summaryrefslogtreecommitdiffstats
path: root/include/mysql/service_encryption_scheme.h
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-04 18:07:14 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-04 18:07:14 +0000
commita175314c3e5827eb193872241446f2f8f5c9d33c (patch)
treecd3d60ca99ae00829c52a6ca79150a5b6e62528b /include/mysql/service_encryption_scheme.h
parentInitial commit. (diff)
downloadmariadb-10.5-a175314c3e5827eb193872241446f2f8f5c9d33c.tar.xz
mariadb-10.5-a175314c3e5827eb193872241446f2f8f5c9d33c.zip
Adding upstream version 1:10.5.12.upstream/1%10.5.12upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'include/mysql/service_encryption_scheme.h')
-rw-r--r--include/mysql/service_encryption_scheme.h133
1 files changed, 133 insertions, 0 deletions
diff --git a/include/mysql/service_encryption_scheme.h b/include/mysql/service_encryption_scheme.h
new file mode 100644
index 00000000..bcd4d646
--- /dev/null
+++ b/include/mysql/service_encryption_scheme.h
@@ -0,0 +1,133 @@
+#ifndef MYSQL_SERVICE_ENCRYPTION_SCHEME_INCLUDED
+/* Copyright (c) 2015, MariaDB
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA */
+
+/**
+ @file
+ encryption scheme service
+
+ A higher-level access to encryption service.
+
+ This is a helper service that storage engines use to encrypt tables on disk.
+ It requests keys from the plugin, generates temporary or local keys
+ from the global (as returned by the plugin) keys, etc.
+
+ To use the service:
+
+ * st_encryption_scheme object is created per space. A "space" can be
+ a table space in XtraDB/InnoDB, a file in Aria, etc. The whole
+ space is encrypted with the one key id.
+
+ * The service does not take the key and the IV as parameters for
+ encryption or decryption. Instead it takes two 32-bit integers and
+ one 64-bit integer (and requests the key from an encryption
+ plugin, if needed).
+
+ * The service requests the global key from the encryption plugin
+ automatically as needed. Three last keys are cached in the
+ st_encryption_scheme. Number of key requests (number of cache
+ misses) are counted in st_encryption_scheme::keyserver_requests
+
+ * If an st_encryption_scheme can be used concurrently by different
+ threads, it needs to be able to lock itself when accessing the key
+ cache. Set the st_encryption_scheme::locker appropriately. If
+ non-zero, it will be invoked by encrypt/decrypt functions to lock
+ and unlock the scheme when needed.
+
+ * Implementation details (in particular, key derivation) are defined
+ by the scheme type. Currently only schema type 1 is supported.
+
+ In the schema type 1, every "space" (table space in XtraDB/InnoDB,
+ file in Aria) is encrypted with a different space-local key:
+
+ * Every space has a 16-byte unique identifier (typically it's
+ generated randomly and stored in the space). The caller should
+ put it into st_encryption_scheme::iv.
+
+ * Space-local key is generated by encrypting this identifier with
+ the global encryption key (of the given id and version) using AES_ECB.
+
+ * Encryption/decryption parameters for a page are typically the
+ 4-byte space id, 4-byte page position (offset, page number, etc),
+ and the 8-byte LSN. This guarantees that they'll be different for
+ any two pages (of the same or different tablespaces) and also that
+ they'll change for the same page when it's modified. They don't need
+ to be secret (they create the IV, not the encryption key).
+*/
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define ENCRYPTION_SCHEME_KEY_INVALID -1
+#define ENCRYPTION_SCHEME_BLOCK_LENGTH 16
+
+struct st_encryption_scheme_key {
+ unsigned int version;
+ unsigned char key[ENCRYPTION_SCHEME_BLOCK_LENGTH];
+};
+
+struct st_encryption_scheme {
+ unsigned char iv[ENCRYPTION_SCHEME_BLOCK_LENGTH];
+ struct st_encryption_scheme_key key[3];
+ unsigned int keyserver_requests;
+ unsigned int key_id;
+ unsigned int type;
+
+ void (*locker)(struct st_encryption_scheme *self, int release);
+};
+
+extern struct encryption_scheme_service_st {
+ int (*encryption_scheme_encrypt_func)
+ (const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ struct st_encryption_scheme *scheme,
+ unsigned int key_version, unsigned int i32_1,
+ unsigned int i32_2, unsigned long long i64);
+ int (*encryption_scheme_decrypt_func)
+ (const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ struct st_encryption_scheme *scheme,
+ unsigned int key_version, unsigned int i32_1,
+ unsigned int i32_2, unsigned long long i64);
+} *encryption_scheme_service;
+
+#ifdef MYSQL_DYNAMIC_PLUGIN
+
+#define encryption_scheme_encrypt(S,SL,D,DL,SCH,KV,I32,J32,I64) encryption_scheme_service->encryption_scheme_encrypt_func(S,SL,D,DL,SCH,KV,I32,J32,I64)
+#define encryption_scheme_decrypt(S,SL,D,DL,SCH,KV,I32,J32,I64) encryption_scheme_service->encryption_scheme_decrypt_func(S,SL,D,DL,SCH,KV,I32,J32,I64)
+
+#else
+
+int encryption_scheme_encrypt(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ struct st_encryption_scheme *scheme,
+ unsigned int key_version, unsigned int i32_1,
+ unsigned int i32_2, unsigned long long i64);
+int encryption_scheme_decrypt(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ struct st_encryption_scheme *scheme,
+ unsigned int key_version, unsigned int i32_1,
+ unsigned int i32_2, unsigned long long i64);
+
+#endif
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#define MYSQL_SERVICE_ENCRYPTION_SCHEME_INCLUDED
+#endif