WL#10957: Binary log encryption at rest (Step 2)

This patch introduces a new option 'binlog_encryption' that allows to
enable and disable the generation of encrypted binary and relay log
files.

It also introduces a new dynamic privilege 'BINLOG_ENCRYPTION_ADMIN'. A
user must have this privilege to change the option in a client session.

When enabling the option for the first time for a server instance, the
server shall generate a new binlog master key that will be used to
encrypt the encrypted binary and relay log files passwords.

@ share/errmsg-utf8.txt

  Introduced the following errors:
  - ER[_SERVER]_RPL_ENCRYPTION_FAILED_TO_ROTATE_LOGS;
  - ER[_SERVER]_RPL_ENCRYPTION_KEY_EXISTS_UNEXPECTED;
  - ER[_SERVER]_RPL_ENCRYPTION_FAILED_TO_GENERATE_KEY;
  - ER[_SERVER]_RPL_ENCRYPTION_FAILED_TO_STORE_KEY;
  - ER[_SERVER]_RPL_ENCRYPTION_FAILED_TO_REMOVE_KEY;
  - ER[_SERVER]_RPL_ENCRYPTION_MASTER_KEY_RECOVERY_FAILED;
  - ER_RPL_ENCRYPTION_UNABLE_TO_CHANGE_OPTION;
  - ER_SERVER_RPL_ENCRYPTION_UNABLE_TO_INITIALIZE;

@ sql/basic_istream.cc

  Did minor refactoring.

@ sql/binlog.cc

  Binlog_ofile can now create new encrypted binary or relay log files
  depending on binlog_encryption option.

  Made read_gtids_and_update_trx_parser_from_relaylog to not ignore
  errors when trying to decrypt relay log files.

@ sql/binlog_istream.cc

  Did minor refactoring.

@ sql/binlog_ostream.{h|cc}

  Introduced the new 'open' and 'get_header_size' functions to
  Binlog_encryption_ostream.

@ sql/binlog_reader.h

  Did minor refactoring.

@ sql/mysqld.cc

  Moved server UUID initialization to an early stage and added a call to
  initialize binlog encryption infrastructure right after it, as it must
  be initialized before generating any new binary or relay log file.

@ sql/rpl_log_encryption.{h|cc}

  Extended Rpl_encryption class to handle enabling and disabling the
  binlog_encryption option, master key generation and recovery.

  Extended Rpl_encryption_header and child to generate encryption
  headers for new files and to serialize them into a down stream.

  Extended and fixed code comments.

@ sql/rpl_rli.{h|cc}

  Add a new parameter to rli_init_info() to make it skip reading from
  any existing relay log files.

@ sql/rpl_slave.{h|cc}

  Add a new parameter to load_mi_and_rli_from_repositories() to make it
  skip reading from any existing relay log files.

  Refactored the generic error message reported by the applier thread
  when facing errors reading events from relay log files to also mention
  possible issues with keyring/encryption.

  Made change_master() to call load_mi_and_rli_from_repositories()
  telling it to skip reading from relay log files when they are expected
  to be purged in a later stage.

@ sql/set_var.h

  Refactored a comment.

@ sql/sys_vars.{h|cc}

  Added a new Sys_var_binlog_encryption to handle binlog_encryption
  option.

@ sql/auth/dynamic_privileges_impl.cc

  Introuduced the new BINLOG_ENCRYPTION_ADMIN dynamic privilege.

Test cases
==========

@ binlog.binlog_encryption_random_access

  Tests random access to an encrypted binary log file.

@ rpl.rpl_encryption

  Test many scenarios of enabling the option and errors a slave can face
  if the keyring is uninstalled while the binlog_encryption option is
  ON.

@ rpl.rpl_encryption_master_key_generation_recovery

  Test possible failures and how the server recover from issues while
  generating a new master key (enabling the option for the first time in
  a given server instance).

Some other test cases had to be re-recorded or fixed because of the new
option or the new dynamic privilege.

