Push for testing of encryption

Author: montywi

include/maria.h

@@ -268,6 +268,8 @@ extern my_bool maria_delay_key_write;
 extern my_off_t maria_max_temp_length;
 extern ulong maria_bulk_insert_tree_size, maria_data_pointer_size;
 extern MY_TMPDIR *maria_tmpdir;
+extern my_bool maria_encrypt_tables;
+
 /*
  This is used to check if a symlink points into the mysql data home,
  which is normally forbidden as it can be used to get access to

include/my_aes.h

@@ -1,6 +1,3 @@
-#ifndef MY_AES_INCLUDED
-#define MY_AES_INCLUDED
-
 /* Copyright (c) 2002, 2006 MySQL AB, 2009 Sun Microsystems, Inc.
  Use is subject to license terms.
 
@@ -21,47 +18,192 @@
 /* Header file for my_aes.c */
 /* Wrapper to give simple interface for MySQL to AES standard encryption */
 
+#ifndef MY_AES_INCLUDED
+#define MY_AES_INCLUDED
+
+/* We expect same result code from encryption functions as in my_aes.h */
+typedef int Crypt_result;
+
+#define AES_OK 0
+#define AES_BAD_DATA -1
+#define AES_BAD_IV -2
+#define AES_INVALID -3
+#define AES_OPENSSL_ERROR -4
+#define AES_BAD_KEYSIZE -5
+#define AES_KEY_CREATION_FAILED -10
+
+#define CRYPT_KEY_OK 0
+#define CRYPT_BUFFER_TO_SMALL -11;
+#define CRYPT_KEY_UNKNOWN -48;
+
+/* The max block sizes of all supported algorithms */
+#define MY_AES_BLOCK_SIZE 16
+
+/* The max key length of all supported algorithms */
+#define MY_AES_MAX_KEY_LENGTH 32
+
+
 #include "rijndael.h"
 
 C_MODE_START
 
 #define AES_KEY_LENGTH 128/* Must be 128 192 or 256 */
 
-/*
- my_aes_encrypt	- Crypt buffer with AES encryption algorithm.
- source	- Pointer to data for encryption
- source_length	- size of encryption data
- dest	- buffer to place encrypted data (must be large enough)
- key	- Key to be used for encryption
- kel_length	- Length of the key. Will handle keys of any length
+/**
+ Crypt buffer with AES dynamic (defined at startup) encryption algorithm.
+
+ SYNOPSIS
+ my_aes_encrypt_dynamic()
+ @param source [in] Pointer to data for encryption
+ @param source_length [in] Size of encryption data
+ @param dest [out] Buffer to place encrypted data (must be large enough)
+ @param dest_length [out] Pointer to size of encrypted data
+ @param key [in] Key to be used for encryption
+ @param key_length [in] Length of the key. 16, 24 or 32
+ @param iv [in] Iv to be used for encryption
+ @param iv_length [in] Length of the iv. should be 16.
+ @param noPadding [in] if set, algorithm specific padding behaviour is used
+
+ Method used defined by calling my_aes_init_dynamic_encrypt() at startup.
+
+ @return
+ != 0 error
+ 0 no error
+*/
+
+typedef int (*my_aes_encrypt_dynamic_type)(const uchar* source, uint32 source_length,
+ uchar* dest, uint32* dest_length,
+ const uchar* key, uint8 key_length,
+ const uchar* iv, uint8 iv_length,
+ uint noPadding);
+
+extern my_aes_encrypt_dynamic_type my_aes_encrypt_dynamic;
+
+/**
+ AES decryption AES dynamic (defined at startup) encryption algorithm.
+
+ SYNOPSIS
+ my_aes_decrypt_dynamic()
+ @param source [in] Pointer to data to decrypt
+ @param source_length [in] Size of data
+ @param dest [out] Buffer to place decrypted data (must be large enough)
+ @param dest_length [out] Pointer to size of decrypted data
+ @param key [in] Key to be used for decryption
+ @param key_length [in] Length of the key. 16, 24 or 32
+ @param iv [in] Iv to be used for encryption
+ @param iv_length [in] Length of the iv. should be 16.
+ @param noPadding [in] if set, algorithm specific padding behaviour is used
+
+ @return
+ != 0 error
+ 0 no error
+
+ Method used defined by calling my_aes_init_dynamic_encrypt() at startup.
+*/
+
+typedef int (*my_aes_decrypt_dynamic_type)(const uchar *source,
+ uint32 source_length,
+ uchar *dest, uint32 *dest_length,
+ const uchar *key, uint8 key_length,
+ const uchar *iv, uint8 iv_length,
+ uint noPadding);
+extern my_aes_decrypt_dynamic_type my_aes_decrypt_dynamic;
+
+/**
+ Initialize dynamic crypt functions
+*/
+
+enum enum_my_aes_encryption_algorithm
+{
+ MY_AES_ALGORITHM_NONE, MY_AES_ALGORITHM_ECB, MY_AES_ALGORITHM_CBC,
+ MY_AES_ALGORITHM_CTR
+};
 
