Add encryption key id to the API as a distinct concept

which is separate from the encryption key version
MariaDB · Apr 9, 2015 · 97d5de4 · 97d5de4
1 parent 5dffda3
commit 97d5de4
Show file tree

Hide file tree

Showing 27 changed files with 196 additions and 143 deletions.
diff --git a/include/mysql/plugin_audit.h.pp b/include/mysql/plugin_audit.h.pp
@@ -202,11 +202,13 @@
                                     unsigned char* dst, unsigned int* dlen,
                                     const unsigned char* key, unsigned int klen,
                                     const unsigned char* iv, unsigned int ivlen,
-                                    int no_padding, unsigned int key_version);
+                                    int no_padding, unsigned int key_id,
+                                    unsigned int key_version);
 struct encryption_service_st {
-  unsigned int (*encryption_key_get_latest_version_func)();
-  unsigned int (*encryption_key_exists_func)(unsigned int);
-  unsigned int (*encryption_key_get_func)(unsigned int, unsigned char*, unsigned int*);
+  unsigned int (*encryption_key_get_latest_version_func)(unsigned int);
+  unsigned int (*encryption_key_id_exists_func)(unsigned int);
+  unsigned int (*encryption_key_version_exists_func)(unsigned int, unsigned int);
+  unsigned int (*encryption_key_get_func)(unsigned int, unsigned int, unsigned char*, unsigned int*);
   encrypt_decrypt_func encryption_encrypt_func;
   encrypt_decrypt_func encryption_decrypt_func;
 };

diff --git a/include/mysql/plugin_auth.h.pp b/include/mysql/plugin_auth.h.pp
@@ -202,11 +202,13 @@
                                     unsigned char* dst, unsigned int* dlen,
                                     const unsigned char* key, unsigned int klen,
                                     const unsigned char* iv, unsigned int ivlen,
-                                    int no_padding, unsigned int key_version);
+                                    int no_padding, unsigned int key_id,
+                                    unsigned int key_version);
 struct encryption_service_st {
-  unsigned int (*encryption_key_get_latest_version_func)();
-  unsigned int (*encryption_key_exists_func)(unsigned int);
-  unsigned int (*encryption_key_get_func)(unsigned int, unsigned char*, unsigned int*);
+  unsigned int (*encryption_key_get_latest_version_func)(unsigned int);
+  unsigned int (*encryption_key_id_exists_func)(unsigned int);
+  unsigned int (*encryption_key_version_exists_func)(unsigned int, unsigned int);
+  unsigned int (*encryption_key_get_func)(unsigned int, unsigned int, unsigned char*, unsigned int*);
   encrypt_decrypt_func encryption_encrypt_func;
   encrypt_decrypt_func encryption_decrypt_func;
 };

diff --git a/include/mysql/plugin_encryption.h b/include/mysql/plugin_encryption.h
@@ -37,11 +37,11 @@ struct st_mariadb_encryption
   int interface_version;                        /**< version plugin uses */
 
   /**
-    function returning latest key version.
+    function returning latest key version for a given key id
 
-    @return a version or BAD_ENCRYPTION_KEY_VERSION to indicate an error.
+    @return a version or ENCRYPTION_KEY_VERSION_INVALID to indicate an error.
   */
-  unsigned int (*get_latest_key_version)();
+  unsigned int (*get_latest_key_version)(unsigned int key_id);
 
   /**
     function returning a key for a key version
@@ -60,11 +60,11 @@ struct st_mariadb_encryption
     the key data or leave it untouched).
 
     @return 0 on success, or
-            BAD_ENCRYPTION_KEY_VERSION, KEY_BUFFER_TOO_SMALL,
+            ENCRYPTION_KEY_VERSION_INVALID, ENCRYPTION_KEY_BUFFER_TOO_SMALL
             or any other non-zero number for errors
   */
-  unsigned int (*get_key)(unsigned int version, unsigned char *key,
-                          unsigned int *key_length);
+  unsigned int (*get_key)(unsigned int key_id, unsigned int version,
+                          unsigned char *key, unsigned int *key_length);
 
   encrypt_decrypt_func encrypt;
   encrypt_decrypt_func decrypt;