Author: Joao Gramacho

mysql-test/include/rpl_get_end_of_relay_log.inc

@@ -64,6 +64,13 @@ EOF
 --let $relay_log_size= `SELECT TRIM(SUBSTR('$size_and_file', 1, 10))`
 --let $relay_log_file= `SELECT TRIM(SUBSTR('$size_and_file', 11))`
 
+# Take into account the encryption header if necessary
+--let $_binlog_encryption=`SELECT @@GLOBAL.binlog_encryption`
+if ($_binlog_encryption)
+{
+  --let $relay_log_size=`SELECT $relay_log_size - 512`
+}
+
 if ($rpl_debug)
 {
   --echo relay_log_file=$relay_log_file relay_log_size=$relay_log_size

mysql-test/include/rpl_get_log_encryption_key_id.inc

@@ -0,0 +1,107 @@
+# ==== Purpose ====
+#
+# Retrieve a given replication log file encryption key id.
+#
+# ==== Usage ====
+#
+# --let $rpl_log_file= <BINARY OR RELAY LOG FILE>
+# [--let $rpl_debug= 0]
+# --source include/rpl_get_log_encryption_key_id.inc
+#
+# Parameters:
+#
+#   $rpl_log_file
+#     The file to be inspected.
+#
+#   $rpl_debug=1
+#     Print extra debugging information.
+#
+# Output variable:
+#
+# $rpl_encryption_key_id will be set with:
+#
+#   - Error: Error fetching the info.
+#
+#   - None: The file is not encrypted.
+#
+#   - MySQLReplicationKey_<UUID>_<SEQNO>: a replication encryption key.
+#
+
+--let $_rgeki_suffix= `SELECT UUID()`
+--let _RPL_RESULT_FILE= $MYSQLTEST_VARDIR/tmp/_rgeki_$_rgeki_suffix
+--let _RPL_LOG_FILE= $rpl_log_file
+--let _RPL_DEBUG= $rpl_debug
+--let $rpl_encryption_key_id=Error
+
+# Write file to make mysql-test-run.pl start up the server again
+# Because mysqltest is such a wonderful language, we use perl instead.
+perl;
+  my $log_file= $ENV{'_RPL_LOG_FILE'};
+  my $result_file= $ENV{'_RPL_RESULT_FILE'};
+  if ($ENV{'_RPL_DEBUG'})
+  {
+    print "# debug: log_file='$log_file'\n";
+  }
+
+  # Open the file in raw mode
+  open LFILE, '<:raw', $log_file or die "Error opening $log_file: $!";
+  open RFILE, "> $result_file" or die "Error opening $result_file: $!";
+
+  # Read binlog magic
+  my $bytes_read = read LFILE, my $magic, 4;
+  die 'Got $bytes_read but expected 4' unless $bytes_read == 4;
+
+  if ($ENV{'_RPL_DEBUG'})
+  {
+    print "# debug: magic='$magic'\n";
+  }
+
+  my $plain_magic = "\xfe\x62\x69\x6e";
+  my $encrypted_magic = "\xfd\x62\x69\x6e";
+
+  if ($magic eq $plain_magic) {
+    # Ordinary binary log
+    if ($ENV{'_RPL_DEBUG'})
+    {
+      print "# debug: ordinary log file\n";
+    }
+    print RFILE "--let \$rpl_encryption_key_id=None\n" or die "Error writing to $result_file: $!";
+  } elsif ($magic eq $encrypted_magic) {
+    # Encrypted binary log
+    if ($ENV{'_RPL_DEBUG'})
+    {
+      print "# debug: encrypted log file\n";
+    }
+    $bytes_read = read LFILE, my $version, 1;
+    die 'Got $bytes_read but expected 1' unless $bytes_read == 1;
+    if ($version cmp "\x01")
+    {
+      die 'Unexpected replication encryption header version';
+    }
+    $bytes_read = read LFILE, my $field_type, 1;
+    die 'Got $bytes_read but expected 1' unless $bytes_read == 1;
+    if ($field_type cmp "\x01")
+    {
+      die 'Unexpected field type';
+    }
+    $bytes_read = read LFILE, my $length, 1;
+    die 'Got $bytes_read but expected 1' unless $bytes_read == 1;
+    $length = ord($length);
+    $bytes_read = read LFILE, my $key_id, $length;
+    die 'Got $bytes_read but expected $length' unless $bytes_read == $length;
+    print RFILE "--let \$rpl_encryption_key_id=$key_id\n" or die "Error writing to $result_file: $!";
+  }
+  else {
+    die 'Not a binary log file.';
+  }
+
+  close LFILE or die "Error closing $log_file: $!";
+  close RFILE or die "Error closing $result_file: $!";
+
+EOF
+
+--source $_RPL_RESULT_FILE
+--remove_file $_RPL_RESULT_FILE
+--let _RPL_LOG_FILE=
+--let _RPL_DEBUG=
+--let _RPL_RESULT_FILE=

mysql-test/include/rpl_start_server.inc

@@ -132,3 +132,8 @@ if (!$rpl_server_error)
   --let $include_filename= rpl_start_server.inc [$_rpl_start_server_info]
   --source include/end_include_file.inc
 }
+
+if ($rpl_server_error)
+{
+  --dec $_include_file_depth
+}