- returns - size of encrypted data, or negative in case of error.
+my_aes_decrypt_dynamic_type get_aes_decrypt_func(enum enum_my_aes_encryption_algorithm method);
+my_aes_encrypt_dynamic_type get_aes_encrypt_func(enum enum_my_aes_encryption_algorithm method);
+
+
+my_bool my_aes_init_dynamic_encrypt(enum enum_my_aes_encryption_algorithm method);
+
+extern MYSQL_PLUGIN_IMPORT enum enum_my_aes_encryption_algorithm current_aes_dynamic_method;
+
+
+
+/**
+ Calculate key and iv from a given salt and secret as it is handled in openssl
+ encrypted files via console
+
+ SYNOPSIS
+ my_bytes_to_key()
+
+ @param salt [in] the given salt as extracted from the encrypted file
+ @param secret [in] the given secret as String, provided by the user
+ @param key [out] 32 Bytes of key are written to this pointer
+ @param iv [out] 16 Bytes of iv are written to this pointer
+ */
+
+void my_bytes_to_key(const uchar *salt,
+ const char *secret, uchar *key,
+ uchar *iv);
+
+/**
+ Decode Hexencoded String to uint8[].
+
+ SYNOPSIS
+ my_aes_hex2uint()
+ @param iv [in]	Pointer to hexadecimal encoded IV String
+ @param dest [out]	Pointer to output uint8 array. Memory needs to be
+ allocated by caller
+ @param iv_length [in] Size of destination array.
+ */
+
+void my_aes_hex2uint(const char *in, uchar *out, int dest_length);
+
+/**
+ Crypt buffer with AES encryption algorithm.
+
+ SYNOPSIS
+ my_aes_encrypt()
+
+ @param source	Pointer to data for encryption
+ @param source_length	Size of encryption data
+ @param dest	Buffer to place encrypted data (must be large enough)
+ @param key	Key to be used for encryption
+ @param kel_length	Length of the key. Will handle keys of any length
+
+ @return	Size of encrypted data, or negative in case of error.
 */
 
-int my_aes_encrypt(const char *source, int source_length, char *dest,
+int my_aes_encrypt(const uchar *source, int source_length, uchar *dest,
  const char *key, int key_length);
 
-/*
- my_aes_decrypt	- DeCrypt buffer with AES encryption algorithm.
- source	- Pointer to data for decryption
- source_length	- size of encrypted data
- dest	- buffer to place decrypted data (must be large enough)
- key	- Key to be used for decryption
- kel_length	- Length of the key. Will handle keys of any length
+/**
+ DeCrypt buffer with AES encryption algorithm.
+
+ SYNOPSIS
+ my_aes_decrypt()
 
- returns - size of original data, or negative in case of error.
+ @param source	Pointer to data for decryption
+ @param source_length	size of encrypted data
+ @param dest	buffer to place decrypted data (must be large enough)
+ @param key	Key to be used for decryption
+ @param kel_length	Length of the key. Will handle keys of any length
+
+ @return size of original data, or negative in case of error.
 */
 
 
-int my_aes_decrypt(const char *source, int source_length, char *dest,
+int my_aes_decrypt(const uchar *source, int source_length, uchar *dest,
  const char *key, int key_length);
 
-/*
- my_aes_get_size - get size of buffer which will be large enough for encrypted
- data
- source_length - length of data to be encrypted
+/**
+ get size of buffer which will be large enough for encrypted data
+
+ SYNOPSIS
+ my_aes_get_size()
+ @param source_length	Length of data to be encrypted
 
- returns - size of buffer required to store encrypted data
+ @return Size of buffer required to store encrypted data
 */
 
 int my_aes_get_size(int source_length);

include/my_base.h

@@ -354,6 +354,8 @@ enum ha_base_keytype {
 #define HA_CREATE_DELAY_KEY_WRITE 64
 #define HA_CREATE_RELIES_ON_SQL_LAYER 128
 #define HA_CREATE_INTERNAL_TABLE 256
+#define HA_CREATE_ENCRYPTED 512
+#define HA_INSERT_ORDER 1024
 
 /* Flags used by start_bulk_insert */
 

include/my_crypt.h

@@ -0,0 +1,42 @@
+// TODO: Add Windows support
+
+#ifndef MYSYS_MY_CRYPT_H_
+#define MYSYS_MY_CRYPT_H_
+
+#include <my_aes.h>
+
+#if !defined(HAVE_YASSL) && defined(HAVE_OPENSSL)
+
+#define HAVE_EncryptAes128Ctr
+
+C_MODE_START
+Crypt_result my_aes_encrypt_ctr(const uchar* source, uint32 source_length,
+ uchar* dest, uint32* dest_length,
+ const unsigned char* key, uint8 key_length,
+ const unsigned char* iv, uint8 iv_length,
+ uint noPadding);
+
+Crypt_result my_aes_decrypt_ctr(const uchar* source, uint32 source_length,
+ uchar* dest, uint32* dest_length,
+ const unsigned char* key, uint8 key_length,
+ const unsigned char* iv, uint8 iv_length,
+ uint noPadding);
+C_MODE_END
+
+Crypt_result EncryptAes128Ctr(const uchar* key,
+ const uchar* iv, int iv_size,
+ const uchar* plaintext, int plaintext_size,
+ uchar* ciphertext, int* ciphertext_used);
+
+Crypt_result DecryptAes128Ctr(const uchar* key,
+ const uchar* iv, int iv_size,
+ const uchar* ciphertext, int ciphertext_size,
+ uchar* plaintext, int* plaintext_used);
+
+#endif /* !defined(HAVE_YASSL) && defined(HAVE_OPENSSL) */
+
+C_MODE_START
+Crypt_result my_random_bytes(uchar* buf, int num);
+C_MODE_END
+
+#endif /* MYSYS_MY_CRYPT_H_ */

