MariaDB
diff --git a/‎include/mysql/plugin_audit.h.pp‎
Lines changed: 6 additions & 4 deletions b/‎include/mysql/plugin_audit.h.pp‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎include/mysql/plugin_auth.h.pp‎
Lines changed: 6 additions & 4 deletions b/‎include/mysql/plugin_auth.h.pp‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎include/mysql/plugin_encryption.h‎
Lines changed: 6 additions & 6 deletions b/‎include/mysql/plugin_encryption.h‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎include/mysql/plugin_encryption.h.pp‎
Lines changed: 9 additions & 7 deletions b/‎include/mysql/plugin_encryption.h.pp‎
Lines changed: 9 additions & 7 deletions
diff --git a/‎include/mysql/plugin_ftparser.h.pp‎
Lines changed: 6 additions & 4 deletions b/‎include/mysql/plugin_ftparser.h.pp‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎include/mysql/plugin_password_validation.h.pp‎
Lines changed: 6 additions & 4 deletions b/‎include/mysql/plugin_password_validation.h.pp‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎include/mysql/service_encryption.h‎
Lines changed: 19 additions & 15 deletions b/‎include/mysql/service_encryption.h‎
Lines changed: 19 additions & 15 deletions
diff --git a/‎plugin/debug_key_management/debug_key_management_plugin.cc‎
Lines changed: 11 additions & 2 deletions b/‎plugin/debug_key_management/debug_key_management_plugin.cc‎
Lines changed: 11 additions & 2 deletions
diff --git a/‎plugin/example_key_management/example_key_management_plugin.cc‎
Lines changed: 8 additions & 5 deletions b/‎plugin/example_key_management/example_key_management_plugin.cc‎
Lines changed: 8 additions & 5 deletions
diff --git a/‎plugin/file_key_management/file_key_management_plugin.cc‎
Lines changed: 8 additions & 10 deletions b/‎plugin/file_key_management/file_key_management_plugin.cc‎
Lines changed: 8 additions & 10 deletions
@@ -202,11 +202,13 @@
  unsigned char* dst, unsigned int* dlen,
  const unsigned char* key, unsigned int klen,
  const unsigned char* iv, unsigned int ivlen,
- int no_padding, unsigned int key_version);
+ int no_padding, unsigned int key_id,
+ unsigned int key_version);
 struct encryption_service_st {
- unsigned int (*encryption_key_get_latest_version_func)();
- unsigned int (*encryption_key_exists_func)(unsigned int);
- unsigned int (*encryption_key_get_func)(unsigned int, unsigned char*, unsigned int*);
+ unsigned int (*encryption_key_get_latest_version_func)(unsigned int);
+ unsigned int (*encryption_key_id_exists_func)(unsigned int);
+ unsigned int (*encryption_key_version_exists_func)(unsigned int, unsigned int);
+ unsigned int (*encryption_key_get_func)(unsigned int, unsigned int, unsigned char*, unsigned int*);
  encrypt_decrypt_func encryption_encrypt_func;
  encrypt_decrypt_func encryption_decrypt_func;
 };
 
@@ -202,11 +202,13 @@
  unsigned char* dst, unsigned int* dlen,
  const unsigned char* key, unsigned int klen,
  const unsigned char* iv, unsigned int ivlen,
- int no_padding, unsigned int key_version);
+ int no_padding, unsigned int key_id,
+ unsigned int key_version);
 struct encryption_service_st {
- unsigned int (*encryption_key_get_latest_version_func)();
- unsigned int (*encryption_key_exists_func)(unsigned int);
- unsigned int (*encryption_key_get_func)(unsigned int, unsigned char*, unsigned int*);
+ unsigned int (*encryption_key_get_latest_version_func)(unsigned int);
+ unsigned int (*encryption_key_id_exists_func)(unsigned int);
+ unsigned int (*encryption_key_version_exists_func)(unsigned int, unsigned int);
+ unsigned int (*encryption_key_get_func)(unsigned int, unsigned int, unsigned char*, unsigned int*);
  encrypt_decrypt_func encryption_encrypt_func;
  encrypt_decrypt_func encryption_decrypt_func;
 };
 