mysql-test/include/show_binary_logs.inc

@@ -1,5 +1,5 @@
 # show binary logs
 
 # mask out the binlog position
--- replace_column 2 #
+-- replace_column 2 # 3 #
 show binary logs;

mysql-test/include/show_master_logs.inc

@@ -1,5 +1,5 @@
 # show master logs
 
-# mask out the binlog position
--- replace_column 2 #
+# mask out the binlog position and the encrypted columns
+-- replace_column 2 # 3 #
 query_vertical show master logs;

mysql-test/r/mysqld--help-notwin.result

@@ -69,6 +69,7 @@ The following options may be given as the first argument:
  --binlog-do-db=name Tells the master it should log updates for the specified
  database, and exclude all others not explicitly
  mentioned.
+ --binlog-encryption Enable/disable binary and relay logs encryption.
  --binlog-error-action=name 
  When statements cannot be written to the binary log due
  to a fatal error, the server can either ignore the error
@@ -1335,6 +1336,7 @@ bind-address *
 binlog-cache-size 32768
 binlog-checksum CRC32
 binlog-direct-non-transactional-updates FALSE
+binlog-encryption FALSE
 binlog-error-action ABORT_SERVER
 binlog-expire-logs-seconds 2592000
 binlog-format ROW

mysql-test/r/mysqld--help-win.result

@@ -69,6 +69,7 @@ The following options may be given as the first argument:
  --binlog-do-db=name Tells the master it should log updates for the specified
  database, and exclude all others not explicitly
  mentioned.
+ --binlog-encryption Enable/disable binary and relay logs encryption.
  --binlog-error-action=name 
  When statements cannot be written to the binary log due
  to a fatal error, the server can either ignore the error
@@ -1343,6 +1344,7 @@ bind-address *
 binlog-cache-size 32768
 binlog-checksum CRC32
 binlog-direct-non-transactional-updates FALSE
+binlog-encryption FALSE
 binlog-error-action ABORT_SERVER
 binlog-expire-logs-seconds 2592000
 binlog-format ROW

mysql-test/suite/binlog/r/binlog_encryption_random_access.result

@@ -0,0 +1,5 @@
+CALL mtr.add_suppression('Unsafe statement written to the binary log using statement format');
+CREATE TABLE t1 (c1 INT PRIMARY KEY, c2 TEXT, pos INT);
+# Inserting 100 random transaction
+# Asserting we can show binlog events from each transaction
+DROP TABLE t1;

mysql-test/suite/binlog/t/binlog_encryption_random_access-master.opt

@@ -0,0 +1,4 @@
+--early-plugin-load="keyring_file=$KEYRING_PLUGIN"
+--keyring_file_data=$MYSQL_TMP_DIR/keyring_data
+--binlog_encryption=ON
+$KEYRING_PLUGIN_OPT

mysql-test/suite/binlog/t/binlog_encryption_random_access.test

@@ -0,0 +1,59 @@
+# ==== Purpose ====
+#
+# This test will generate a random workload in the server and will perform
+# many SHOW BINLOG EVENTS pointing to the positions the transactions start
+# in the encrypted binary log file.
+#
+# The server shall be able to display the requested events properly, by doing
+# random access to the encrypted binary log file.
+#
+# ==== Related Bugs and Worklogs ====
+#
+# WL#10957: Binary log encryption at rest
+#
+
+--source include/have_log_bin.inc
+
+# Suppression of error messages
+CALL mtr.add_suppression('Unsafe statement written to the binary log using statement format');
+--let $binlog_file=query_get_value(SHOW MASTER STATUS, File, 1)
+
+CREATE TABLE t1 (c1 INT PRIMARY KEY, c2 TEXT, pos INT);
+
+--let $max_trx=100
+--echo # Inserting $max_trx random transaction
+--let $trx=$max_trx
+--disable_query_log
+--disable_warnings
+while ($trx)
+{
+  --let $pos=query_get_value(SHOW MASTER STATUS, Position, 1)
+  BEGIN;
+  --eval INSERT INTO t1 (c1, c2, pos) VALUES ($trx, REPEAT('a', RAND() * 8192), $pos)
+  COMMIT;
+  --dec $trx
+}
+--enable_query_log
+--enable_warnings
+
+--let $trx=$max_trx
+--echo # Asserting we can show binlog events from each transaction
+--disable_query_log
+while ($trx)
+{
+  --let $pos=`SELECT pos FROM t1 WHERE c1 = $trx`
+  --let $command=SHOW BINLOG EVENTS IN '$binlog_file' FROM $pos LIMIT 1
+  --let $showed_pos=query_get_value($command, Pos, 1)
+  if ($showed_pos != $pos)
+  {
+    --enable_query_log
+    --echo requested_pos=$pos
+    --eval $command
+    --die requested_pos shall be equal to Pos
+  }
+  --dec $trx
+}
+--enable_query_log
+
+# Cleanup
+DROP TABLE t1;

mysql-test/suite/binlog_nogtid/r/binlog_persist_only_variables.result

@@ -22,12 +22,13 @@ VARIABLE_NAME LIKE '%slave%') AND
 'innodb_master_thread_disabled_debug'))
 ORDER BY VARIABLE_NAME;
 