include/my_crypt_key_management.h

@@ -0,0 +1,80 @@
+
+#ifndef MYSYS_MY_CRYPT_KEY_MANAGMENT_H_
+#define MYSYS_MY_CRYPT_KEY_MANAGMENT_H_
+
+#include "my_global.h"
+#include "my_pthread.h"
+#include "mysql/psi/psi.h"
+
+#ifndef DBUG_OFF
+extern my_bool debug_use_static_encryption_keys;
+
+#ifdef HAVE_PSI_INTERFACE
+extern PSI_rwlock_key key_LOCK_dbug_encryption_key_version;
+#endif
+
+extern mysql_rwlock_t LOCK_dbug_encryption_key_version;
+extern uint opt_debug_encryption_key_version;
+#endif /* DBUG_OFF */
+
+C_MODE_START
+/**
+ * function returning latest key version
+ */
+typedef int (* GetLatestCryptoKeyVersionFunc_t)();
+
+/**
+ * function returning if the key exists
+ */
+typedef unsigned int (* HasKeyVersionFunc_t)(unsigned int version);
+
+/**
+ * function returning the key size
+ */
+typedef int (* GetKeySizeFunc_t)(unsigned int version);
+
+/**
+ * function returning a key for a key version
+ */
+typedef int (* GetCryptoKeyFunc_t)(unsigned int version,
+ unsigned char* key,
+ unsigned keybufsize);
+
+/**
+ * function returning an iv for a key version
+ */
+typedef int (* GetCryptoIVFunc_t)(unsigned int version,
+ unsigned char* iv,
+ unsigned ivbufsize);
+
+
+struct CryptoKeyFuncs_t
+{
+ GetLatestCryptoKeyVersionFunc_t getLatestCryptoKeyVersionFunc;
+ HasKeyVersionFunc_t hasCryptoKeyFunc;
+ GetKeySizeFunc_t getCryptoKeySize;
+ GetCryptoKeyFunc_t getCryptoKeyFunc;
+ GetCryptoIVFunc_t getCryptoIVFunc;
+};
+
+/**
+ * Install functions to use for key management
+ */
+void
+InstallCryptoKeyFunctions(const struct CryptoKeyFuncs_t* cryptoKeyFuncs);
+
+/**
+ * Functions to interact with key management
+ */
+
+int GetLatestCryptoKeyVersion();
+unsigned int HasCryptoKey(unsigned int version);
+int GetCryptoKeySize(unsigned int version);
+int GetCryptoKey(unsigned int version, unsigned char* key_buffer,
+ unsigned int size);
+int GetCryptoIV(unsigned int version, unsigned char* key_buffer,
+ unsigned int size);
+
+C_MODE_END
+
+#endif // MYSYS_MY_CRYPT_KEY_MANAGMENT_H_

include/my_dbug.h

@@ -176,6 +176,9 @@ extern void _db_suicide_();
 #define DBUG_SYNC_POINT(lock_name,lock_timeout) \
  debug_sync_point(lock_name,lock_timeout)
 void debug_sync_point(const char* lock_name, uint lock_timeout);
+
+/* Extern function for debugging */
+extern void dump_buffer(FILE *stream, unsigned n, const unsigned char* buf);
 #else
 #define DBUG_SYNC_POINT(lock_name,lock_timeout)
 #endif /* EXTRA_DEBUG */

include/my_md5.h

@@ -28,7 +28,7 @@
 extern "C" {
 #endif
 
-#define compute_md5_hash(A,B,C) my_md5(A,B,C)
+#define compute_md5_hash(A,B,C) my_md5((unsigned char *)A,B,C)
 
 /*
  Convert an array of bytes to a hexadecimal representation.

include/mysql/plugin.h

@@ -88,7 +88,8 @@ typedef struct st_mysql_xid MYSQL_XID;
 #define MYSQL_AUDIT_PLUGIN 5
 #define MYSQL_REPLICATION_PLUGIN 6
 #define MYSQL_AUTHENTICATION_PLUGIN 7
-#define MYSQL_MAX_PLUGIN_TYPE_NUM 9 /* The number of plugin types */
+#define MYSQL_KEY_MANAGEMENT_PLUGIN 9
+#define MYSQL_MAX_PLUGIN_TYPE_NUM 10 /* The number of plugin types */
 
 /* MariaDB plugin types */
 #define MariaDB_PASSWORD_VALIDATION_PLUGIN 8