100644
--- a/include/mysql/plugin_encryption.h.pp
+++ b/include/mysql/plugin_encryption.h.pp
@@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key);
void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
#include <mysql/service_encryption_keys.h>
+typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version);
extern struct encryption_keys_service_st {
unsigned int (*get_latest_encryption_key_version_func)();
unsigned int (*has_encryption_key_func)(unsigned int);
unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*);
+ encrypt_decrypt_func encrypt_data_func;
+ encrypt_decrypt_func decrypt_data_func;
} *encryption_keys_service;
unsigned int get_latest_encryption_key_version();
unsigned int has_encryption_key(unsigned int version);
unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize);
+int encrypt_data(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version);
+int decrypt_data(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version);
struct st_mysql_xid {
long formatID;
long gtrid_length;
@@ -368,4 +385,6 @@ struct st_mariadb_encryption
unsigned int (*get_latest_key_version)();
unsigned int (*get_key)(unsigned int version, unsigned char *key,
unsigned int *key_length);
+ encrypt_decrypt_func encrypt;
+ encrypt_decrypt_func decrypt;
};
diff --git a/include/mysql/plugin_ftparser.h.pp b/include/mysql/plugin_ftparser.h.pp
index e9315f4fe83..0c58e6912ca 100644
--- a/include/mysql/plugin_ftparser.h.pp
+++ b/include/mysql/plugin_ftparser.h.pp
@@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key);
void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
#include <mysql/service_encryption_keys.h>
+typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version);
extern struct encryption_keys_service_st {
unsigned int (*get_latest_encryption_key_version_func)();
unsigned int (*has_encryption_key_func)(unsigned int);
unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*);
+ encrypt_decrypt_func encrypt_data_func;
+ encrypt_decrypt_func decrypt_data_func;
} *encryption_keys_service;
unsigned int get_latest_encryption_key_version();
unsigned int has_encryption_key(unsigned int version);
unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize);
+int encrypt_data(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version);
+int decrypt_data(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version);
struct st_mysql_xid {
long formatID;
long gtrid_length;
diff --git a/include/mysql/plugin_password_validation.h.pp b/include/mysql/plugin_password_validation.h.pp
index a82d5fd9150..8ab0f680815 100644
--- a/include/mysql/plugin_password_validation.h.pp
+++ b/include/mysql/plugin_password_validation.h.pp
@@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key);
void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
#include <mysql/service_encryption_keys.h>
+typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version);
extern struct encryption_keys_service_st {
unsigned int (*get_latest_encryption_key_version_func)();
unsigned int (*has_encryption_key_func)(unsigned int);
unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*);
+ encrypt_decrypt_func encrypt_data_func;
+ encrypt_decrypt_func decrypt_data_func;
} *encryption_keys_service;
unsigned int get_latest_encryption_key_version();
unsigned int has_encryption_key(unsigned int version);
unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize);
+int encrypt_data(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version);
+int decrypt_data(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version);
struct st_mysql_xid {
long formatID;
long gtrid_length;
diff --git a/include/mysql/service_encryption_keys.h b/include/mysql/service_encryption_keys.h
index f162bba3cff..105146d00a5 100644
--- a/include/mysql/service_encryption_keys.h
+++ b/include/mysql/service_encryption_keys.h
@@ -25,10 +25,21 @@
extern "C" {
#endif
+#define BAD_ENCRYPTION_KEY_VERSION (~(unsigned int)0)
+#define KEY_BUFFER_TOO_SMALL (100)
+
+typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version);
+
extern struct encryption_keys_service_st {
unsigned int (*get_latest_encryption_key_version_func)();
unsigned int (*has_encryption_key_func)(unsigned int);
unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*);
+ encrypt_decrypt_func encrypt_data_func;
+ encrypt_decrypt_func decrypt_data_func;
} *encryption_keys_service;
#ifdef MYSQL_DYNAMIC_PLUGIN
@@ -36,13 +47,23 @@ extern struct encryption_keys_service_st {
#define get_latest_encryption_key_version() encryption_keys_service->get_latest_encryption_key_version_func()
#define has_encryption_key(V) encryption_keys_service->has_encryption_key_func(V)
#define get_encryption_key(V,K,S) encryption_keys_service->get_encryption_key_func((V), (K), (S))
-
+#define encrypt_data(S,SL,D,DL,K,KL,I,IL,NP,KV) encryption_keys_service->encrypt_data_func(S,SL,D,DL,K,KL,I,IL,NP,KV)
+#define decrypt_data(S,SL,D,DL,K,KL,I,IL,NP,KV) encryption_keys_service->decrypt_data_func(S,SL,D,DL,K,KL,I,IL,NP,KV)
#else
unsigned int get_latest_encryption_key_version();
unsigned int has_encryption_key(unsigned int version);
unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize);
-
+int encrypt_data(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version);
+int decrypt_data(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version);
#endif
#ifdef __cplusplus
diff --git a/mysql-test/include/encryption_algorithms.combinations b/mysql-test/include/encryption_algorithms.combinations
index 09c1e91e1cd..f8598401e5f 100644
--- a/mysql-test/include/encryption_algorithms.combinations
+++ b/mysql-test/include/encryption_algorithms.combinations
@@ -1,8 +1,5 @@
[cbc]
-encryption-algorithm=aes_cbc
-
-[ecb]
-encryption-algorithm=aes_ecb
+file-key-management-encryption-algorithm=aes_cbc
[ctr]
-encryption-algorithm=aes_ctr
+file-key-management-encryption-algorithm=aes_ctr
diff --git a/mysql-test/include/have_example_key_management_plugin.inc b/mysql-test/include/have_example_key_management_plugin.inc
index d04aad2532f..a87d3256ee0 100644
--- a/mysql-test/include/have_example_key_management_plugin.inc
+++ b/mysql-test/include/have_example_key_management_plugin.inc
@@ -1,5 +1,3 @@
--- source encryption_algorithms.inc
-
if (!$EXAMPLE_KEY_MANAGEMENT_SO)
{
--skip Needs example_key_management
diff --git a/mysql-test/include/have_file_key_management_plugin.inc b/mysql-test/include/have_file_key_management_plugin.inc
index f85214332f7..baada3a7d47 100644
--- a/mysql-test/include/have_file_key_management_plugin.inc
+++ b/mysql-test/include/have_file_key_management_plugin.inc
@@ -1,4 +1,4 @@
--- source encryption_algorithms.inc
+--source encryption_algorithms.inc
if (!$FILE_KEY_MANAGEMENT_SO)
{
diff --git a/mysql-test/r/mysqld--help.result b/mysql-test/r/mysqld--help.result
index 7d59ecd1dc2..3bd5e296ec9 100644
--- a/mysql-test/r/mysqld--help.result
+++ b/mysql-test/r/mysqld--help.result
@@ -165,10 +165,6 @@ The following options may be given as the first argument:
--encrypt-tmp-disk-tables
Encrypt tmp disk tables (created as part of query
execution)
- --encryption-algorithm=name
- Which encryption algorithm to use for table encryption.
