diff options
Diffstat (limited to 'include/mysql/plugin_encryption.h')
-rw-r--r-- | include/mysql/plugin_encryption.h | 126 |
1 files changed, 126 insertions, 0 deletions
diff --git a/include/mysql/plugin_encryption.h b/include/mysql/plugin_encryption.h new file mode 100644 index 00000000..3c574aa4 --- /dev/null +++ b/include/mysql/plugin_encryption.h @@ -0,0 +1,126 @@ +#ifndef MYSQL_PLUGIN_ENCRYPTION_INCLUDED +/* Copyright (C) 2014, 2015 Sergei Golubchik and MariaDB + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA */ + +/** + @file + + Encryption Plugin API. + + This file defines the API for server plugins that manage encryption + keys for MariaDB on-disk data encryption. +*/ + +#define MYSQL_PLUGIN_ENCRYPTION_INCLUDED + +#include <mysql/plugin.h> + +#ifdef __cplusplus +extern "C" { +#endif + +#define MariaDB_ENCRYPTION_INTERFACE_VERSION 0x0300 + +/** + Encryption plugin descriptor +*/ +struct st_mariadb_encryption +{ + int interface_version; /**< version plugin uses */ + + /*********** KEY MANAGEMENT ********************************************/ + + /** + function returning latest key version for a given key id + + @return a version or ENCRYPTION_KEY_VERSION_INVALID to indicate an error. + */ + unsigned int (*get_latest_key_version)(unsigned int key_id); + + /** + function returning a key for a key version + + @param version the requested key version + @param key the key will be stored there. Can be NULL - + in which case no key will be returned + @param key_length in: key buffer size + out: the actual length of the key + + This method can be used to query the key length - the required + buffer size - by passing key==NULL. + + If the buffer size is less than the key length the content of the + key buffer is undefined (the plugin is free to partially fill it with + the key data or leave it untouched). + + @return 0 on success, or + ENCRYPTION_KEY_VERSION_INVALID, ENCRYPTION_KEY_BUFFER_TOO_SMALL + or any other non-zero number for errors + */ + unsigned int (*get_key)(unsigned int key_id, unsigned int version, + unsigned char *key, unsigned int *key_length); + + /*********** ENCRYPTION ************************************************/ + /* + the caller uses encryption as follows: + 1. create the encryption context object of the crypt_ctx_size() bytes. + 2. initialize it with crypt_ctx_init(). + 3. repeat crypt_ctx_update() until there are no more data to encrypt. + 4. write the remaining output bytes and destroy the context object + with crypt_ctx_finish(). + */ + + /** + returns the size of the encryption context object in bytes + */ + unsigned int (*crypt_ctx_size)(unsigned int key_id, unsigned int key_version); + /** + initializes the encryption context object. + */ + int (*crypt_ctx_init)(void *ctx, const unsigned char* key, unsigned int klen, + const unsigned char* iv, unsigned int ivlen, + int flags, unsigned int key_id, + unsigned int key_version); + /** + processes (encrypts or decrypts) a chunk of data + + writes the output to th dst buffer. note that it might write + more bytes that were in the input. or less. or none at all. + */ + int (*crypt_ctx_update)(void *ctx, const unsigned char* src, unsigned int slen, + unsigned char* dst, unsigned int* dlen); + /** + writes the remaining output bytes and destroys the encryption context + + crypt_ctx_update might've cached part of the output in the context, + this method will flush these data out. + */ + int (*crypt_ctx_finish)(void *ctx, unsigned char* dst, unsigned int* dlen); + /** + returns the length of the encrypted data + + it returns the exact length, given only the source length. + which means, this API only supports encryption algorithms where + the length of the encrypted data only depends on the length of the + input (a.k.a. compression is not supported). + */ + unsigned int (*encrypted_length)(unsigned int slen, unsigned int key_id, unsigned int key_version); +}; + +#ifdef __cplusplus +} +#endif +#endif + |