@@ -37,11 +37,11 @@ struct st_mariadb_encryption
  int interface_version; /**< version plugin uses */
 
  /**
- function returning latest key version.
+ function returning latest key version for a given key id
 
- @return a version or BAD_ENCRYPTION_KEY_VERSION to indicate an error.
+ @return a version or ENCRYPTION_KEY_VERSION_INVALID to indicate an error.
  */
- unsigned int (*get_latest_key_version)();
+ unsigned int (*get_latest_key_version)(unsigned int key_id);
 
  /**
  function returning a key for a key version
@@ -60,11 +60,11 @@ struct st_mariadb_encryption
  the key data or leave it untouched).
 
  @return 0 on success, or
- BAD_ENCRYPTION_KEY_VERSION, KEY_BUFFER_TOO_SMALL,
+ ENCRYPTION_KEY_VERSION_INVALID, ENCRYPTION_KEY_BUFFER_TOO_SMALL
  or any other non-zero number for errors
  */
- unsigned int (*get_key)(unsigned int version, unsigned char *key,
- unsigned int *key_length);
+ unsigned int (*get_key)(unsigned int key_id, unsigned int version,
+ unsigned char *key, unsigned int *key_length);
 
  encrypt_decrypt_func encrypt;
  encrypt_decrypt_func decrypt;
 
@@ -202,11 +202,13 @@
  unsigned char* dst, unsigned int* dlen,
  const unsigned char* key, unsigned int klen,
  const unsigned char* iv, unsigned int ivlen,
- int no_padding, unsigned int key_version);
+ int no_padding, unsigned int key_id,
+ unsigned int key_version);
 struct encryption_service_st {
- unsigned int (*encryption_key_get_latest_version_func)();
- unsigned int (*encryption_key_exists_func)(unsigned int);
- unsigned int (*encryption_key_get_func)(unsigned int, unsigned char*, unsigned int*);
+ unsigned int (*encryption_key_get_latest_version_func)(unsigned int);
+ unsigned int (*encryption_key_id_exists_func)(unsigned int);
+ unsigned int (*encryption_key_version_exists_func)(unsigned int, unsigned int);
+ unsigned int (*encryption_key_get_func)(unsigned int, unsigned int, unsigned char*, unsigned int*);
  encrypt_decrypt_func encryption_encrypt_func;
  encrypt_decrypt_func encryption_decrypt_func;
 };
@@ -370,9 +372,9 @@
 struct st_mariadb_encryption
 {
  int interface_version;
- unsigned int (*get_latest_key_version)();
- unsigned int (*get_key)(unsigned int version, unsigned char *key,
- unsigned int *key_length);
+ unsigned int (*get_latest_key_version)(unsigned int key_id);
+ unsigned int (*get_key)(unsigned int key_id, unsigned int version,
+ unsigned char *key, unsigned int *key_length);
  encrypt_decrypt_func encrypt;
  encrypt_decrypt_func decrypt;
 };
@@ -202,11 +202,13 @@
  unsigned char* dst, unsigned int* dlen,
  const unsigned char* key, unsigned int klen,
  const unsigned char* iv, unsigned int ivlen,
- int no_padding, unsigned int key_version);
+ int no_padding, unsigned int key_id,
+ unsigned int key_version);
 struct encryption_service_st {
- unsigned int (*encryption_key_get_latest_version_func)();
- unsigned int (*encryption_key_exists_func)(unsigned int);
- unsigned int (*encryption_key_get_func)(unsigned int, unsigned char*, unsigned int*);
+ unsigned int (*encryption_key_get_latest_version_func)(unsigned int);
+ unsigned int (*encryption_key_id_exists_func)(unsigned int);
+ unsigned int (*encryption_key_version_exists_func)(unsigned int, unsigned int);
+ unsigned int (*encryption_key_get_func)(unsigned int, unsigned int, unsigned char*, unsigned int*);
  encrypt_decrypt_func encryption_encrypt_func;
  encrypt_decrypt_func encryption_decrypt_func;
 };
 