-include/assert.inc ['Expect 81 variables in the table.']
+include/assert.inc ['Expect 82 variables in the table.']
 
 # Test SET PERSIST_ONLY
 SET PERSIST_ONLY binlog_cache_size = @@GLOBAL.binlog_cache_size;
 SET PERSIST_ONLY binlog_checksum = @@GLOBAL.binlog_checksum;
 SET PERSIST_ONLY binlog_direct_non_transactional_updates = @@GLOBAL.binlog_direct_non_transactional_updates;
+SET PERSIST_ONLY binlog_encryption = @@GLOBAL.binlog_encryption;
 SET PERSIST_ONLY binlog_error_action = @@GLOBAL.binlog_error_action;
 SET PERSIST_ONLY binlog_expire_logs_seconds = @@GLOBAL.binlog_expire_logs_seconds;
 SET PERSIST_ONLY binlog_format = @@GLOBAL.binlog_format;
@@ -121,23 +122,24 @@ SET PERSIST_ONLY sync_master_info = @@GLOBAL.sync_master_info;
 SET PERSIST_ONLY sync_relay_log = @@GLOBAL.sync_relay_log;
 SET PERSIST_ONLY sync_relay_log_info = @@GLOBAL.sync_relay_log_info;
 
-include/assert.inc ['Expect 70 persisted variables in persisted_variables table.']
+include/assert.inc ['Expect 71 persisted variables in persisted_variables table.']
 
 ############################################################
 # 2. Restart server, it must preserve the persisted variable
 #    settings. Verify persisted configuration.
 # restart
 
-include/assert.inc ['Expect 70 persisted variables in persisted_variables table.']
-include/assert.inc ['Expect 70 persisted variables shown as PERSISTED in variables_info table.']
-include/assert.inc ['Expect 70 persisted variables with matching peristed and global values.']
+include/assert.inc ['Expect 71 persisted variables in persisted_variables table.']
+include/assert.inc ['Expect 71 persisted variables shown as PERSISTED in variables_info table.']
+include/assert.inc ['Expect 70 persisted variables with matching persisted and global values.']
 
 ############################################################
 # 3. Test RESET PERSIST. Verify persisted variable settings
 #    are removed.
 RESET PERSIST binlog_cache_size;
 RESET PERSIST binlog_checksum;
 RESET PERSIST binlog_direct_non_transactional_updates;
+RESET PERSIST binlog_encryption;
 RESET PERSIST binlog_error_action;
 RESET PERSIST binlog_expire_logs_seconds;
 RESET PERSIST binlog_format;

mysql-test/suite/binlog_nogtid/r/binlog_persist_variables.result

@@ -22,12 +22,13 @@ VARIABLE_NAME LIKE '%slave%') AND
 'innodb_master_thread_disabled_debug'))
 ORDER BY VARIABLE_NAME;
 
-include/assert.inc ['Expect 81 variables in the table.']
+include/assert.inc ['Expect 82 variables in the table.']
 
 # Test SET PERSIST
 SET PERSIST binlog_cache_size = @@GLOBAL.binlog_cache_size;
 SET PERSIST binlog_checksum = @@GLOBAL.binlog_checksum;
 SET PERSIST binlog_direct_non_transactional_updates = @@GLOBAL.binlog_direct_non_transactional_updates;
+SET PERSIST binlog_encryption = @@GLOBAL.binlog_encryption;
 SET PERSIST binlog_error_action = @@GLOBAL.binlog_error_action;
 SET PERSIST binlog_expire_logs_seconds = @@GLOBAL.binlog_expire_logs_seconds;
 SET PERSIST binlog_format = @@GLOBAL.binlog_format;
@@ -127,23 +128,24 @@ SET PERSIST sync_master_info = @@GLOBAL.sync_master_info;
 SET PERSIST sync_relay_log = @@GLOBAL.sync_relay_log;
 SET PERSIST sync_relay_log_info = @@GLOBAL.sync_relay_log_info;
 
-include/assert.inc ['Expect 64 persisted variables in persisted_variables table.']
+include/assert.inc ['Expect 65 persisted variables in persisted_variables table.']
 
