-
Notifications
You must be signed in to change notification settings - Fork 4k
/
Copy pathrpl_log_encryption.h
826 lines (698 loc) · 26.3 KB
/
rpl_log_encryption.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
/* Copyright (c) 2018, 2025, Oracle and/or its affiliates.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License, version 2.0,
as published by the Free Software Foundation.
This program is designed to work with certain software (including
but not limited to OpenSSL) that is licensed under separate terms,
as designated in a particular file or component or in included license
documentation. The authors of MySQL hereby grant you an additional
permission to link the program and your derivative works with the
separately licensed software that they have either included with
the program or referenced in the documentation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License, version 2.0, for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
#ifndef RPL_LOG_ENCRYPTION_INCLUDED
#define RPL_LOG_ENCRYPTION_INCLUDED
#include <openssl/evp.h>
#include <stdint.h>
#include <map>
#include <string>
#include "my_inttypes.h"
#include "mysys/stream_cipher.h"
class Basic_istream;
class Basic_ostream;
class THD;
/**
@file rpl_log_encryption.h
@brief This file includes the major components for encrypting/decrypting
binary log files.
* Replication logs
Here, replication logs includes both the binary and relay log files.
* File Level Encryption
- All standard binary log file data (including BINLOG_MAGIC) in replication
logs are encrypted.
- A replication log file is either encrypted or not (standard binary log
file). It is not possible that part of a log file is encrypted and part
of it is non-encrypted.
- There is an encryption header in the begin of each encrypted replication
log file.
<pre>
+--------------------+
| Encryption Header |
+--------------------+
| Encrypted Data |
+--------------------+
</pre>
The encrypted replication file header includes necessary information to
decrypt the encrypted data of the file (the standard binary log file
data). For detail, check Rpl_encryption_header class.
* Two Tier Keys
Replication logs are encrypted with two tier keys. A 'File Password' for
encrypting the standard binary log file data and a 'Replication Encryption
Key' for encrypting the 'File Password'.
- File password
Each replication log file has a password. A file key used to encrypt the
file is generated from the file password. The encrypted 'File Password'
is stored into encryption header of the file. For details, check
Rpl_encryption_header class.
- Replication encryption key
A replication encryption key is used to encrypt/decrypt the file
password stored in an encrypted replication file header. It is generated
by keyring and stored in/retrieved from keyring.
*/
#ifdef MYSQL_SERVER
/**
The Rpl_encryption class is the container for the binlog encryption feature
generic and server instance functions.
*/
class Rpl_encryption {
public:
struct Rpl_encryption_key {
std::string m_id;
Key_string m_value;
};
Rpl_encryption() = default;
Rpl_encryption(const Rpl_encryption &) = delete;
Rpl_encryption(Rpl_encryption &&) = delete;
Rpl_encryption &operator=(const Rpl_encryption &) = delete;
Rpl_encryption &operator=(Rpl_encryption &&) = delete;
enum class Keyring_status {
SUCCESS = 0,
KEYRING_ERROR_FETCHING = 1,
KEY_NOT_FOUND = 2,
UNEXPECTED_KEY_SIZE = 3,
UNEXPECTED_KEY_TYPE = 4,
KEY_EXISTS_UNEXPECTED = 5,
KEYRING_ERROR_GENERATING = 6,
KEYRING_ERROR_STORING = 7,
KEYRING_ERROR_REMOVING = 8,
};
/**
A wrapper function to throw a binlog encryption keyring error.
The wrapper will decide if the error will be reported to the client session
or to the server error log according to current_thd.
@param error The Keyring_status to be reported.
*/
static void report_keyring_error(Keyring_status error);
/**
A wrapper function to throw a replication logs encryption keyring error,
reporting also the key ID.
The wrapper will decide if the error will be reported to the client session
or to the server error log according to current_thd.
@param error The Keyring_status to be reported.
@param key_id The key ID to appear in the error message.
*/
static void report_keyring_error(Keyring_status error, const char *key_id);
/**
Replication encryption master key rotation process is recoverable. The
steps defined in the enum class below are the steps from which the rotation
process may continue after an unexpected interruption.
*/
enum class Key_rotation_step {
START,
DETERMINE_NEXT_SEQNO,
GENERATE_NEW_MASTER_KEY,
REMOVE_MASTER_KEY_INDEX,
STORE_MASTER_KEY_INDEX,
ROTATE_LOGS,
PURGE_UNUSED_ENCRYPTION_KEYS,
REMOVE_KEY_ROTATION_TAG
};
/**
Initialize the rpl_encryption instance. This initialization shall be called
after generating/loading the server UUID and before opening new binary and
relay log files for writing.