@@ -202,11 +202,13 @@
  unsigned char* dst, unsigned int* dlen,
  const unsigned char* key, unsigned int klen,
  const unsigned char* iv, unsigned int ivlen,
- int no_padding, unsigned int key_version);
+ int no_padding, unsigned int key_id,
+ unsigned int key_version);
 struct encryption_service_st {
- unsigned int (*encryption_key_get_latest_version_func)();
- unsigned int (*encryption_key_exists_func)(unsigned int);
- unsigned int (*encryption_key_get_func)(unsigned int, unsigned char*, unsigned int*);
+ unsigned int (*encryption_key_get_latest_version_func)(unsigned int);
+ unsigned int (*encryption_key_id_exists_func)(unsigned int);
+ unsigned int (*encryption_key_version_exists_func)(unsigned int, unsigned int);
+ unsigned int (*encryption_key_get_func)(unsigned int, unsigned int, unsigned char*, unsigned int*);
  encrypt_decrypt_func encryption_encrypt_func;
  encrypt_decrypt_func encryption_decrypt_func;
 };
 
@@ -30,7 +30,7 @@ extern "C" {
 
 /* returned from encryption_key_get_latest_version() */
 #define ENCRYPTION_KEY_VERSION_INVALID (~(unsigned int)0)
-#define ENCRYPTION_KEY_VERSION_NOT_ENCRYPTED (0)
+#define ENCRYPTION_KEY_NOT_ENCRYPTED  (0)
 
 /* returned from encryption_key_get() */
 #define ENCRYPTION_KEY_BUFFER_TOO_SMALL (100)
@@ -39,12 +39,14 @@ typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
  unsigned char* dst, unsigned int* dlen,
  const unsigned char* key, unsigned int klen,
  const unsigned char* iv, unsigned int ivlen,
- int no_padding, unsigned int key_version);
+ int no_padding, unsigned int key_id,
+ unsigned int key_version);
 
 struct encryption_service_st {
- unsigned int (*encryption_key_get_latest_version_func)();
- unsigned int (*encryption_key_exists_func)(unsigned int);
- unsigned int (*encryption_key_get_func)(unsigned int, unsigned char*, unsigned int*);
+ unsigned int (*encryption_key_get_latest_version_func)(unsigned int);
+ unsigned int (*encryption_key_id_exists_func)(unsigned int);
+ unsigned int (*encryption_key_version_exists_func)(unsigned int, unsigned int);
+ unsigned int (*encryption_key_get_func)(unsigned int, unsigned int, unsigned char*, unsigned int*);
  encrypt_decrypt_func encryption_encrypt_func;
  encrypt_decrypt_func encryption_decrypt_func;
 };
@@ -53,20 +55,22 @@ struct encryption_service_st {
 
 extern struct encryption_service_st *encryption_service;
 