diff --git a/include/mysql/plugin_encryption.h.pp b/include/mysql/plugin_encryption.h.pp
@@ -202,11 +202,13 @@
                                     unsigned char* dst, unsigned int* dlen,
                                     const unsigned char* key, unsigned int klen,
                                     const unsigned char* iv, unsigned int ivlen,
-                                    int no_padding, unsigned int key_version);
+                                    int no_padding, unsigned int key_id,
+                                    unsigned int key_version);
 struct encryption_service_st {
-  unsigned int (*encryption_key_get_latest_version_func)();
-  unsigned int (*encryption_key_exists_func)(unsigned int);
-  unsigned int (*encryption_key_get_func)(unsigned int, unsigned char*, unsigned int*);
+  unsigned int (*encryption_key_get_latest_version_func)(unsigned int);
+  unsigned int (*encryption_key_id_exists_func)(unsigned int);
+  unsigned int (*encryption_key_version_exists_func)(unsigned int, unsigned int);
+  unsigned int (*encryption_key_get_func)(unsigned int, unsigned int, unsigned char*, unsigned int*);
   encrypt_decrypt_func encryption_encrypt_func;
   encrypt_decrypt_func encryption_decrypt_func;
 };
@@ -370,9 +372,9 @@
 struct st_mariadb_encryption
 {
   int interface_version;
-  unsigned int (*get_latest_key_version)();
-  unsigned int (*get_key)(unsigned int version, unsigned char *key,
-                          unsigned int *key_length);
+  unsigned int (*get_latest_key_version)(unsigned int key_id);
+  unsigned int (*get_key)(unsigned int key_id, unsigned int version,
+                          unsigned char *key, unsigned int *key_length);
   encrypt_decrypt_func encrypt;
   encrypt_decrypt_func decrypt;
 };
diff --git a/include/mysql/plugin_ftparser.h.pp b/include/mysql/plugin_ftparser.h.pp
@@ -202,11 +202,13 @@
                                     unsigned char* dst, unsigned int* dlen,
                                     const unsigned char* key, unsigned int klen,
                                     const unsigned char* iv, unsigned int ivlen,
-                                    int no_padding, unsigned int key_version);
+                                    int no_padding, unsigned int key_id,
+                                    unsigned int key_version);
 struct encryption_service_st {
-  unsigned int (*encryption_key_get_latest_version_func)();
-  unsigned int (*encryption_key_exists_func)(unsigned int);
-  unsigned int (*encryption_key_get_func)(unsigned int, unsigned char*, unsigned int*);
+  unsigned int (*encryption_key_get_latest_version_func)(unsigned int);
+  unsigned int (*encryption_key_id_exists_func)(unsigned int);
+  unsigned int (*encryption_key_version_exists_func)(unsigned int, unsigned int);
+  unsigned int (*encryption_key_get_func)(unsigned int, unsigned int, unsigned char*, unsigned int*);
   encrypt_decrypt_func encryption_encrypt_func;
   encrypt_decrypt_func encryption_decrypt_func;
 };

diff --git a/include/mysql/plugin_password_validation.h.pp b/include/mysql/plugin_password_validation.h.pp
@@ -202,11 +202,13 @@
                                     unsigned char* dst, unsigned int* dlen,
                                     const unsigned char* key, unsigned int klen,
                                     const unsigned char* iv, unsigned int ivlen,
-                                    int no_padding, unsigned int key_version);
+                                    int no_padding, unsigned int key_id,
+                                    unsigned int key_version);
 struct encryption_service_st {
-  unsigned int (*encryption_key_get_latest_version_func)();
-  unsigned int (*encryption_key_exists_func)(unsigned int);
-  unsigned int (*encryption_key_get_func)(unsigned int, unsigned char*, unsigned int*);
+  unsigned int (*encryption_key_get_latest_version_func)(unsigned int);
+  unsigned int (*encryption_key_id_exists_func)(unsigned int);
+  unsigned int (*encryption_key_version_exists_func)(unsigned int, unsigned int);
+  unsigned int (*encryption_key_get_func)(unsigned int, unsigned int, unsigned char*, unsigned int*);
   encrypt_decrypt_func encryption_encrypt_func;
   encrypt_decrypt_func encryption_decrypt_func;
 };

diff --git a/include/mysql/service_encryption.h b/include/mysql/service_encryption.h
@@ -30,7 +30,7 @@ extern "C" {
 