- aes_cbc is the recommended one.. One of: none, aes_ecb,
- aes_cbc, aes_ctr
--enforce-storage-engine=name
Force the use of a storage engine for new tables
--event-scheduler[=name]
@@ -1151,7 +1147,6 @@ delayed-insert-timeout 300
delayed-queue-size 1000
div-precision-increment 4
encrypt-tmp-disk-tables FALSE
-encryption-algorithm none
enforce-storage-engine (No default value)
event-scheduler OFF
expensive-subquery-limit 100
diff --git a/mysql-test/suite/plugins/t/filekeys_plugin.opt b/mysql-test/suite/plugins/t/filekeys_plugin.opt
index 43d00186d59..b42e6266e66 100644
--- a/mysql-test/suite/plugins/t/filekeys_plugin.opt
+++ b/mysql-test/suite/plugins/t/filekeys_plugin.opt
@@ -1,2 +1 @@
--plugin-load-add=$FILE_KEY_MANAGEMENT_SO
---encryption-algorithm=aes_cbc
diff --git a/mysql-test/suite/sys_vars/r/encryption_algorithm_basic.result b/mysql-test/suite/sys_vars/r/encryption_algorithm_basic.result
deleted file mode 100644
index a9101b0f950..00000000000
--- a/mysql-test/suite/sys_vars/r/encryption_algorithm_basic.result
+++ /dev/null
@@ -1,7 +0,0 @@
-select @@global.encryption_algorithm;
-@@global.encryption_algorithm
-none
-select @@session.encryption_algorithm;
-ERROR HY000: Variable 'encryption_algorithm' is a GLOBAL variable
-set global encryption_algorithm="none";
-ERROR HY000: Variable 'encryption_algorithm' is a read only variable
diff --git a/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result b/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result
index e72678c5243..21d4ea85dd9 100644
--- a/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result
+++ b/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result
@@ -681,20 +681,6 @@ NUMERIC_BLOCK_SIZE 1
ENUM_VALUE_LIST NULL
READ_ONLY NO
COMMAND_LINE_ARGUMENT REQUIRED
-VARIABLE_NAME ENCRYPTION_ALGORITHM
-SESSION_VALUE NULL
-GLOBAL_VALUE none
-GLOBAL_VALUE_ORIGIN COMPILE-TIME
-DEFAULT_VALUE none
-VARIABLE_SCOPE GLOBAL
-VARIABLE_TYPE ENUM
-VARIABLE_COMMENT Which encryption algorithm to use for table encryption. aes_cbc is the recommended one.
-NUMERIC_MIN_VALUE NULL
-NUMERIC_MAX_VALUE NULL
-NUMERIC_BLOCK_SIZE NULL
-ENUM_VALUE_LIST none,aes_ecb,aes_cbc,aes_ctr
-READ_ONLY YES
-COMMAND_LINE_ARGUMENT REQUIRED
VARIABLE_NAME ENCRYPT_TMP_DISK_TABLES
SESSION_VALUE NULL
GLOBAL_VALUE OFF
diff --git a/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result b/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result
index 7908300bf8f..ea4019e65cc 100644
--- a/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result
+++ b/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result
@@ -695,20 +695,6 @@ NUMERIC_BLOCK_SIZE 1
ENUM_VALUE_LIST NULL
READ_ONLY NO
COMMAND_LINE_ARGUMENT REQUIRED
-VARIABLE_NAME ENCRYPTION_ALGORITHM
-SESSION_VALUE NULL
-GLOBAL_VALUE none
-GLOBAL_VALUE_ORIGIN COMPILE-TIME
-DEFAULT_VALUE none
-VARIABLE_SCOPE GLOBAL
-VARIABLE_TYPE ENUM
-VARIABLE_COMMENT Which encryption algorithm to use for table encryption. aes_cbc is the recommended one.
-NUMERIC_MIN_VALUE NULL
-NUMERIC_MAX_VALUE NULL
-NUMERIC_BLOCK_SIZE NULL
-ENUM_VALUE_LIST none,aes_ecb,aes_cbc,aes_ctr
-READ_ONLY YES
-COMMAND_LINE_ARGUMENT REQUIRED
VARIABLE_NAME ENCRYPT_TMP_DISK_TABLES
SESSION_VALUE NULL
GLOBAL_VALUE OFF
diff --git a/mysql-test/suite/sys_vars/t/encryption_algorithm_basic.test b/mysql-test/suite/sys_vars/t/encryption_algorithm_basic.test
deleted file mode 100644
index 065453eba34..00000000000
--- a/mysql-test/suite/sys_vars/t/encryption_algorithm_basic.test
+++ /dev/null
@@ -1,13 +0,0 @@
-# bool global
-
-# exists as global only
-#
-select @@global.encryption_algorithm;
---error ER_INCORRECT_GLOBAL_LOCAL_VAR
-select @@session.encryption_algorithm;
-
-#
-# show that it's not writable
-#
---error 1238
-set global encryption_algorithm="none";
diff --git a/mysys_ssl/my_aes.cc b/mysys_ssl/my_aes.cc
index 97af3c39381..069d8d74ab2 100644
--- a/mysys_ssl/my_aes.cc
+++ b/mysys_ssl/my_aes.cc
@@ -19,163 +19,9 @@
#include <my_crypt.h>
/**
- Encryption interface that doesn't do anything (for testing)
-
- SYNOPSIS
- my_aes_encrypt_none()
- @param source [in] Pointer to data for encryption
- @param source_length [in] Size of encryption data
- @param dest [out] Buffer to place encrypted data (must be large enough)
- @param dest_length [out] Pointer to size of encrypted data
- @param key [in] Key to be used for encryption
- @param key_length [in] Length of the key. 16, 24 or 32
- @param iv [in] Iv to be used for encryption
- @param iv_length [in] Length of the iv. should be 16.