When the replication_logs_encrypt option is on at server startup, the
initialization process will try to recover master key and may generate
a new replication master key if needed.
@retval false Success.
@retval true Error.
*/
bool initialize();
/**
Remove remaining old/new master key index in order to cleanup any previous
master key rotation.
@retval false Success.
@retval true Error.
*/
bool remove_remaining_seqnos_from_keyring();
/**
Recover the replication encryption master key from keyring.
The recovery of the master key process starts by trying to read the
replication master key information from keyring (the master key sequence
number, and the master key itself).
Then, if detected that a key rotation did not completed properly, tries to
continue the master key rotation.
When recovery is successful, the m_master_key_recovered flag is set true.
@retval false Success.
@retval true Error.
*/
bool recover_master_key();
/**
Return the current replication encryption master key.
@return The current replication encryption master key.
*/
const Rpl_encryption_key get_master_key();
/**
Get the key with given key ID. The key to be returned will be retrieved
from the keyring or from a cached copy in memory.
@param[in] key_id ID of the key to be returned.
@param[in] key_type Expected type of the key to be returned.
@return A pair containing the status of the operation (Keyring_status) and
a Key_string. Errors shall be checked by consulting the status.
*/
static std::pair<Keyring_status, Key_string> get_key(
const std::string &key_id, const std::string &key_type);
/**
Get the key with given key ID. The key to be returned will be retrieved
from the keyring or from a cached copy in memory.
@param[in] key_id ID of the key to be returned.
@param[in] key_type Expected type of the key to be returned.
@param[in] key_size Expected size of the key to be returned.
@return A pair containing the status of the operation (Keyring_status) and
a Key_string. Errors shall be checked by consulting the status.
*/
static std::pair<Keyring_status, Key_string> get_key(
const std::string &key_id, const std::string &key_type, size_t key_size);
/**
Enable binlog encryption option. It will generate a new global key if
there is no master key yet. Then rotate replication logs to make encryption
effective immediately.
Replication logs rotation errors don't fail, but they will throw a warning.
@param[in] thd the thd object of the session.
@retval false Success.
@retval true Error. If error happens when generating new key, it will fail.
*/
bool enable(THD *thd);
/**
Disable binlog encryption option. It rotates replication logs to make
encryption ineffective immediately.
Replication logs rotation errors don't fail, but they will throw a warning.
@param[in] thd the thd object of the session.
*/
void disable(THD *thd);
/**
Return is the replication logs encryption feature is enabled.
@retval false The feature is disabled.
@retval true The feature is enabled.
*/
bool is_enabled();
const bool &get_enabled_var();
const bool &get_master_key_rotation_at_startup_var();
/**
Purge unused master keys from Keyring.
@retval false Success.
@retval true Error.
*/
bool purge_unused_keys();
/**
Rotate the master key.
@param step Step to start the process (it might be recovering).
@param new_master_key_seqno When recovering, this is the new master key
sequence number detected by recovery process.
@retval false Success.
@retval true Error.
*/
bool rotate_master_key(Key_rotation_step step = Key_rotation_step::START,
uint32_t new_master_key_seqno = 0);
private:
/* Define the keyring key type for keys storing sequence numbers */
static const char *SEQNO_KEY_TYPE;
/* Define the keyring key length for keys storing sequence numbers */
static const int SEQNO_KEY_LENGTH = 16;
/*
Sys_binlog_encryption uses m_enabled as the storage of global var
binlog_encryption.
*/
bool m_enabled = false;
/*
Sys_binlog_rotate_encryption_master_key_at_startup uses
m_rotate_at_startup as the storage of global var
binlog_rotate_encryption_master_key_at_startup.
*/
bool m_rotate_at_startup = false;
#ifndef NDEBUG
/*
This variable is only used to assert that enable(), disable() and
get_master_key() functions are called only after initialize() was called.
*/
bool m_initialized = false;
#endif
/*
The replication logs encryption only needs to recover the current
replication master key if the binlog_encryption option is enabled.
This flag will be set true after a successful replication master key
recovery.
*/
bool m_master_key_recovered = false;
/* The sequence number of the replication master key. */
uint32_t m_master_key_seqno = 0;
/* The current replication master key */
Rpl_encryption_key m_master_key;
/*
Flag to avoid double logs rotation when enabling the option and
recovering from master key rotation.
*/
bool m_skip_logs_rotation = false;
/**
Fetch a key from keyring. When error happens, it either reports an error to
user or write an error to log accordingly.
@param[in] key_id ID of the key to be returned.
@param[in] key_type Expected type of the key to be returned.