 /* returned from encryption_key_get_latest_version() */
 #define ENCRYPTION_KEY_VERSION_INVALID        (~(unsigned int)0)
-#define ENCRYPTION_KEY_VERSION_NOT_ENCRYPTED  (0)
+#define ENCRYPTION_KEY_NOT_ENCRYPTED          (0)
 
 /* returned from encryption_key_get()  */
 #define ENCRYPTION_KEY_BUFFER_TOO_SMALL    (100)
@@ -39,12 +39,14 @@ typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
                                     unsigned char* dst, unsigned int* dlen,
                                     const unsigned char* key, unsigned int klen,
                                     const unsigned char* iv, unsigned int ivlen,
-                                    int no_padding, unsigned int key_version);
+                                    int no_padding, unsigned int key_id,
+                                    unsigned int key_version);
 
 struct encryption_service_st {
-  unsigned int (*encryption_key_get_latest_version_func)();
-  unsigned int (*encryption_key_exists_func)(unsigned int);
-  unsigned int (*encryption_key_get_func)(unsigned int, unsigned char*, unsigned int*);
+  unsigned int (*encryption_key_get_latest_version_func)(unsigned int);
+  unsigned int (*encryption_key_id_exists_func)(unsigned int);
+  unsigned int (*encryption_key_version_exists_func)(unsigned int, unsigned int);
+  unsigned int (*encryption_key_get_func)(unsigned int, unsigned int, unsigned char*, unsigned int*);
   encrypt_decrypt_func encryption_encrypt_func;
   encrypt_decrypt_func encryption_decrypt_func;
 };
@@ -53,20 +55,22 @@ struct encryption_service_st {
 
 extern struct encryption_service_st *encryption_service;
 
-#define encryption_key_get_latest_version() encryption_service->encryption_key_get_latest_version_func()
-#define encryption_key_exists(V) encryption_service->encryption_key_exists_func(V)
-#define encryption_key_get(V,K,S) encryption_service->encryption_key_get_func((V), (K), (S))
-#define encryption_encrypt(S,SL,D,DL,K,KL,I,IL,NP,KV) encryption_service->encryption_encrypt_func(S,SL,D,DL,K,KL,I,IL,NP,KV)
-#define encryption_decrypt(S,SL,D,DL,K,KL,I,IL,NP,KV) encryption_service->encryption_decrypt_func(S,SL,D,DL,K,KL,I,IL,NP,KV)
+#define encryption_key_get_latest_version(KI) encryption_service->encryption_key_get_latest_version_func(KI)
+#define encryption_key_id_exists(KI) encryption_service->encryption_key_id_exists_func((KI))
+#define encryption_key_version_exists(KI,KV) encryption_service->encryption_key_version_exists_func((KI),(KV))
+#define encryption_key_get(KI,KV,K,S) encryption_service->encryption_key_get_func((KI),(KV),(K),(S))
+#define encryption_encrypt(S,SL,D,DL,K,KL,I,IL,NP,KI,KV) encryption_service->encryption_encrypt_func((S),(SL),(D),(DL),(K),(KL),(I),(IL),(NP),(KI),(KV))
+#define encryption_decrypt(S,SL,D,DL,K,KL,I,IL,NP,KI,KV) encryption_service->encryption_decrypt_func((S),(SL),(D),(DL),(K),(KL),(I),(IL),(NP),(KI),(KV))
 #else
 
 extern struct encryption_service_st encryption_handler;
 