-#define encryption_key_get_latest_version() encryption_service->encryption_key_get_latest_version_func()
-#define encryption_key_exists(V) encryption_service->encryption_key_exists_func(V)
-#define encryption_key_get(V,K,S) encryption_service->encryption_key_get_func((V), (K), (S))
-#define encryption_encrypt(S,SL,D,DL,K,KL,I,IL,NP,KV) encryption_service->encryption_encrypt_func(S,SL,D,DL,K,KL,I,IL,NP,KV)
-#define encryption_decrypt(S,SL,D,DL,K,KL,I,IL,NP,KV) encryption_service->encryption_decrypt_func(S,SL,D,DL,K,KL,I,IL,NP,KV)
+#define encryption_key_get_latest_version(KI) encryption_service->encryption_key_get_latest_version_func(KI)
+#define encryption_key_id_exists(KI) encryption_service->encryption_key_id_exists_func((KI))
+#define encryption_key_version_exists(KI,KV) encryption_service->encryption_key_version_exists_func((KI),(KV))
+#define encryption_key_get(KI,KV,K,S) encryption_service->encryption_key_get_func((KI),(KV),(K),(S))
+#define encryption_encrypt(S,SL,D,DL,K,KL,I,IL,NP,KI,KV) encryption_service->encryption_encrypt_func((S),(SL),(D),(DL),(K),(KL),(I),(IL),(NP),(KI),(KV))
+#define encryption_decrypt(S,SL,D,DL,K,KL,I,IL,NP,KI,KV) encryption_service->encryption_decrypt_func((S),(SL),(D),(DL),(K),(KL),(I),(IL),(NP),(KI),(KV))
 #else
 
 extern struct encryption_service_st encryption_handler;
 
-#define encryption_key_get_latest_version() encryption_handler.encryption_key_get_latest_version_func()
-#define encryption_key_exists(V) encryption_handler.encryption_key_exists_func(V)
-#define encryption_key_get(V,K,S) encryption_handler.encryption_key_get_func((V), (K), (S))
-#define encryption_encrypt(S,SL,D,DL,K,KL,I,IL,NP,KV) encryption_handler.encryption_encrypt_func(S,SL,D,DL,K,KL,I,IL,NP,KV)
-#define encryption_decrypt(S,SL,D,DL,K,KL,I,IL,NP,KV) encryption_handler.encryption_decrypt_func(S,SL,D,DL,K,KL,I,IL,NP,KV)
+#define encryption_key_get_latest_version(KI) encryption_handler.encryption_key_get_latest_version_func(KI)
+#define encryption_key_id_exists(KI) encryption_handler.encryption_key_id_exists_func((KI))
+#define encryption_key_version_exists(KI,KV) encryption_handler.encryption_key_version_exists_func((KI),(KV))
+#define encryption_key_get(KI,KV,K,S) encryption_handler.encryption_key_get_func((KI),(KV),(K),(S))
+#define encryption_encrypt(S,SL,D,DL,K,KL,I,IL,NP,KI,KV) encryption_handler.encryption_encrypt_func((S),(SL),(D),(DL),(K),(KL),(I),(IL),(NP),(KI),(KV))
+#define encryption_decrypt(S,SL,D,DL,K,KL,I,IL,NP,KI,KV) encryption_handler.encryption_decrypt_func((S),(SL),(D),(DL),(K),(KL),(I),(IL),(NP),(KI),(KV))
 #endif
 
 #ifdef __cplusplus
 
@@ -19,6 +19,8 @@
  It's used to debug the encryption code with a fixed keys that change
  only on user request.
 
+ It does not support different key ids, the only valid key id is 1.
+
  THIS IS AN EXAMPLE ONLY! ENCRYPTION KEYS ARE HARD-CODED AND *NOT* SECRET!
  DO NOT USE THIS PLUGIN IN PRODUCTION! EVER!
 */
@@ -40,13 +42,20 @@ static struct st_mysql_sys_var* sysvars[] = {
  NULL
 };
 
-static unsigned int get_latest_key_version()
+static unsigned int get_latest_key_version(unsigned int keyid)
 {
+ if (keyid != 1)
+ return ENCRYPTION_KEY_VERSION_INVALID;
+
  return key_version;
 }
 
-static unsigned int get_key(unsigned int version, unsigned char* dstbuf, unsigned *buflen)
+static unsigned int get_key(unsigned int keyid, unsigned int version,
+ unsigned char* dstbuf, unsigned *buflen)
 {
+ if (keyid != 1)
+ return ENCRYPTION_KEY_VERSION_INVALID;
+
  if (*buflen < KEY_SIZE)
  {
  *buflen= KEY_SIZE;
 
@@ -21,6 +21,8 @@
  different pages in the same tablespace encrypted with different keys
  and what the background re-encryption thread does.
 
