MDEV-8817: Failing assertion: new_state->key_version != ENCRYPTION_KE…

…Y_VERSION_INVALID Folloup: Made encryption rules too strict (and incorrect). Allow creating table with ENCRYPTED=OFF with all values of ENCRYPTION_KEY_ID but create warning that nondefault values are ignored. Allow creating table with ENCRYPTED=DEFAULT if used key_id is found from key file (there was bug on this) and give error if key_id is not found.
MariaDB · Sep 23, 2015 · 180c44e · 180c44e
1 parent 7cbecad
commit 180c44e
Show file tree

Hide file tree

Showing 4 changed files with 107 additions and 22 deletions.
diff --git a/mysql-test/suite/encryption/r/innodb-encryption-alter.result b/mysql-test/suite/encryption/r/innodb-encryption-alter.result
@@ -3,11 +3,51 @@ SET GLOBAL innodb_file_per_table = ON;
 SET GLOBAL innodb_encrypt_tables = ON;
 SET GLOBAL innodb_encryption_threads = 4;
 CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO ENCRYPTION_KEY_ID=4;
+Warnings:
+Warning	140	InnoDB: Ignored ENCRYPTION_KEY_ID 4 when encryption is disabled
+DROP TABLE t1;
+set innodb_default_encryption_key_id = 99;
+CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB;
 ERROR HY000: Can't create table `test`.`t1` (errno: 140 "Wrong create options")
+SHOW WARNINGS;
+Level	Code	Message
+Warning	140	InnoDB: ENCRYPTION_KEY_ID 99 not available
+Error	1005	Can't create table `test`.`t1` (errno: 140 "Wrong create options")
+Warning	1030	Got error 140 "Wrong create options" from storage engine InnoDB
+CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES;
+ERROR HY000: Can't create table `test`.`t1` (errno: 140 "Wrong create options")
+SHOW WARNINGS;
+Level	Code	Message
+Warning	140	InnoDB: ENCRYPTION_KEY_ID 99 not available
+Error	1005	Can't create table `test`.`t1` (errno: 140 "Wrong create options")
+Warning	1030	Got error 140 "Wrong create options" from storage engine InnoDB
+set innodb_default_encryption_key_id = 4;
+CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES;
+SHOW CREATE TABLE t1;
+Table	Create Table
+t1	CREATE TABLE `t1` (
+  `pk` int(11) NOT NULL AUTO_INCREMENT,
+  `c` varchar(256) DEFAULT NULL,
+  PRIMARY KEY (`pk`)
+) ENGINE=InnoDB DEFAULT CHARSET=latin1 `ENCRYPTED`=YES `ENCRYPTION_KEY_ID`=4
+DROP TABLE t1;
+CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB;
+SHOW CREATE TABLE t1;
+Table	Create Table
+t1	CREATE TABLE `t1` (
+  `pk` int(11) NOT NULL AUTO_INCREMENT,
+  `c` varchar(256) DEFAULT NULL,
+  PRIMARY KEY (`pk`)
+) ENGINE=InnoDB DEFAULT CHARSET=latin1 `ENCRYPTION_KEY_ID`=4
 CREATE TABLE t2 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO ENCRYPTION_KEY_ID=1;
-CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES ENCRYPTION_KEY_ID=4;
-ALTER TABLE t2 ENCRYPTION_KEY_ID=4;
-ERROR HY000: Can't create table `test`.`#sql-temporary` (errno: 140 "Wrong create options")
+Warnings:
+Warning	140	InnoDB: Ignored ENCRYPTION_KEY_ID 1 when encryption is disabled
 ALTER TABLE t1 ENCRYPTION_KEY_ID=99;
 ERROR HY000: Can't create table `test`.`#sql-temporary` (errno: 140 "Wrong create options")
+SHOW WARNINGS;
+Level	Code	Message
+Warning	140	InnoDB: ENCRYPTION_KEY_ID 99 not available
+Error	1005	Can't create table `test`.`#sql-temporary` (errno: 140 "Wrong create options")
+Warning	1030	Got error 140 "Wrong create options" from storage engine InnoDB
+set innodb_default_encryption_key_id = 1;
 drop table t1,t2;
diff --git a/mysql-test/suite/encryption/t/innodb-encryption-alter.test b/mysql-test/suite/encryption/t/innodb-encryption-alter.test
@@ -17,16 +17,29 @@ SET GLOBAL innodb_file_per_table = ON;
 SET GLOBAL innodb_encrypt_tables = ON;
 SET GLOBAL innodb_encryption_threads = 4;
 
---error 1005
 CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO ENCRYPTION_KEY_ID=4;
-CREATE TABLE t2 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO ENCRYPTION_KEY_ID=1;
-CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES ENCRYPTION_KEY_ID=4;
---replace_regex /#sql-[0-9a-f_]*/#sql-temporary/
+DROP TABLE t1;
+set innodb_default_encryption_key_id = 99;
+--error 1005
+CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB;
+SHOW WARNINGS;
 --error 1005
-ALTER TABLE t2 ENCRYPTION_KEY_ID=4;
+CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES;
+SHOW WARNINGS;
+set innodb_default_encryption_key_id = 4;
+CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES;
+SHOW CREATE TABLE t1;
+DROP TABLE t1;
+CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB;
+SHOW CREATE TABLE t1;
+CREATE TABLE t2 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO ENCRYPTION_KEY_ID=1;
 --replace_regex /#sql-[0-9a-f_]*/#sql-temporary/
 --error 1005
 ALTER TABLE t1 ENCRYPTION_KEY_ID=99;
+--replace_regex /#sql-[0-9a-f_]*/#sql-temporary/
+SHOW WARNINGS;
+set innodb_default_encryption_key_id = 1;
+
 
