summaryrefslogtreecommitdiffstats
path: root/sql/encryption.cc
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--sql/encryption.cc248
1 files changed, 248 insertions, 0 deletions
diff --git a/sql/encryption.cc b/sql/encryption.cc
new file mode 100644
index 00000000..13239b91
--- /dev/null
+++ b/sql/encryption.cc
@@ -0,0 +1,248 @@
+/* Copyright (C) 2015 MariaDB
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA */
+
+#include "mariadb.h"
+#include <mysql/plugin_encryption.h>
+#include "log.h"
+#include "sql_plugin.h"
+#include <my_crypt.h>
+#include <violite.h>
+
+/* there can be only one encryption plugin enabled */
+static plugin_ref encryption_manager= 0;
+struct encryption_service_st encryption_handler;
+
+extern "C" {
+
+uint no_get_key(uint, uint, uchar*, uint*)
+{
+ return ENCRYPTION_KEY_VERSION_INVALID;
+}
+uint no_key(uint)
+{
+ return ENCRYPTION_KEY_VERSION_INVALID;
+}
+uint zero_size(uint,uint)
+{
+ return 0;
+}
+
+static int ctx_init(void *ctx, const unsigned char* key, unsigned int klen,
+ const unsigned char* iv, unsigned int ivlen, int flags,
+ unsigned int key_id, unsigned int key_version)
+{
+ return my_aes_crypt_init(ctx, MY_AES_CBC, flags, key, klen, iv, ivlen);
+}
+
+static unsigned int get_length(unsigned int slen, unsigned int key_id,
+ unsigned int key_version)
+{
+ return my_aes_get_size(MY_AES_CBC, slen);
+}
+
+uint ctx_size(unsigned int, unsigned int)
+{
+ return MY_AES_CTX_SIZE;
+}
+
+} /* extern "C" */
+
+int initialize_encryption_plugin(st_plugin_int *plugin)
+{
+ if (encryption_manager)
+ return 1;
+
+ vio_check_ssl_init();
+
+ if (plugin->plugin->init && plugin->plugin->init(plugin))
+ {
+ sql_print_error("Plugin '%s' init function returned error.",
+ plugin->name.str);
+ return 1;
+ }
+
+ encryption_manager= plugin_lock(NULL, plugin_int_to_ref(plugin));
+ st_mariadb_encryption *handle=
+ (struct st_mariadb_encryption*) plugin->plugin->info;
+
+ /*
+ Compiler on Spark doesn't like the '?' operator here as it
+ believes the (uint (*)...) implies the C++ call model.
+ */
+ if (handle->crypt_ctx_size)
+ encryption_handler.encryption_ctx_size_func= handle->crypt_ctx_size;
+ else
+ encryption_handler.encryption_ctx_size_func= ctx_size;
+
+ encryption_handler.encryption_ctx_init_func=
+ handle->crypt_ctx_init ? handle->crypt_ctx_init : ctx_init;
+
+ encryption_handler.encryption_ctx_update_func=
+ handle->crypt_ctx_update ? handle->crypt_ctx_update : my_aes_crypt_update;
+
+ encryption_handler.encryption_ctx_finish_func=
+ handle->crypt_ctx_finish ? handle->crypt_ctx_finish : my_aes_crypt_finish;
+
+ encryption_handler.encryption_encrypted_length_func=
+ handle->encrypted_length ? handle->encrypted_length : get_length;
+
+ encryption_handler.encryption_key_get_func=
+ handle->get_key;
+
+ encryption_handler.encryption_key_get_latest_version_func=
+ handle->get_latest_key_version; // must be the last
+
+ return 0;
+}
+
+int finalize_encryption_plugin(st_plugin_int *plugin)
+{
+ bool used= plugin_ref_to_int(encryption_manager) == plugin;
+
+ if (used)
+ {
+ encryption_handler.encryption_key_get_func= no_get_key;
+ encryption_handler.encryption_key_get_latest_version_func= no_key;
+ encryption_handler.encryption_ctx_size_func= zero_size;
+ }
+
+ if (plugin && plugin->plugin->deinit && plugin->plugin->deinit(NULL))
+ {
+ DBUG_PRINT("warning", ("Plugin '%s' deinit function returned error.",
+ plugin->name.str));
+ }
+
+ if (used)
+ {
+ plugin_unlock(NULL, encryption_manager);
+ encryption_manager= 0;
+ }
+ return 0;
+}
+
+/******************************************************************
+ Encryption Scheme service
+******************************************************************/
+static uint scheme_get_key(st_encryption_scheme *scheme,
+ st_encryption_scheme_key *key)
+{
+ if (scheme->locker)
+ scheme->locker(scheme, 0);
+
+ // Check if we already have key
+ for (uint i = 0; i < array_elements(scheme->key); i++)
+ {
+ if (scheme->key[i].version == 0) // no more keys
+ break;
+
+ if (scheme->key[i].version == key->version)
+ {
+ *key= scheme->key[i];
+ if (scheme->locker)
+ scheme->locker(scheme, 1);
+ return 0;
+ }
+ }
+
+ // Not found!