@return A tuple containing the status of the operation (Keyring_status), a
pointer to the fetched key (nullptr if the key was not fetched) and
the returned key size. Errors shall be checked by consulting the
status.
*/
static std::tuple<Keyring_status, void *, size_t> fetch_key_from_keyring(
const std::string &key_id, const std::string &key_type);
/**
Rotate replication logs excluding relay logs of group replication channels.
If error happens, it will either report a warning to session user.
@param[in] thd The thd object of current session.
*/
void rotate_logs(THD *thd);
/**
Get a sequence number from the keyring. The sequence number to be returned
will be extracted from the key retrieved from the keyring. No caching shall
be used for this function.
@param[in] key_id ID of the key to extract the sequence number from.
@return A pair containing the status of the operation (Keyring_status) and
a sequence number. Errors shall be checked by consulting the status.
*/
std::pair<Rpl_encryption::Keyring_status, uint32_t> get_seqno_from_keyring(
std::string key_id);
/**
Set a sequence number into a key and store it into keyring.
@param[in] key_id ID of the key to set the sequence number.
@param[in] seqno The sequence number to be set.
@retval false Success.
@retval true Error.
*/
bool set_seqno_on_keyring(std::string key_id, uint32_t seqno);
/**
Remove a key from the keyring.
@param[in] key_id ID of the key to be removed from keyring.
@retval false Success.
@retval true Error.
*/
bool remove_key_from_keyring(std::string key_id);
/**
Returns the key ID of the keyring key that stores the master key sequence
number.
@return The key ID.
*/
std::string get_master_key_seqno_key_id();
/**
Get the master key sequence number from keyring.
@return A pair containing the status of the operation (Keyring_status) and
a sequence number. Errors shall be checked by consulting the status.
*/
std::pair<Rpl_encryption::Keyring_status, uint32_t>
get_master_key_seqno_from_keyring();
/**
Set the master key sequence number into a key and store it into keyring.
@retval false Success.
@retval true Error.
*/
bool set_master_key_seqno_on_keyring(uint32 seqno);
/**
Remove the master key sequence number key from the keyring.
@retval false Success.
@retval true Error.
*/
bool remove_master_key_seqno_from_keyring();
/**
Returns the key ID of the keyring key that stores the "new" master key
sequence number.
@return The key ID.
*/
std::string get_new_master_key_seqno_key_id();
/**
Returns the key ID of the keyring key that stores the "last_purged"
master key sequence number.
@return The key ID.
*/
std::string get_last_purged_master_key_seqno_key_id();
/**
Returns the key ID of the keyring key that stores the "old" master key
sequence number.
@return The key ID.
*/
std::string get_old_master_key_seqno_key_id();
/**
Get the "new" master key sequence number from keyring.
@return A pair containing the status of the operation (Keyring_status) and
a sequence number. Errors shall be checked by consulting the status.
*/
std::pair<Rpl_encryption::Keyring_status, uint32_t>
get_new_master_key_seqno_from_keyring();
/**
Get the "old" master key sequence number from keyring.
@return A pair containing the status of the operation (Keyring_status) and
a sequence number. Errors shall be checked by consulting the status.
*/
std::pair<Rpl_encryption::Keyring_status, uint32_t>
get_old_master_key_seqno_from_keyring();
/**
Get the "last_purged" master key sequence number from keyring.
@return A pair containing the status of the operation (Keyring_status) and
a sequence number. Errors shall be checked by consulting the status.
*/
std::pair<Rpl_encryption::Keyring_status, uint32_t>
get_last_purged_master_key_seqno_from_keyring();
/**
Set the "new" master key sequence number into a key and store it into
keyring.
@retval false Success.
@retval true Error.
*/
bool set_new_master_key_seqno_on_keyring(uint32 seqno);
/**
Set the "last_purged" master key sequence number into a key and store it
into keyring.
@retval false Success.
@retval true Error.
*/
bool set_last_purged_master_key_seqno_on_keyring(uint32 seqno);
/**
Set the "old" master key sequence number into a key and store it into
keyring.
@retval false Success.
@retval true Error.
*/
bool set_old_master_key_seqno_on_keyring(uint32 seqno);
/**
Remove the "new" master key sequence number key from the keyring.
@retval false Success.
@retval true Error.
*/
bool remove_new_master_key_seqno_from_keyring();
/**
Remove the "last_purged" master key sequence number key from the keyring.
@retval false Success.
@retval true Error.
*/
bool remove_last_purged_master_key_seqno_from_keyring();
/**
Remove the "old" master key sequence number key from the keyring.
@retval false Success.
@retval true Error.