- @param noPadding [in] unused
- @return
- != 0 error
- 0 no error
-*/
-
-static int my_aes_encrypt_none(const uchar* source, uint32 source_length,
- uchar* dest, uint32* dest_length,
- const unsigned char* key, uint8 key_length,
- const unsigned char* iv, uint8 iv_length,
- uint noPadding)
-{
- memcpy(dest, source, source_length);
- *dest_length= source_length;
- return 0;
-}
-
-
-/**
- Decryption interface that doesn't do anything (for testing)
-
- SYNOPSIS
- my_aes_decrypt_none()
- @param source [in] Pointer to data to decrypt
- @param source_length [in] Size of data
- @param dest [out] Buffer to place decrypted data (must be large enough)
- @param dest_length [out] Pointer to size of decrypted data
- @param key [in] Key to be used for decryption
- @param key_length [in] Length of the key. 16, 24 or 32
- @param iv [in] Iv to be used for encryption
- @param iv_length [in] Length of the iv. should be 16.
- @param noPadding [in] unused
-
- @return
- != 0 error
- 0 no error
-*/
-
-int my_aes_decrypt_none(const uchar* source, uint32 source_length,
- uchar* dest, uint32 *dest_length,
- const unsigned char* key, uint8 key_length,
- const unsigned char* iv, uint8 iv_length,
- uint noPadding)
-{
- memcpy(dest, source, source_length);
- *dest_length= source_length;
- return 0;
-}
-
-/**
Initialize encryption methods
*/
-my_aes_decrypt_dynamic_type my_aes_decrypt_dynamic= my_aes_decrypt_none;
-my_aes_encrypt_dynamic_type my_aes_encrypt_dynamic= my_aes_encrypt_none;
-enum_my_aes_encryption_algorithm current_aes_dynamic_method= MY_AES_ALGORITHM_NONE;
-
-my_bool my_aes_init_dynamic_encrypt(enum_my_aes_encryption_algorithm method)
-{
- switch (method)
- {
- /* used for encrypting tables */
- case MY_AES_ALGORITHM_ECB:
- my_aes_encrypt_dynamic= my_aes_encrypt_ecb;
- my_aes_decrypt_dynamic= my_aes_decrypt_ecb;
- break;
- case MY_AES_ALGORITHM_CBC:
- my_aes_encrypt_dynamic= my_aes_encrypt_cbc;
- my_aes_decrypt_dynamic= my_aes_decrypt_cbc;
- break;
-#ifdef HAVE_EncryptAes128Ctr
- /* encrypt everything, with a set of keys */
- case MY_AES_ALGORITHM_CTR:
- my_aes_encrypt_dynamic= my_aes_encrypt_ctr;
- my_aes_decrypt_dynamic= my_aes_decrypt_ctr;
- break;
-#endif
- /* Simulate encrypting interface */
- case MY_AES_ALGORITHM_NONE:
- my_aes_encrypt_dynamic= my_aes_encrypt_none;
- my_aes_decrypt_dynamic= my_aes_decrypt_none;
- break;
- default:
- return 1;
- }
- current_aes_dynamic_method= method;
- return 0;
-}
-
-my_aes_decrypt_dynamic_type
-get_aes_decrypt_func(enum_my_aes_encryption_algorithm method)
-{
- switch (method)
- {
- /* used for encrypting tables */
- case MY_AES_ALGORITHM_ECB:
- return my_aes_decrypt_ecb;
- break;
- case MY_AES_ALGORITHM_CBC:
- return my_aes_decrypt_cbc;
- break;
-#ifdef HAVE_EncryptAes128Ctr
- /* encrypt everything, with a set of keys */
- case MY_AES_ALGORITHM_CTR:
- return my_aes_decrypt_ctr;
- break;
-#endif
- /* Simulate encrypting interface */
- case MY_AES_ALGORITHM_NONE:
- return my_aes_decrypt_none;
- break;
- default:
- return NULL;
- }
- return NULL;
-}
-
-my_aes_encrypt_dynamic_type
-get_aes_encrypt_func(enum_my_aes_encryption_algorithm method)
-{
- switch (method)
- {
- /* used for encrypting tables */
- case MY_AES_ALGORITHM_ECB:
- return my_aes_encrypt_ecb;
- break;
- case MY_AES_ALGORITHM_CBC:
- return my_aes_encrypt_cbc;
- break;
-#ifdef HAVE_EncryptAes128Ctr
- /* encrypt everything, with a set of keys */
- case MY_AES_ALGORITHM_CTR:
- return my_aes_encrypt_ctr;
- break;
-#endif
- /* Simulate encrypting interface */
- case MY_AES_ALGORITHM_NONE:
- return my_aes_encrypt_none;
- break;
- default:
- return NULL;
- }
- return NULL;
-}
-
/**
Get size of buffer which will be large enough for encrypted data
diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc
index 60072a5bbaf..1709ae5e5eb 100644
--- a/mysys_ssl/my_crypt.cc
+++ b/mysys_ssl/my_crypt.cc
@@ -26,8 +26,8 @@ static const Dir CRYPT_ENCRYPT = TaoCrypt::ENCRYPTION;
static const Dir CRYPT_DECRYPT = TaoCrypt::DECRYPTION;
typedef TaoCrypt::Mode CipherMode;
-static inline CipherMode aes_ecb(uint8) { return TaoCrypt::ECB; }
-static inline CipherMode aes_cbc(uint8) { return TaoCrypt::CBC; }
+static inline CipherMode aes_ecb(uint) { return TaoCrypt::ECB; }
+static inline CipherMode aes_cbc(uint) { return TaoCrypt::CBC; }
typedef TaoCrypt::byte KeyByte;
@@ -42,7 +42,7 @@ static const Dir CRYPT_DECRYPT = 0;
typedef const EVP_CIPHER *CipherMode;
#define make_aes_dispatcher(mode) \
- static inline CipherMode aes_ ## mode(uint8 key_length) \
+ static inline CipherMode aes_ ## mode(uint key_length) \
{ \
switch (key_length) { \
case 16: return EVP_aes_128_ ## mode(); \
@@ -67,10 +67,10 @@ struct MyCTX : EVP_CIPHER_CTX {
#endif
static int do_crypt(CipherMode cipher, Dir dir,
- const uchar* source, uint32 source_length,
- uchar* dest, uint32* dest_length,
- const KeyByte *key, uint8 key_length,
- const KeyByte *iv, uint8 iv_length, int no_padding)
+ const uchar* source, uint source_length,
+ uchar* dest, uint* dest_length,
+ const KeyByte *key, uint key_length,
+ const KeyByte *iv, uint iv_length, int no_padding)
{
int tail= source_length % MY_AES_BLOCK_SIZE;
@@ -123,8 +123,8 @@ static int do_crypt(CipherMode cipher, Dir dir,
EVP_CIPHER_CTX_set_padding(&ctx, !no_padding);
- DBUG_ASSERT(EVP_CIPHER_CTX_key_length(&ctx) == key_length);
- DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(&ctx) == iv_length);
+ DBUG_ASSERT(EVP_CIPHER_CTX_key_length(&ctx) == (int)key_length);
+ DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(&ctx) == (int)iv_length);
DBUG_ASSERT(EVP_CIPHER_CTX_block_size(&ctx) == MY_AES_BLOCK_SIZE || !no_padding);
/* use built-in OpenSSL padding, if possible */
@@ -164,11 +164,11 @@ C_MODE_START
#ifdef HAVE_EncryptAes128Ctr
-int my_aes_encrypt_ctr(const uchar* source, uint32 source_length,
- uchar* dest, uint32* dest_length,
- const uchar* key, uint8 key_length,
- const uchar* iv, uint8 iv_length,
- uint no_padding)
+int my_aes_encrypt_ctr(const uchar* source, uint source_length,
+ uchar* dest, uint* dest_length,
+ const uchar* key, uint key_length,
+ const uchar* iv, uint iv_length,
+ int no_padding)
{
/* CTR is a stream cipher mode, it needs no special padding code */
return do_crypt(aes_ctr(key_length), CRYPT_ENCRYPT, source, source_length,
@@ -176,11 +176,11 @@ int my_aes_encrypt_ctr(const uchar* source, uint32 source_length,
}
-int my_aes_decrypt_ctr(const uchar* source, uint32 source_length,
- uchar* dest, uint32* dest_length,
- const uchar* key, uint8 key_length,
- const uchar* iv, uint8 iv_length,
- uint no_padding)
+int my_aes_decrypt_ctr(const uchar* source, uint source_length,
+ uchar* dest, uint* dest_length,
+ const uchar* key, uint key_length,
+ const uchar* iv, uint iv_length,
+ int no_padding)
{
return do_crypt(aes_ctr(key_length), CRYPT_DECRYPT, source, source_length,
dest, dest_length, key, key_length, iv, iv_length, 0);
@@ -188,41 +188,41 @@ int my_aes_decrypt_ctr(const uchar* source, uint32 source_length,
#endif /* HAVE_EncryptAes128Ctr */
-int my_aes_encrypt_ecb(const uchar* source, uint32 source_length,
- uchar* dest, uint32* dest_length,
- const uchar* key, uint8 key_length,
- const uchar* iv, uint8 iv_length,
- uint no_padding)
+int my_aes_encrypt_ecb(const uchar* source, uint source_length,
+ uchar* dest, uint* dest_length,
+ const uchar* key, uint key_length,
+ const uchar* iv, uint iv_length,
+ int no_padding)
{
return do_crypt(aes_ecb(key_length), CRYPT_ENCRYPT, source, source_length,
dest, dest_length, key, key_length, 0, 0, no_padding);
}
-int my_aes_decrypt_ecb(const uchar* source, uint32 source_length,
- uchar* dest, uint32* dest_length,
- const uchar* key, uint8 key_length,
- const uchar* iv, uint8 iv_length,
- uint no_padding)
+int my_aes_decrypt_ecb(const uchar* source, uint source_length,
+ uchar* dest, uint* dest_length,
+ const uchar* key, uint key_length,
+ const uchar* iv, uint iv_length,
+ int no_padding)
{
return do_crypt(aes_ecb(key_length), CRYPT_DECRYPT, source, source_length,
dest, dest_length, key, key_length, 0, 0, no_padding);
}
-int my_aes_encrypt_cbc(const uchar* source, uint32 source_length,
- uchar* dest, uint32* dest_length,
- const uchar* key, uint8 key_length,
- const uchar* iv, uint8 iv_length,
- uint no_padding)
+int my_aes_encrypt_cbc(const uchar* source, uint source_length,
+ uchar* dest, uint* dest_length,
+ const uchar* key, uint key_length,
+ const uchar* iv, uint iv_length,
+ int no_padding)
{
return do_crypt(aes_cbc(key_length), CRYPT_ENCRYPT, source, source_length,
dest, dest_length, key, key_length, iv, iv_length, no_padding);
}
-int my_aes_decrypt_cbc(const uchar* source, uint32 source_length,
- uchar* dest, uint32* dest_length,
- const uchar* key, uint8 key_length,
- const uchar* iv, uint8 iv_length,
- uint no_padding)
+int my_aes_decrypt_cbc(const uchar* source, uint source_length,
+ uchar* dest, uint* dest_length,
+ const uchar* key, uint key_length,
+ const uchar* iv, uint iv_length,
+ int no_padding)
{
return do_crypt(aes_cbc(key_length), CRYPT_DECRYPT, source, source_length,
dest, dest_length, key, key_length, iv, iv_length, no_padding);
diff --git a/plugin/debug_key_management/debug_key_management_plugin.cc b/plugin/debug_key_management/debug_key_management_plugin.cc
index 9843c08d8bf..5b42c70c772 100644
--- a/plugin/debug_key_management/debug_key_management_plugin.cc
+++ b/plugin/debug_key_management/debug_key_management_plugin.cc
@@ -64,7 +64,8 @@ static unsigned int get_key(unsigned int version, unsigned char* dstbuf, unsigne
struct st_mariadb_encryption debug_key_management_plugin= {
MariaDB_ENCRYPTION_INTERFACE_VERSION,
get_latest_key_version,
- get_key
+ get_key,
+ 0, 0 // use default encrypt/decrypt functions
};
/*
diff --git a/plugin/example_key_management/example_key_management_plugin.cc b/plugin/example_key_management/example_key_management_plugin.cc
index 5ced65a7088..dd8416504a0 100644
--- a/plugin/example_key_management/example_key_management_plugin.cc
+++ b/plugin/example_key_management/example_key_management_plugin.cc
@@ -27,11 +27,9 @@
#include <my_global.h>
#include <my_pthread.h>
-#include <my_aes.h>
#include <mysql/plugin_encryption.h>
-#include <my_md5.h>
#include <my_rnd.h>
-#include "sql_class.h"
+#include <my_crypt.h>
/* rotate key randomly between 45 and 90 seconds */
#define KEY_ROTATION_MIN 45
@@ -61,12 +59,12 @@ get_latest_key_version()
static unsigned int
get_key(unsigned int version, unsigned char* dstbuf, unsigned *buflen)
{
- if (*buflen < MD5_HASH_SIZE)
+ if (*buflen < MY_MD5_HASH_SIZE)
{
- *buflen= MD5_HASH_SIZE;
+ *buflen= MY_MD5_HASH_SIZE;
return KEY_BUFFER_TOO_SMALL;
}
- *buflen= MD5_HASH_SIZE;
+ *buflen= MY_MD5_HASH_SIZE;
if (!dstbuf)
return 0;
@@ -75,21 +73,35 @@ get_key(unsigned int version, unsigned char* dstbuf, unsigned *buflen)
return 0;
}
+/*
+ for the sake of an example, let's use different encryption algorithms/modes
+ for different keys.
