1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
#ifndef MYSQL_SERVICE_ENCRYPTION_SCHEME_INCLUDED
/* Copyright (c) 2015, MariaDB
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA */
/**
@file
encryption scheme service
A higher-level access to encryption service.
This is a helper service that storage engines use to encrypt tables on disk.
It requests keys from the plugin, generates temporary or local keys
from the global (as returned by the plugin) keys, etc.
To use the service:
* st_encryption_scheme object is created per space. A "space" can be
a table space in XtraDB/InnoDB, a file in Aria, etc. The whole
space is encrypted with the one key id.
* The service does not take the key and the IV as parameters for
encryption or decryption. Instead it takes two 32-bit integers and
one 64-bit integer (and requests the key from an encryption
plugin, if needed).
* The service requests the global key from the encryption plugin
automatically as needed. Three last keys are cached in the
st_encryption_scheme. Number of key requests (number of cache
misses) are counted in st_encryption_scheme::keyserver_requests
* If an st_encryption_scheme can be used concurrently by different
threads, it needs to be able to lock itself when accessing the key
cache. Set the st_encryption_scheme::locker appropriately. If
non-zero, it will be invoked by encrypt/decrypt functions to lock
and unlock the scheme when needed.
* Implementation details (in particular, key derivation) are defined
by the scheme type. Currently only schema type 1 is supported.
In the schema type 1, every "space" (table space in XtraDB/InnoDB,
file in Aria) is encrypted with a different space-local key:
* Every space has a 16-byte unique identifier (typically it's
generated randomly and stored in the space). The caller should
put it into st_encryption_scheme::iv.
* Space-local key is generated by encrypting this identifier with
the global encryption key (of the given id and version) using AES_ECB.
* Encryption/decryption parameters for a page are typically the
4-byte space id, 4-byte page position (offset, page number, etc),
and the 8-byte LSN. This guarantees that they'll be different for
any two pages (of the same or different tablespaces) and also that
they'll change for the same page when it's modified. They don't need
to be secret (they create the IV, not the encryption key).
*/
#ifdef __cplusplus
extern "C" {
#endif
#define ENCRYPTION_SCHEME_KEY_INVALID -1
#define ENCRYPTION_SCHEME_BLOCK_LENGTH 16
struct st_encryption_scheme_key {
unsigned int version;
unsigned char key[ENCRYPTION_SCHEME_BLOCK_LENGTH];
};
struct st_encryption_scheme {
unsigned char iv[ENCRYPTION_SCHEME_BLOCK_LENGTH];
struct st_encryption_scheme_key key[3];
unsigned int keyserver_requests;
unsigned int key_id;
unsigned int type;
void (*locker)(struct st_encryption_scheme *self, int release);
};
extern struct encryption_scheme_service_st {
int (*encryption_scheme_encrypt_func)
(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
struct st_encryption_scheme *scheme,
unsigned int key_version, unsigned int i32_1,
unsigned int i32_2, unsigned long long i64);
int (*encryption_scheme_decrypt_func)
(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
struct st_encryption_scheme *scheme,
unsigned int key_version, unsigned int i32_1,
unsigned int i32_2, unsigned long long i64);
} *encryption_scheme_service;
#ifdef MYSQL_DYNAMIC_PLUGIN
#define encryption_scheme_encrypt(S,SL,D,DL,SCH,KV,I32,J32,I64) encryption_scheme_service->encryption_scheme_encrypt_func(S,SL,D,DL,SCH,KV,I32,J32,I64)
#define encryption_scheme_decrypt(S,SL,D,DL,SCH,KV,I32,J32,I64) encryption_scheme_service->encryption_scheme_decrypt_func(S,SL,D,DL,SCH,KV,I32,J32,I64)
#else
int encryption_scheme_encrypt(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
struct st_encryption_scheme *scheme,
unsigned int key_version, unsigned int i32_1,
unsigned int i32_2, unsigned long long i64);
int encryption_scheme_decrypt(const unsigned char* src, unsigned int slen,
unsigned char* dst, unsigned int* dlen,
struct st_encryption_scheme *scheme,
unsigned int key_version, unsigned int i32_1,
unsigned int i32_2, unsigned long long i64);
#endif
#ifdef __cplusplus
}
#endif
#define MYSQL_SERVICE_ENCRYPTION_SCHEME_INCLUDED
#endif
|