*/
bool remove_old_master_key_seqno_from_keyring();
/**
Generate a new replication master key on keyring and retrieve it.
@param[in] seqno The sequence number of the master key.
@retval false Success.
@retval true Error.
*/
bool generate_master_key_on_keyring(uint32 seqno);
};
extern Rpl_encryption rpl_encryption;
#endif // MYSQL_SERVER
/**
@class Rpl_encryption_header
This is the base class to serialize and deserialize a replication log file
encryption header.
The new encrypted binary log file format is composed of two parts:
<pre>
+---------------------+
| Encryption Header |
+---------------------+
| Encrypted Data |
+---------------------+
</pre>
The encryption header exists only in the begin of encrypted replication log
files.
<pre>
+------------------------+----------------------------------------------+
| MAGIC HEADER (4 bytes) | Replication logs encryption version (1 byte) |
+------------------------+----------------------------------------------+
| Version specific encryption header data |
+-----------------------------------------------------------------------+
Encryption Header Format
</pre>
<table>
<caption>Encryption Header Format</caption>
<tr>
<th>Name</th>
<th>Format</th>
<th>Description</th>
</tr>
<tr>
<td>Magic Header</td>
<td>4 Bytes</td>
<td>
The content is always 0xFD62696E. It is similar to Binlog Magic Header.
Binlog magic header is: 0xFE62696e.
</td>
<tr>
<td>Replication logs encryption version</td>
<td>1 Byte</td>
<td>
The replication logs encryption version defines how the header shall be
deserialized and how the Encrypted Data shall be decrypted.
</td>
</tr>
<tr>
<td>Version specific encryption data header</td>
<td>Depends on the version field</td>
<td>
Data required to fetch a replication key from keyring and deserialize
the Encrypted Data.
</td>
</tr>
</table>
*/
class Rpl_encryption_header {
public:
/* Same as BINLOG_MAGIC_SIZE */
static const int ENCRYPTION_MAGIC_SIZE = 4;
/* The magic for an encrypted replication log file */
static const char *ENCRYPTION_MAGIC;
virtual ~Rpl_encryption_header();
/**
Deserialize the replication encrypted log file header from the given stream.
This function shall be called right after reading the magic from the stream.
It will read the version of the encrypted log file header, instantiate a
proper Rpl_encryption_header based on version and delegate the rest of the
header deserialization to the new instance.
@param istream The stream containing the header to deserialize.
@return A Rpl_encryption_header on success or nullptr on failure.
*/
static std::unique_ptr<Rpl_encryption_header> get_header(
Basic_istream *istream);
/**
Generate a new replication encryption header based on the default
replication encrypted log file header version.
@return A Rpl_encryption_header of default version.
*/
static std::unique_ptr<Rpl_encryption_header> get_new_default_header();
/**
Serialize the header into an output stream.
@param ostream The output stream to serialize the header.
@retval false Success.
@retval true Error.
*/
virtual bool serialize(Basic_ostream *ostream) = 0;
/**
Deserialize encryption header from a stream.
@param[in] istream The input stream for deserializing the encryption
header.
@retval false Success.
@retval true Error.
*/
virtual bool deserialize(Basic_istream *istream) = 0;
/**
Get the header version.
@return The header version.
*/
virtual char get_version() const = 0;
/**
Return the header size to be taken into account when serializing an
deserializing encrypted file headers from replication log files.
@return The size of the header for the header version.
*/
virtual int get_header_size() = 0;
/**
Decrypt the file password.
*/
virtual Key_string decrypt_file_password() = 0;
/**
Factory to generate ciphers to encrypt streams based on current header.
@return A Stream_cipher for this header version or nullptr on failure.
*/
virtual std::unique_ptr<Stream_cipher> get_encryptor() = 0;
/**
Factory to generate ciphers to decrypt streams based on current header.
@return A Stream_cipher for this header version or nullptr on failure.
*/
virtual std::unique_ptr<Stream_cipher> get_decryptor() = 0;
/**
Setup the header with current master key and generates a new random file
password. This function shall be called when creating new replication
log files.
@return The new file password, or an empty password if error happens.
*/
virtual Key_string generate_new_file_password() = 0;
#ifdef MYSQL_SERVER
/**
Encrypt a file password using current replication encryption master key.
@param[in] password_str The plain file password.
@retval false Success.
@retval true Error.
*/
virtual bool encrypt_file_password(Key_string password_str) = 0;
#endif
/**
Build a key id prefix using default header version.
@return A key ID prefix.
*/
static std::string key_id_prefix();
/**
Build a key id using the given sequence number using default header version.
@param[in] seqno The sequence number used to build key id.