+ scheme->keyserver_requests++;
+
+ uchar global_key[MY_AES_MAX_KEY_LENGTH];
+ uint global_key_len= sizeof(global_key), key_len;
+
+ uint rc = encryption_key_get(scheme->key_id, key->version,
+ global_key, & global_key_len);
+ if (rc)
+ goto ret;
+
+ /* Now generate the local key by encrypting IV using the global key */
+ rc = my_aes_crypt(MY_AES_ECB, ENCRYPTION_FLAG_ENCRYPT | ENCRYPTION_FLAG_NOPAD,
+ scheme->iv, sizeof(scheme->iv), key->key, &key_len,
+ global_key, global_key_len, NULL, 0);
+
+ DBUG_ASSERT(key_len == sizeof(key->key));
+
+ if (rc)
+ goto ret;
+
+ // Rotate keys to make room for a new
+ for (uint i = array_elements(scheme->key) - 1; i; i--)
+ scheme->key[i] = scheme->key[i - 1];
+
+ scheme->key[0]= *key;
+
+ret:
+ if (scheme->locker)
+ scheme->locker(scheme, 1);
+ return rc;
+}
+
+int do_crypt(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ struct st_encryption_scheme *scheme,
+ unsigned int key_version, unsigned int i32_1,
+ unsigned int i32_2, unsigned long long i64,
+ int flag)
+{
+ compile_time_assert(ENCRYPTION_SCHEME_KEY_INVALID ==
+ (int)ENCRYPTION_KEY_VERSION_INVALID);
+
+ // Maybe temporal solution for MDEV-8173
+ // Rationale: scheme->type is currently global/object
+ // and when used here might not represent actual state
+ // of smaller granularity objects e.g. InnoDB page state
+ // as type is stored to tablespace (FIL) and could represent
+ // state where key rotation is trying to reach
+ //DBUG_ASSERT(scheme->type == 1);
+
+ if (key_version == ENCRYPTION_KEY_VERSION_INVALID ||
+ key_version == ENCRYPTION_KEY_NOT_ENCRYPTED)
+ return ENCRYPTION_SCHEME_KEY_INVALID;
+
+ st_encryption_scheme_key key;
+ key.version= key_version;
+ uint rc= scheme_get_key(scheme, &key);
+ if (rc)
+ return (int)rc;
+
+ unsigned char iv[4 + 4 + 8];
+ int4store(iv + 0, i32_1);
+ int4store(iv + 4, i32_2);
+ int8store(iv + 8, i64);
+
+ return encryption_crypt(src, slen, dst, dlen, key.key, sizeof(key.key),
+ iv, sizeof(iv), flag, scheme->key_id, key_version);
+}
+
+int encryption_scheme_encrypt(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ struct st_encryption_scheme *scheme,
+ unsigned int key_version, unsigned int i32_1,
+ unsigned int i32_2, unsigned long long i64)
+{
+ return do_crypt(src, slen, dst, dlen, scheme, key_version, i32_1,
+ i32_2, i64, ENCRYPTION_FLAG_NOPAD | ENCRYPTION_FLAG_ENCRYPT);
+}
+
+
+int encryption_scheme_decrypt(const unsigned char* src, unsigned int slen,
+ unsigned char* dst, unsigned int* dlen,
+ struct st_encryption_scheme *scheme,
+ unsigned int key_version, unsigned int i32_1,
+ unsigned int i32_2, unsigned long long i64)
+{
+ return do_crypt(src, slen, dst, dlen, scheme, key_version, i32_1,
+ i32_2, i64, ENCRYPTION_FLAG_NOPAD | ENCRYPTION_FLAG_DECRYPT);
+}