+ It does not support different key ids, for all ids the key will be the same.
+
  THIS IS AN EXAMPLE ONLY! ENCRYPTION KEYS ARE HARD-CODED AND *NOT* SECRET!
  DO NOT USE THIS PLUGIN IN PRODUCTION! EVER!
 */
@@ -41,7 +43,7 @@ static unsigned int next_key_version = 0;
 static pthread_mutex_t mutex;
 
 static unsigned int
-get_latest_key_version()
+get_latest_key_version(unsigned int key_id)
 {
  uint now = time(0);
  pthread_mutex_lock(&mutex);
@@ -57,7 +59,8 @@ get_latest_key_version()
 }
 
 static unsigned int
-get_key(unsigned int version, unsigned char* dstbuf, unsigned *buflen)
+get_key(unsigned int key_id, unsigned int version,
+ unsigned char* dstbuf, unsigned *buflen)
 {
  if (*buflen < MY_MD5_HASH_SIZE)
  {
@@ -81,7 +84,7 @@ int encrypt(const unsigned char* src, unsigned int slen,
  unsigned char* dst, unsigned int* dlen,
  const unsigned char* key, unsigned int klen,
  const unsigned char* iv, unsigned int ivlen,
- int no_padding, unsigned int key_version)
+ int no_padding, unsigned int keyid, unsigned int key_version)
 {
  return ((key_version & 1) ? my_aes_encrypt_cbc : my_aes_encrypt_ecb)
  (src, slen, dst, dlen, key, klen, iv, ivlen, no_padding);
@@ -91,7 +94,7 @@ int decrypt(const unsigned char* src, unsigned int slen,
  unsigned char* dst, unsigned int* dlen,
  const unsigned char* key, unsigned int klen,
  const unsigned char* iv, unsigned int ivlen,
- int no_padding, unsigned int key_version)
+ int no_padding, unsigned int keyid, unsigned int key_version)
 {
  return ((key_version & 1) ? my_aes_decrypt_cbc : my_aes_decrypt_ecb)
  (src, slen, dst, dlen, key, klen, iv, ivlen, no_padding);
@@ -101,7 +104,7 @@ static int example_key_management_plugin_init(void *p)
 {
  /* init */
  my_rnd_init(&seed, time(0), 0);
- get_latest_key_version();
+ get_latest_key_version(1);
  pthread_mutex_init(&mutex, NULL);
 
  return 0;
 
@@ -78,20 +78,18 @@ static keyentry *get_key(unsigned int key_id)
  return a->id == key_id ? a : 0;
 }
 
-/**
- This method is using with the id 0 if exists. 
- This method is used by innobase/xtradb for the key
- rotation feature of encrypting log files.
-*/
-
-static unsigned int get_highest_key_used_in_key_file()
+/* the version is always the same, no automatic key rotation */
+static unsigned int get_latest_version(uint key_id)
 {
- return 0;
+ return  get_key(key_id) ? 1 : ENCRYPTION_KEY_VERSION_INVALID;
 }
 
 static unsigned int get_key_from_key_file(unsigned int key_id,
-   unsigned char* dstbuf, unsigned *buflen)
+ unsigned int key_version, unsigned char* dstbuf, unsigned *buflen)
 {
+ if (key_version != 1)
+ return ENCRYPTION_KEY_VERSION_INVALID;
+
  keyentry* entry = get_key(key_id);
 
  if (entry == NULL)
@@ -112,7 +110,7 @@ static unsigned int get_key_from_key_file(unsigned int key_id,
 
 struct st_mariadb_encryption file_key_management_plugin= {
  MariaDB_ENCRYPTION_INTERFACE_VERSION,
- get_highest_key_used_in_key_file,
+ get_latest_version,
  get_key_from_key_file,
  0,0
 };