+*/
+int encrypt(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version)
+{
+ return ((key_version & 1) ? my_aes_encrypt_cbc : my_aes_encrypt_ecb)
+ (src, slen, dst, dlen, key, klen, iv, ivlen, no_padding);
+}
+
+int decrypt(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen,
+ int no_padding, unsigned int key_version)
+{
+ return ((key_version & 1) ? my_aes_decrypt_cbc : my_aes_decrypt_ecb)
+ (src, slen, dst, dlen, key, klen, iv, ivlen, no_padding);
+}
+
static int example_key_management_plugin_init(void *p)
{
/* init */
my_rnd_init(&seed, time(0), 0);
get_latest_key_version();
-
- if (current_aes_dynamic_method == MY_AES_ALGORITHM_NONE)
- {
- sql_print_error("No encryption method choosen with --encryption-algorithm. "
- "example_key_management_plugin disabled");
- return 1;
- }
-
- my_aes_init_dynamic_encrypt(current_aes_dynamic_method);
-
pthread_mutex_init(&mutex, NULL);
return 0;
@@ -104,7 +116,9 @@ static int example_key_management_plugin_deinit(void *p)
struct st_mariadb_encryption example_key_management_plugin= {
MariaDB_ENCRYPTION_INTERFACE_VERSION,
get_latest_key_version,
- get_key
+ get_key,
+ encrypt,
+ decrypt
};
/*
diff --git a/plugin/file_key_management/file_key_management_plugin.cc b/plugin/file_key_management/file_key_management_plugin.cc
index be623706051..d7edeb73665 100644
--- a/plugin/file_key_management/file_key_management_plugin.cc
+++ b/plugin/file_key_management/file_key_management_plugin.cc
@@ -15,12 +15,28 @@
#include "parser.h"
-#include <mysql_version.h>
#include <mysql/plugin_encryption.h>
#include <string.h>
static char* filename;
static char* filekey;
+static unsigned long encryption_algorithm;
+
+static const char *encryption_algorithm_names[]=
+{
+ "aes_cbc",
+#ifdef HAVE_EncryptAes128Ctr
+ "aes_ctr",
+#endif
+ 0
+};
+
+static TYPELIB encryption_algorithm_typelib=
+{
+ array_elements(encryption_algorithm_names)-1,"",
+ encryption_algorithm_names, NULL
+};
+
static MYSQL_SYSVAR_STR(filename, filename,
PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_READONLY,
@@ -32,9 +48,15 @@ static MYSQL_SYSVAR_STR(filekey, filekey,
"Key to encrypt / decrypt the keyfile.",
NULL, NULL, "");
+static MYSQL_SYSVAR_ENUM(encryption_algorithm, encryption_algorithm,
+ PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_READONLY,
+ "Encryption algorithm to use.",
+ NULL, NULL, 0, &encryption_algorithm_typelib);
+
static struct st_mysql_sys_var* settings[] = {
MYSQL_SYSVAR(filename),
MYSQL_SYSVAR(filekey),
+ MYSQL_SYSVAR(encryption_algorithm),
NULL
};
@@ -88,18 +110,37 @@ static unsigned int get_key_from_key_file(unsigned int key_id,
return 0;
}
+struct st_mariadb_encryption file_key_management_plugin= {
+ MariaDB_ENCRYPTION_INTERFACE_VERSION,
+ get_highest_key_used_in_key_file,
+ get_key_from_key_file,
+ 0,0
+};
+
static int file_key_management_plugin_init(void *p)
{
Parser parser(filename, filekey);
+ switch (encryption_algorithm) {
+ case 0: // AES_CBC
+ file_key_management_plugin.encrypt=
+ (encrypt_decrypt_func)my_aes_encrypt_cbc;
+ file_key_management_plugin.decrypt=
+ (encrypt_decrypt_func)my_aes_decrypt_cbc;
+ break;
+#ifdef HAVE_EncryptAes128Ctr
+ case 1: // AES_CTR
+ file_key_management_plugin.encrypt=
+ (encrypt_decrypt_func)my_aes_encrypt_ctr;
+ file_key_management_plugin.decrypt=
+ (encrypt_decrypt_func)my_aes_decrypt_ctr;
+ break;
+#endif
+ default:
+ return 1; // cannot happen
+ }
return parser.parse(&keys);
}
-struct st_mariadb_encryption file_key_management_plugin= {
- MariaDB_ENCRYPTION_INTERFACE_VERSION,
- get_highest_key_used_in_key_file,
- get_key_from_key_file
-};
-
/*
Plugin library descriptor
*/
diff --git a/sql/encryption_keys.cc b/sql/encryption_keys.cc
index b31ec270a8f..8a9a17a5452 100644
--- a/sql/encryption_keys.cc
+++ b/sql/encryption_keys.cc
@@ -1,7 +1,23 @@
+/* Copyright (C) 2015 MariaDB
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
+
#include <my_global.h>
#include <mysql/plugin_encryption.h>
#include "log.h"
#include "sql_plugin.h"
+#include <my_crypt.h>
/* there can be only one encryption plugin enabled */
static plugin_ref encryption_key_manager= 0;
@@ -34,6 +50,34 @@ uint get_encryption_key(uint version, uchar* key, uint *size)
return BAD_ENCRYPTION_KEY_VERSION;
}
+int encrypt_data(const uchar* source, uint source_length,
+ uchar* dest, uint* dest_length,
+ const uchar* key, uint key_length,
+ const uchar* iv, uint iv_length,
+ int no_padding, uint key_version)