@return A key ID with a sequence number.
*/
static std::string seqno_to_key_id(uint32_t seqno);
/**
Build a key id using the given suffix using default header version.
@param[in] suffix The suffix used to build key id.
@return A key ID with a suffix.
*/
static std::string key_id_with_suffix(const char *suffix);
/**
Return the default header version encryption key type.
@return The encrypted key type.
*/
static const char *get_key_type();
protected:
/* Offset of the version field in the header */
static const int VERSION_OFFSET = ENCRYPTION_MAGIC_SIZE;
/* Size of the version field in the header */
static const int VERSION_SIZE = 1;
/* Offset of the optional header fields in the header */
static const int OPTIONAL_FIELD_OFFSET = VERSION_OFFSET + VERSION_SIZE;
private:
/* The default header version for new headers */
static const char m_default_version = 1;
};
/**
@class Rpl_encryption_header_v1
<pre>
+------------------------+----------------------------------------------+
| MAGIC HEADER (4 bytes) | Replication logs encryption version (1 byte) |
+------------------------+----------------------------------------------+
| Replication Encryption Key ID (60 to 69 bytes) |
+-----------------------------------------------------------------------+
| Encrypted File Password (33 bytes) |
+-----------------------------------------------------------------------+
| IV For Encrypting File Password (17 bytes) |
+-----------------------------------------------------------------------+
| Padding (388 to 397 bytes) |
+-----------------------------------------------------------------------+
Encrypted binary log file header format version 1
</pre>
<table>
<caption>Encrypted binary log file header format version 1</caption>
<tr>
<th>Name</th>
<th>Format</th>
<th>Description</th>
</tr>
<tr>
<td>Replication Encryption Key ID</td>
<td>
Variable length field that uses Type, Length, Value (TLV) format. Type
takes 1 byte. Length takes 1 byte. Values takes Length bytes.
</td>
<td>
ID of the key that shall be retrieved from keyring to be used to decrypt
the file password field.
</td>
</tr>
<tr>
<td>Encrypted File Password</td>
<td>
Fixed length field that uses Type, Value format. Type takes 1 byte.
Value takes 32 bytes.</td>
<td>It is the encrypted file password.</td>
</tr>
<tr>
<td>IV for Encrypting File Password</td>
<td>
Fixed length field that uses Type, Value format. Type takes 1 byte.
Value takes 16 bytes.</td>
<td>
The iv, together with the key, is used to encrypt/decrypt the
file password.
</td>
</tr>
<tr>
<td>Padding</td>
<td>Variable length, all bytes are 0.</td>
<td>
Encryption header has 512 bytes. Above fields don't take all bytes. All
unused bytes are filled with 0 as padding.
</td>
</tr>
</table>
*/
class Rpl_encryption_header_v1 : public Rpl_encryption_header {
public:
static const char *KEY_TYPE;
static const int KEY_LENGTH = 32;
static const int HEADER_SIZE = 512;
static const int IV_FIELD_SIZE = 16;
static const int PASSWORD_FIELD_SIZE = 32;
Rpl_encryption_header_v1() = default;
~Rpl_encryption_header_v1() override;
bool serialize(Basic_ostream *ostream) override;
bool deserialize(Basic_istream *istream) override;
char get_version() const override;
int get_header_size() override;
Key_string decrypt_file_password() override;
std::unique_ptr<Stream_cipher> get_encryptor() override;
std::unique_ptr<Stream_cipher> get_decryptor() override;
Key_string generate_new_file_password() override;
#ifdef MYSQL_SERVER
bool encrypt_file_password(Key_string password_str) override;
#endif
/**
Build a key id prefix.
*/
static std::string key_id_prefix();
/**
Build a key id using the given sequence number.
@param[in] seqno The sequence number used to build key id.
*/
static std::string seqno_to_key_id(uint32_t seqno);
/**
Build a key id using the given suffix.
@param[in] suffix The suffix used to build key id.
*/
static std::string key_id_with_suffix(const char *suffix);
private:
/* The prefix for key IDs */
static const char *KEY_ID_PREFIX;
/* Expected field types */
enum Field_type {
KEY_ID = 1,
ENCRYPTED_FILE_PASSWORD = 2,
IV_FOR_FILE_PASSWORD = 3
};
/* This header implementation version */
char m_version = 1;
/* The key ID of the keyring key that encrypted the password */
std::string m_key_id;
/* The encrypted file password */
Key_string m_encrypted_password;
/* The IV used to encrypt/decrypt the file password */
Key_string m_iv;
};
#endif // RPL_LOG_ENCRYPTION_INCLUDED