-#define encryption_key_get_latest_version() encryption_handler.encryption_key_get_latest_version_func()
-#define encryption_key_exists(V) encryption_handler.encryption_key_exists_func(V)
-#define encryption_key_get(V,K,S) encryption_handler.encryption_key_get_func((V), (K), (S))
-#define encryption_encrypt(S,SL,D,DL,K,KL,I,IL,NP,KV) encryption_handler.encryption_encrypt_func(S,SL,D,DL,K,KL,I,IL,NP,KV)
-#define encryption_decrypt(S,SL,D,DL,K,KL,I,IL,NP,KV) encryption_handler.encryption_decrypt_func(S,SL,D,DL,K,KL,I,IL,NP,KV)
+#define encryption_key_get_latest_version(KI) encryption_handler.encryption_key_get_latest_version_func(KI)
+#define encryption_key_id_exists(KI) encryption_handler.encryption_key_id_exists_func((KI))
+#define encryption_key_version_exists(KI,KV) encryption_handler.encryption_key_version_exists_func((KI),(KV))
+#define encryption_key_get(KI,KV,K,S) encryption_handler.encryption_key_get_func((KI),(KV),(K),(S))
+#define encryption_encrypt(S,SL,D,DL,K,KL,I,IL,NP,KI,KV) encryption_handler.encryption_encrypt_func((S),(SL),(D),(DL),(K),(KL),(I),(IL),(NP),(KI),(KV))
+#define encryption_decrypt(S,SL,D,DL,K,KL,I,IL,NP,KI,KV) encryption_handler.encryption_decrypt_func((S),(SL),(D),(DL),(K),(KL),(I),(IL),(NP),(KI),(KV))
 #endif
 
 #ifdef __cplusplus

diff --git a/plugin/debug_key_management/debug_key_management_plugin.cc b/plugin/debug_key_management/debug_key_management_plugin.cc
@@ -19,6 +19,8 @@
   It's used to debug the encryption code with a fixed keys that change
   only on user request.
 
+  It does not support different key ids, the only valid key id is 1.
+
   THIS IS AN EXAMPLE ONLY! ENCRYPTION KEYS ARE HARD-CODED AND *NOT* SECRET!
   DO NOT USE THIS PLUGIN IN PRODUCTION! EVER!
 */
@@ -40,13 +42,20 @@ static struct st_mysql_sys_var* sysvars[] = {
   NULL
 };
 
-static unsigned int get_latest_key_version()
+static unsigned int get_latest_key_version(unsigned int keyid)
 {
+  if (keyid != 1)
+    return ENCRYPTION_KEY_VERSION_INVALID;
+
   return key_version;
 }
 
-static unsigned int get_key(unsigned int version, unsigned char* dstbuf, unsigned *buflen)
+static unsigned int get_key(unsigned int keyid, unsigned int version,
+                            unsigned char* dstbuf, unsigned *buflen)
 {
+  if (keyid != 1)
+    return ENCRYPTION_KEY_VERSION_INVALID;
+
   if (*buflen < KEY_SIZE)
   {
     *buflen= KEY_SIZE;

diff --git a/plugin/example_key_management/example_key_management_plugin.cc b/plugin/example_key_management/example_key_management_plugin.cc
@@ -21,6 +21,8 @@
   different pages in the same tablespace encrypted with different keys
   and what the background re-encryption thread does.
 
+  It does not support different key ids, for all ids the key will be the same.
+
   THIS IS AN EXAMPLE ONLY! ENCRYPTION KEYS ARE HARD-CODED AND *NOT* SECRET!
   DO NOT USE THIS PLUGIN IN PRODUCTION! EVER!
 */
@@ -41,7 +43,7 @@ static unsigned int next_key_version = 0;
 static pthread_mutex_t mutex;
 
 static unsigned int
-get_latest_key_version()
+get_latest_key_version(unsigned int key_id)
 {
   uint now = time(0);
   pthread_mutex_lock(&mutex);
@@ -57,7 +59,8 @@ get_latest_key_version()
 }
 
 static unsigned int
-get_key(unsigned int version, unsigned char* dstbuf, unsigned *buflen)
+get_key(unsigned int key_id, unsigned int version,
+        unsigned char* dstbuf, unsigned *buflen)
 {
   if (*buflen < MY_MD5_HASH_SIZE)
   {
@@ -81,7 +84,7 @@ int encrypt(const unsigned char* src, unsigned int slen,
             unsigned char* dst, unsigned int* dlen,
             const unsigned char* key, unsigned int klen,
             const unsigned char* iv, unsigned int ivlen,
-            int no_padding, unsigned int key_version)
+            int no_padding, unsigned int keyid, unsigned int key_version)
 {
   return ((key_version & 1) ? my_aes_encrypt_cbc : my_aes_encrypt_ecb)
     (src, slen, dst, dlen, key, klen, iv, ivlen, no_padding);
@@ -91,7 +94,7 @@ int decrypt(const unsigned char* src, unsigned int slen,
             unsigned char* dst, unsigned int* dlen,
             const unsigned char* key, unsigned int klen,
             const unsigned char* iv, unsigned int ivlen,
-            int no_padding, unsigned int key_version)
+            int no_padding, unsigned int keyid, unsigned int key_version)
 {
   return ((key_version & 1) ? my_aes_decrypt_cbc : my_aes_decrypt_ecb)
     (src, slen, dst, dlen, key, klen, iv, ivlen, no_padding);
@@ -101,7 +104,7 @@ static int example_key_management_plugin_init(void *p)
 {
   /* init */
   my_rnd_init(&seed, time(0), 0);
-  get_latest_key_version();
+  get_latest_key_version(1);
   pthread_mutex_init(&mutex, NULL);
 