+{
+ if (encryption_key_manager)
+ return handle->encrypt(source, source_length,
+ dest, dest_length, key, key_length,
+ iv, iv_length, no_padding, key_version);
+ return 1;
+}
+
+
+int decrypt_data(const uchar* source, uint source_length,
+ uchar* dest, uint* dest_length,
+ const uchar* key, uint key_length,
+ const uchar* iv, uint iv_length,
+ int no_padding, uint key_version)
+{
+ if (encryption_key_manager)
+ return handle->decrypt(source, source_length,
+ dest, dest_length, key, key_length,
+ iv, iv_length, no_padding, key_version);
+ return 1;
+}
+
+
int initialize_encryption_plugin(st_plugin_int *plugin)
{
if (encryption_key_manager)
@@ -49,6 +93,13 @@ int initialize_encryption_plugin(st_plugin_int *plugin)
encryption_key_manager= plugin_lock(NULL, plugin_int_to_ref(plugin));
handle= (struct st_mariadb_encryption*)
plugin->plugin->info;
+
+ /* default encryption algorithm */
+ if (!handle->encrypt)
+ handle->encrypt= (encrypt_decrypt_func)my_aes_encrypt_cbc;
+ if (!handle->decrypt)
+ handle->decrypt= (encrypt_decrypt_func)my_aes_decrypt_cbc;
+
return 0;
}
diff --git a/sql/item_strfunc.h b/sql/item_strfunc.h
index e11d2c41bc6..ca699b28245 100644
--- a/sql/item_strfunc.h
+++ b/sql/item_strfunc.h
@@ -142,7 +142,9 @@ class Item_aes_crypt :public Item_str_func
void create_key(String *user_key, uchar* key);
protected:
- my_aes_encrypt_dynamic_type crypt;
+ int (*crypt)(const uchar* src, uint slen, uchar* dst, uint* dlen,
+ const uchar* key, uint klen, const uchar* iv, uint ivlen,
+ int no_padding);
public:
Item_aes_crypt(Item *a, Item *b) :Item_str_func(a,b) {}
diff --git a/sql/mysqld.cc b/sql/mysqld.cc
index da432063c0a..c002a9d7d46 100644
--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -630,7 +630,6 @@ char *mysqld_unix_port, *opt_mysql_tmpdir;
ulong thread_handling;
my_bool encrypt_tmp_disk_tables;
-ulong encryption_algorithm;
/** name of reference on left expression in rewritten IN subquery */
const char *in_left_expr_name= "<left expr>";
@@ -4804,13 +4803,6 @@ static int init_server_components()
my_rnd_init(&sql_rand,(ulong) server_start_time,(ulong) server_start_time/2);
setup_fpu();
init_thr_lock();
- if (my_aes_init_dynamic_encrypt((enum_my_aes_encryption_algorithm)
- encryption_algorithm))
- {
- fprintf(stderr, "Can't initialize encryption algorithm to \"%s\".\nCheck that the program is linked with the right library (openssl?)\n",
- encryption_algorithm_names[encryption_algorithm]);
- unireg_abort(1);
- }
#ifndef EMBEDDED_LIBRARY
if (init_thr_timer(thread_scheduler->max_threads + extra_max_connections))
diff --git a/sql/sql_plugin_services.h b/sql/sql_plugin_services.h
index 4511d8bca59..8deac855a53 100644
--- a/sql/sql_plugin_services.h
+++ b/sql/sql_plugin_services.h
@@ -143,7 +143,9 @@ static struct encryption_keys_service_st encryption_keys_handler=
{
get_latest_encryption_key_version,
has_encryption_key,
- get_encryption_key
+ get_encryption_key,
+ encrypt_data,
+ decrypt_data
};
static struct thd_specifics_service_st thd_specifics_handler=
diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc
index 9cba8739eee..32935f3404e 100644
--- a/sql/sys_vars.cc
+++ b/sql/sys_vars.cc
@@ -5168,14 +5168,6 @@ static Sys_var_mybool Sys_encrypt_tmp_disk_tables(
GLOBAL_VAR(encrypt_tmp_disk_tables),
CMD_LINE(OPT_ARG), DEFAULT(FALSE));
-const char *encryption_algorithm_names[]=
-{ "none", "aes_ecb", "aes_cbc", "aes_ctr", 0 };
-static Sys_var_enum Sys_encryption_algorithm(
- "encryption_algorithm",
- "Which encryption algorithm to use for table encryption. aes_cbc is the recommended one.",
- READ_ONLY GLOBAL_VAR(encryption_algorithm),CMD_LINE(REQUIRED_ARG),
- encryption_algorithm_names, DEFAULT(0));
-
static bool check_pseudo_slave_mode(sys_var *self, THD *thd, set_var *var)
{
longlong previous_val= thd->variables.pseudo_slave_mode;
diff --git a/storage/innobase/fil/fil0crypt.cc b/storage/innobase/fil/fil0crypt.cc
index 5020d2345b9..57029c684d4 100644
--- a/storage/innobase/fil/fil0crypt.cc
+++ b/storage/innobase/fil/fil0crypt.cc
@@ -693,11 +693,9 @@ fil_space_encrypt(ulint space, ulint offset, lsn_t lsn,
srclen = page_size - FIL_PAGE_DATA;
}
- int rc = (* my_aes_encrypt_dynamic)(src, srclen,
- dst, &dstlen,
- (unsigned char*)key, key_length,
- (unsigned char*)iv, sizeof(iv),
- 1);
+ int rc = encrypt_data(src, srclen, dst, &dstlen,
+ (unsigned char*)key, key_length,
+ (unsigned char*)iv, sizeof(iv), 1, key_version);