 ############################################################
 # 2. Restart server, it must preserve the persisted variable
 #    settings. Verify persisted configuration.
 # restart
 
-include/assert.inc ['Expect 64 persisted variables in persisted_variables table.']
-include/assert.inc ['Expect 64 persisted variables shown as PERSISTED in variables_info table.']
-include/assert.inc ['Expect 64 persisted variables with matching peristed and global values.']
+include/assert.inc ['Expect 65 persisted variables in persisted_variables table.']
+include/assert.inc ['Expect 65 persisted variables shown as PERSISTED in variables_info table.']
+include/assert.inc ['Expect 65 persisted variables with matching persisted and global values.']
 
 ############################################################
 # 3. Test RESET PERSIST IF EXISTS. Verify persisted variable
 #    settings are removed.
 RESET PERSIST IF EXISTS binlog_cache_size;
 RESET PERSIST IF EXISTS binlog_checksum;
 RESET PERSIST IF EXISTS binlog_direct_non_transactional_updates;
+RESET PERSIST IF EXISTS binlog_encryption;
 RESET PERSIST IF EXISTS binlog_error_action;
 RESET PERSIST IF EXISTS binlog_expire_logs_seconds;
 RESET PERSIST IF EXISTS binlog_format;

mysql-test/suite/binlog_nogtid/t/binlog_persist_only_variables.test

@@ -57,8 +57,8 @@ INSERT INTO rplvars (varname, varvalue)
 # If this count differs, it means a variable has been added or removed.
 # In that case, this testcase needs to be updated accordingly.
 --echo
---let $assert_text= 'Expect 81 variables in the table.'
---let $assert_cond= [SELECT COUNT(*) as count FROM rplvars, count, 1] = 81
+--let $assert_text= 'Expect 82 variables in the table.'
+--let $assert_cond= [SELECT COUNT(*) as count FROM rplvars, count, 1] = 82
 --source include/assert.inc
 
 --echo
@@ -88,8 +88,8 @@ while ( $varid <= $countvars )
 }
 
 --echo
---let $assert_text= 'Expect 70 persisted variables in persisted_variables table.'
---let $assert_cond= [SELECT COUNT(*) as count FROM performance_schema.persisted_variables, count, 1] = 70
+--let $assert_text= 'Expect 71 persisted variables in persisted_variables table.'
+--let $assert_cond= [SELECT COUNT(*) as count FROM performance_schema.persisted_variables, count, 1] = 71
 --source include/assert.inc
 
 
@@ -101,15 +101,18 @@ while ( $varid <= $countvars )
 --source include/wait_until_connected_again.inc
 
 --echo
---let $assert_text= 'Expect 70 persisted variables in persisted_variables table.'
---let $assert_cond= [SELECT COUNT(*) as count FROM performance_schema.persisted_variables, count, 1] = 70
+--let $assert_text= 'Expect 71 persisted variables in persisted_variables table.'
+--let $assert_cond= [SELECT COUNT(*) as count FROM performance_schema.persisted_variables, count, 1] = 71
 --source include/assert.inc
 
---let $assert_text= 'Expect 70 persisted variables shown as PERSISTED in variables_info table.'
---let $assert_cond= [SELECT COUNT(*) as count FROM performance_schema.variables_info WHERE variable_source="PERSISTED", count, 1] = 70
+--let $assert_text= 'Expect 71 persisted variables shown as PERSISTED in variables_info table.'
+--let $assert_cond= [SELECT COUNT(*) as count FROM performance_schema.variables_info WHERE variable_source="PERSISTED", count, 1] = 71
 --source include/assert.inc
 
---let $assert_text= 'Expect 70 persisted variables with matching peristed and global values.'
+# WL#10957 added binlog_encryption and as it is persisted as read only and
+# appended to command line parameter, its value is not converted from 0 to OFF.
+# The values at persisted_variables and global_variables tables differ: 0 != OFF.
+--let $assert_text= 'Expect 70 persisted variables with matching persisted and global values.'
 --let $assert_cond= [SELECT COUNT(*) as count FROM performance_schema.variables_info vi JOIN performance_schema.persisted_variables pv JOIN performance_schema.global_variables gv ON vi.variable_name=pv.variable_name AND vi.variable_name=gv.variable_name AND pv.variable_value=gv.variable_value WHERE vi.variable_source="PERSISTED", count, 1] = 70
 --source include/assert.inc