 --disable_warnings
 --disable_query_log

diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc
@@ -11491,6 +11491,7 @@ ha_innobase::check_table_options(
 		}
 	}
 
+	/* If encryption is set up make sure that used key_id is found */
 	if (encrypt == FIL_SPACE_ENCRYPTION_ON ||
             (encrypt == FIL_SPACE_ENCRYPTION_DEFAULT && srv_encrypt_tables)) {
 		if (!encryption_key_id_exists((unsigned int)options->encryption_key_id)) {
@@ -11504,18 +11505,33 @@ ha_innobase::check_table_options(
 		}
 	}
 
-	/* Do not allow creating unencrypted table with nondefault
-	encryption key */
-	if ((encrypt == FIL_SPACE_ENCRYPTION_OFF ||
-	    (encrypt == FIL_SPACE_ENCRYPTION_DEFAULT && !srv_encrypt_tables)) &&
-		options->encryption_key_id != FIL_DEFAULT_ENCRYPTION_KEY) {
+	/* Ignore nondefault key_id if encryption is set off */
+	if (encrypt == FIL_SPACE_ENCRYPTION_OFF &&
+		options->encryption_key_id != THDVAR(thd, default_encryption_key_id)) {
 		push_warning_printf(
 			thd, Sql_condition::WARN_LEVEL_WARN,
 			HA_WRONG_CREATE_OPTION,
-			"InnoDB: Incorrect ENCRYPTION_KEY_ID %u when encryption is disabled",
+			"InnoDB: Ignored ENCRYPTION_KEY_ID %u when encryption is disabled",
 			(uint)options->encryption_key_id
 		);
-		return "ENCRYPTION_KEY_ID";
+		options->encryption_key_id = FIL_DEFAULT_ENCRYPTION_KEY;
+	}
+
+	/* If default encryption is used make sure that used kay is found
+	from key file. */
+	if (encrypt == FIL_SPACE_ENCRYPTION_DEFAULT &&
+		!srv_encrypt_tables &&
+		options->encryption_key_id != FIL_DEFAULT_ENCRYPTION_KEY) {
+		if (!encryption_key_id_exists((unsigned int)options->encryption_key_id)) {
+			push_warning_printf(
+				thd, Sql_condition::WARN_LEVEL_WARN,
+				HA_WRONG_CREATE_OPTION,
+				"InnoDB: ENCRYPTION_KEY_ID %u not available",
+				(uint)options->encryption_key_id
+			);
+			return "ENCRYPTION_KEY_ID";
+
+		}
 	}
 
 	/* Check atomic writes requirements */

diff --git a/storage/xtradb/handler/ha_innodb.cc b/storage/xtradb/handler/ha_innodb.cc
@@ -11973,6 +11973,7 @@ ha_innobase::check_table_options(
 		}
 	}
 
+	/* If encryption is set up make sure that used key_id is found */
 	if (encrypt == FIL_SPACE_ENCRYPTION_ON ||
             (encrypt == FIL_SPACE_ENCRYPTION_DEFAULT && srv_encrypt_tables)) {
 		if (!encryption_key_id_exists((unsigned int)options->encryption_key_id)) {
@@ -11987,18 +11988,33 @@ ha_innobase::check_table_options(
 		}
 	}
 
-	/* Do not allow creating unencrypted table with nondefault
-	encryption key */
-	if ((encrypt == FIL_SPACE_ENCRYPTION_OFF ||
-	    (encrypt == FIL_SPACE_ENCRYPTION_DEFAULT && !srv_encrypt_tables)) &&
-		options->encryption_key_id != FIL_DEFAULT_ENCRYPTION_KEY) {
+	/* Ignore nondefault key_id if encryption is set off */
+	if (encrypt == FIL_SPACE_ENCRYPTION_OFF &&
+		options->encryption_key_id != THDVAR(thd, default_encryption_key_id)) {
 		push_warning_printf(
 			thd, Sql_condition::WARN_LEVEL_WARN,
 			HA_WRONG_CREATE_OPTION,
-			"InnoDB: Incorrect ENCRYPTION_KEY_ID %u when encryption is disabled",
+			"InnoDB: Ignored ENCRYPTION_KEY_ID %u when encryption is disabled",
 			(uint)options->encryption_key_id
 		);
-		return "ENCRYPTION_KEY_ID";
+		options->encryption_key_id = FIL_DEFAULT_ENCRYPTION_KEY;
+	}
+
+	/* If default encryption is used make sure that used kay is found
+	from key file. */
+	if (encrypt == FIL_SPACE_ENCRYPTION_DEFAULT &&
+		!srv_encrypt_tables &&
+		options->encryption_key_id != FIL_DEFAULT_ENCRYPTION_KEY) {
+		if (!encryption_key_id_exists((unsigned int)options->encryption_key_id)) {
+			push_warning_printf(
+				thd, Sql_condition::WARN_LEVEL_WARN,
+				HA_WRONG_CREATE_OPTION,
+				"InnoDB: ENCRYPTION_KEY_ID %u not available",
+				(uint)options->encryption_key_id
+			);
+			return "ENCRYPTION_KEY_ID";
+
+		}
 	}
 
 	/* Check atomic writes requirements */