if (! ((rc == AES_OK) && ((ulint) dstlen == srclen))) {
ib_logf(IB_LOG_LEVEL_FATAL,
@@ -867,11 +865,9 @@ fil_space_decrypt(fil_space_crypt_t* crypt_data,
srclen = pow((double)2, (double)((int)compressed_len)) - FIL_PAGE_DATA;
}
- int rc = (* my_aes_decrypt_dynamic)(src, srclen,
- dst, &dstlen,
- (unsigned char*)key, key_length,
- (unsigned char*)iv, sizeof(iv),
- 1);
+ int rc = decrypt_data(src, srclen, dst, &dstlen,
+ (unsigned char*)key, key_length,
+ (unsigned char*)iv, sizeof(iv), 1, key_version);
if (! ((rc == AES_OK) && ((ulint) dstlen == srclen))) {
ib_logf(IB_LOG_LEVEL_FATAL,
diff --git a/storage/innobase/include/log0crypt.h b/storage/innobase/include/log0crypt.h
index 9c7c0229ba4..8d5f8c61dd1 100644
--- a/storage/innobase/include/log0crypt.h
+++ b/storage/innobase/include/log0crypt.h
@@ -17,6 +17,8 @@ Created 11/25/2013 Minli Zhu
#define PURPOSE_BYTE_OFFSET 0
#define UNENCRYPTED_KEY_VER 0
+typedef int Crypt_result;
+
/* If true, enable redo log encryption. */
extern my_bool srv_encrypt_log;
/* Plain text used by AES_ECB to generate redo log crypt key. */
diff --git a/storage/innobase/log/log0crypt.cc b/storage/innobase/log/log0crypt.cc
index 4a7474761a3..f2609b9502a 100644
--- a/storage/innobase/log/log0crypt.cc
+++ b/storage/innobase/log/log0crypt.cc
@@ -32,7 +32,6 @@ Modified Jan Lindström jan.lindstrom@mariadb.com
#include "srv0start.h" // for srv_start_lsn
#include "log0recv.h" // for recv_sys
-#include "mysql/plugin_encryption.h" // for BAD_ENCRYPTION_KEY_VERSION
#include "ha_prototypes.h" // IB_LOG_
/* If true, enable redo log encryption. */
@@ -127,12 +126,10 @@ log_init_crypt_key(
}
uint32 dst_len;
- my_aes_encrypt_dynamic_type func= get_aes_encrypt_func(MY_AES_ALGORITHM_ECB);
- int rc= (*func)(crypt_msg, MY_AES_BLOCK_SIZE, //src, srclen
+ int rc= my_aes_encrypt_ecb(crypt_msg, MY_AES_BLOCK_SIZE, //src, srclen
key, &dst_len, //dst, &dstlen
(unsigned char*)&mysqld_key, sizeof(mysqld_key),
- NULL, 0,
- 1);
+ NULL, 0, 1);
if (rc != AES_OK || dst_len != MY_AES_BLOCK_SIZE)
{
@@ -207,11 +204,11 @@ log_blocks_crypt(
mach_write_to_4(aes_ctr_counter + 11, log_block_no);
bzero(aes_ctr_counter + 15, 1);
- int rc = (* my_aes_encrypt_dynamic)(log_block + LOG_BLOCK_HDR_SIZE, src_len,
- dst_block + LOG_BLOCK_HDR_SIZE, &dst_len,
- (unsigned char*)key, 16,
- aes_ctr_counter, MY_AES_BLOCK_SIZE,
- 1);
+ int rc = encrypt_data(log_block + LOG_BLOCK_HDR_SIZE, src_len,
+ dst_block + LOG_BLOCK_HDR_SIZE, &dst_len,
+ (unsigned char*)key, 16,
+ aes_ctr_counter, MY_AES_BLOCK_SIZE, 1,
+ recv_sys->recv_log_crypt_ver);
ut_a(rc == AES_OK);
ut_a(dst_len == src_len);
@@ -266,8 +263,7 @@ log_crypt_set_ver_and_key(
encrypted = true;
if (vkey == UNENCRYPTED_KEY_VER ||
- vkey == BAD_ENCRYPTION_KEY_VERSION ||
- vkey == (unsigned int)CRYPT_KEY_UNKNOWN) {
+ vkey == BAD_ENCRYPTION_KEY_VERSION) {
encrypted = false;
ib_logf(IB_LOG_LEVEL_WARN,
diff --git a/storage/maria/ma_check_standalone.h b/storage/maria/ma_check_standalone.h
index 241bc7c2739..056d4660a72 100644
--- a/storage/maria/ma_check_standalone.h
+++ b/storage/maria/ma_check_standalone.h
@@ -23,6 +23,40 @@ void _mi_report_crashed(void *file __attribute__((unused)),
{
}
+unsigned int get_latest_encryption_key_version()
+{
+ return BAD_ENCRYPTION_KEY_VERSION;
+}
+
+int encrypt_data(const uchar* source __attribute__((unused)),
+ uint source_length __attribute__((unused)),
+ uchar* dest __attribute__((unused)),
+ uint* dest_length __attribute__((unused)),
+ const uchar* key __attribute__((unused)),
+ uint key_length __attribute__((unused)),
+ const uchar* iv __attribute__((unused)),
+ uint iv_length __attribute__((unused)),
+ int no_padding __attribute__((unused)),
+ uint key_version __attribute__((unused)))
+{
+ return 1;
+}
+
+
+int decrypt_data(const uchar* source __attribute__((unused)),
+ uint source_length __attribute__((unused)),
+ uchar* dest __attribute__((unused)),
+ uint* dest_length __attribute__((unused)),
+ const uchar* key __attribute__((unused)),
+ uint key_length __attribute__((unused)),
+ const uchar* iv __attribute__((unused)),
+ uint iv_length __attribute__((unused)),
+ int no_padding __attribute__((unused)),
+ uint key_version __attribute__((unused)))
+{
+ return 1;
+}
+
/* only those that included myisamchk.h may need and can use the below */
#ifdef _myisamchk_h
/*
@@ -121,5 +155,6 @@ void _ma_check_print_error(HA_CHECK *param, const char *fmt,...)