   return 0;

diff --git a/plugin/file_key_management/file_key_management_plugin.cc b/plugin/file_key_management/file_key_management_plugin.cc
@@ -78,20 +78,18 @@ static keyentry *get_key(unsigned int key_id)
   return a->id == key_id ? a : 0;
 }
 
-/**
-   This method is using with the id 0 if exists. 
-   This method is used by innobase/xtradb for the key
-   rotation feature of encrypting log files.
-*/
-
-static unsigned int get_highest_key_used_in_key_file()
+/* the version is always the same, no automatic key rotation */
+static unsigned int get_latest_version(uint key_id)
 {
-  return 0;
+  return  get_key(key_id) ? 1 : ENCRYPTION_KEY_VERSION_INVALID;
 }
 
 static unsigned int get_key_from_key_file(unsigned int key_id,
-                          unsigned char* dstbuf, unsigned *buflen)
+       unsigned int key_version, unsigned char* dstbuf, unsigned *buflen)
 {
+  if (key_version != 1)
+    return ENCRYPTION_KEY_VERSION_INVALID;
+
   keyentry* entry = get_key(key_id);
 
   if (entry == NULL)
@@ -112,7 +110,7 @@ static unsigned int get_key_from_key_file(unsigned int key_id,
 
 struct st_mariadb_encryption file_key_management_plugin= {
   MariaDB_ENCRYPTION_INTERFACE_VERSION,
-  get_highest_key_used_in_key_file,
+  get_latest_version,
   get_key_from_key_file,
   0,0
 };

diff --git a/sql/encryption.cc b/sql/encryption.cc
@@ -23,13 +23,18 @@
 static plugin_ref encryption_manager= 0;
 struct encryption_service_st encryption_handler;
 
-unsigned int has_key(uint version)
+unsigned int has_key_id(uint id)
+{
+  return encryption_key_get_latest_version(id) != ENCRYPTION_KEY_VERSION_INVALID;
+}
+
+unsigned int has_key_version(uint id, uint version)
 {
   uint unused;
-  return encryption_key_get(version, NULL, &unused) != ENCRYPTION_KEY_VERSION_INVALID;
+  return encryption_key_get(id, version, NULL, &unused) != ENCRYPTION_KEY_VERSION_INVALID;
 }
 
-uint no_key()
+uint no_key(uint)
 {
   return ENCRYPTION_KEY_VERSION_INVALID;
 }
@@ -38,7 +43,7 @@ static int no_crypt(const uchar* source, uint source_length,
                     uchar* dest, uint* dest_length,
                     const uchar* key, uint key_length,
                     const uchar* iv, uint iv_length,
-                    int no_padding, uint key_version)
+                    int no_padding, uint key_id, uint key_version)
 {
   return 1;
 }
@@ -81,9 +86,10 @@ int finalize_encryption_plugin(st_plugin_int *plugin)
 {
   encryption_handler.encryption_encrypt_func= no_crypt;
   encryption_handler.encryption_decrypt_func= no_crypt;
-  encryption_handler.encryption_key_exists_func= has_key;
+  encryption_handler.encryption_key_id_exists_func= has_key_id;
+  encryption_handler.encryption_key_version_exists_func= has_key_version;
   encryption_handler.encryption_key_get_func=
-      (uint (*)(uint, uchar*, uint*))no_key;
+      (uint (*)(uint, uint, uchar*, uint*))no_key;
   encryption_handler.encryption_key_get_latest_version_func= no_key;
 
   if (plugin && plugin->plugin->deinit && plugin->plugin->deinit(NULL))