va_end(args);
DBUG_VOID_RETURN;
}
+
#endif
diff --git a/storage/maria/ma_crypt.c b/storage/maria/ma_crypt.c
index c471a246bbf..fabfbe9d584 100644
--- a/storage/maria/ma_crypt.c
+++ b/storage/maria/ma_crypt.c
@@ -16,7 +16,6 @@
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
#include <my_global.h>
-#include "ma_crypt.h"
#include "maria_def.h"
#include "ma_blockrec.h"
#include <my_crypt.h>
@@ -291,7 +290,7 @@ void ma_crypt_set_data_pagecache_callbacks(PAGECACHE_FILE *file,
__attribute__((unused)))
{
/* Only use encryption if we have defined it */
- if (likely(current_aes_dynamic_method != MY_AES_ALGORITHM_NONE))
+ if (get_latest_encryption_key_version() != BAD_ENCRYPTION_KEY_VERSION)
{
file->pre_read_hook= ma_crypt_pre_read_hook;
file->post_read_hook= ma_crypt_data_post_read_hook;
@@ -411,17 +410,16 @@ static int ma_encrypt(MARIA_CRYPT_DATA *crypt_data,
int rc;
uint32 dstlen;
uchar counter[COUNTER_LEN];
+ *key_version= 1;
// create counter block
memcpy(counter + 0, crypt_data->iv + CRYPT_SCHEME_1_IV_LEN, 4);
int4store(counter + 4, pageno);
int8store(counter + 8, lsn);
- rc = my_aes_encrypt_dynamic(src, size,
- dst, &dstlen,
- crypt_data->iv, CRYPT_SCHEME_1_IV_LEN,
- counter, sizeof(counter),
- 1);
+ rc = encrypt_data(src, size, dst, &dstlen,
+ crypt_data->iv, CRYPT_SCHEME_1_IV_LEN,
+ counter, sizeof(counter), 1, *key_version);
DBUG_ASSERT(rc == AES_OK);
DBUG_ASSERT(dstlen == size);
@@ -434,7 +432,6 @@ static int ma_encrypt(MARIA_CRYPT_DATA *crypt_data,
return 1;
}
- *key_version= 1;
return 0;
}
@@ -452,11 +449,9 @@ static int ma_decrypt(MARIA_CRYPT_DATA *crypt_data,
int4store(counter + 4, pageno);
int8store(counter + 8, lsn);
- rc = my_aes_decrypt_dynamic(src, size,
- dst, &dstlen,
- crypt_data->iv, CRYPT_SCHEME_1_IV_LEN,
- counter, sizeof(counter),
- 1);
+ rc =decrypt_data(src, size, dst, &dstlen,
+ crypt_data->iv, CRYPT_SCHEME_1_IV_LEN,
+ counter, sizeof(counter), 1, key_version);
DBUG_ASSERT(rc == AES_OK);
DBUG_ASSERT(dstlen == size);
diff --git a/storage/xtradb/fil/fil0crypt.cc b/storage/xtradb/fil/fil0crypt.cc
index 24592e6a11d..660cfb9417d 100644
--- a/storage/xtradb/fil/fil0crypt.cc
+++ b/storage/xtradb/fil/fil0crypt.cc
@@ -693,11 +693,9 @@ fil_space_encrypt(ulint space, ulint offset, lsn_t lsn,
srclen = page_size - FIL_PAGE_DATA;
}
- int rc = (* my_aes_encrypt_dynamic)(src, srclen,
- dst, &dstlen,
- (unsigned char*)key, key_length,
- (unsigned char*)iv, sizeof(iv),
- 1);
+ int rc = encrypt_data(src, srclen, dst, &dstlen,
+ (unsigned char*)key, key_length,
+ (unsigned char*)iv, sizeof(iv), 1, key_version);
if (! ((rc == AES_OK) && ((ulint) dstlen == srclen))) {
ib_logf(IB_LOG_LEVEL_FATAL,
@@ -867,11 +865,9 @@ fil_space_decrypt(fil_space_crypt_t* crypt_data,
srclen = pow((double)2, (double)((int)compressed_len)) - FIL_PAGE_DATA;
}
- int rc = (* my_aes_decrypt_dynamic)(src, srclen,
- dst, &dstlen,
- (unsigned char*)key, key_length,
- (unsigned char*)iv, sizeof(iv),
- 1);
+ int rc = decrypt_data(src, srclen, dst, &dstlen,
+ (unsigned char*)key, key_length,
+ (unsigned char*)iv, sizeof(iv), 1, key_version);
if (! ((rc == AES_OK) && ((ulint) dstlen == srclen))) {
ib_logf(IB_LOG_LEVEL_FATAL,
diff --git a/storage/xtradb/include/log0crypt.h b/storage/xtradb/include/log0crypt.h
index 9c7c0229ba4..8d5f8c61dd1 100644
--- a/storage/xtradb/include/log0crypt.h
+++ b/storage/xtradb/include/log0crypt.h
@@ -17,6 +17,8 @@ Created 11/25/2013 Minli Zhu
#define PURPOSE_BYTE_OFFSET 0
#define UNENCRYPTED_KEY_VER 0
+typedef int Crypt_result;
+
/* If true, enable redo log encryption. */
extern my_bool srv_encrypt_log;
/* Plain text used by AES_ECB to generate redo log crypt key. */
diff --git a/storage/xtradb/log/log0crypt.cc b/storage/xtradb/log/log0crypt.cc
index 4a7474761a3..643e3a08ec4 100644
--- a/storage/xtradb/log/log0crypt.cc
+++ b/storage/xtradb/log/log0crypt.cc
@@ -32,7 +32,6 @@ Modified Jan Lindström jan.lindstrom@mariadb.com
#include "srv0start.h" // for srv_start_lsn
#include "log0recv.h" // for recv_sys
-#include "mysql/plugin_encryption.h" // for BAD_ENCRYPTION_KEY_VERSION
#include "ha_prototypes.h" // IB_LOG_
/* If true, enable redo log encryption. */
@@ -127,12 +126,10 @@ log_init_crypt_key(
}
uint32 dst_len;
- my_aes_encrypt_dynamic_type func= get_aes_encrypt_func(MY_AES_ALGORITHM_ECB);
- int rc= (*func)(crypt_msg, MY_AES_BLOCK_SIZE, //src, srclen
+ int rc= my_aes_encrypt_ecb(crypt_msg, MY_AES_BLOCK_SIZE, //src, srclen
key, &dst_len, //dst, &dstlen
(unsigned char*)&mysqld_key, sizeof(mysqld_key),
- NULL, 0,
- 1);
+ NULL, 0, 1);
if (rc != AES_OK || dst_len != MY_AES_BLOCK_SIZE)
{
@@ -207,11 +204,11 @@ log_blocks_crypt(
mach_write_to_4(aes_ctr_counter + 11, log_block_no);
bzero(aes_ctr_counter + 15, 1);
- int rc = (* my_aes_encrypt_dynamic)(log_block + LOG_BLOCK_HDR_SIZE, src_len,
- dst_block + LOG_BLOCK_HDR_SIZE, &dst_len,
- (unsigned char*)key, 16,
- aes_ctr_counter, MY_AES_BLOCK_SIZE,
- 1);
+ int rc = encrypt_data(log_block + LOG_BLOCK_HDR_SIZE, src_len,
+ dst_block + LOG_BLOCK_HDR_SIZE, &dst_len,
+ (unsigned char*)key, 16,
+ aes_ctr_counter, MY_AES_BLOCK_SIZE, 1,
+ log_sys->redo_log_crypt_ver);
ut_a(rc == AES_OK);
ut_a(dst_len == src_len);
@@ -266,8 +263,7 @@ log_crypt_set_ver_and_key(
encrypted = true;
if (vkey == UNENCRYPTED_KEY_VER ||
- vkey == BAD_ENCRYPTION_KEY_VERSION ||
- vkey == (unsigned int)CRYPT_KEY_UNKNOWN) {
+ vkey == BAD_ENCRYPTION_KEY_VERSION) {
encrypted = false;
ib_logf(IB_LOG_LEVEL_WARN,
View Lorry Controller Status