Commit 6a7ee5a5 authored by Sergei Golubchik's avatar Sergei Golubchik

encryption cleanup: small changes

* comments
* move my_bytes_to_key() and my_aes_hex2uint() into file_key_management_plugin
* rename HA_INSERT_ORDER -> HA_PRESERVE_INSERT_ORDER
* remove unused variables and declarations
* fix casts
* don't link innodb with pcre
* remove redundant entries from aria's TARGET_LINK_LIBRARIES
parent 87604c4c
/* Copyright (c) 2002, 2006 MySQL AB, 2009 Sun Microsystems, Inc.
Copyright (c) 2014, 2015 MariaDB Corporation
Use is subject to license terms.
This program is free software; you can redistribute it and/or modify
......@@ -21,7 +22,6 @@
#ifndef MY_AES_INCLUDED
#define MY_AES_INCLUDED
/* We expect same result code from encryption functions as in my_aes.h */
typedef int Crypt_result;
#define AES_OK 0
......@@ -36,7 +36,7 @@ typedef int Crypt_result;
#define CRYPT_BUFFER_TO_SMALL -11
#define CRYPT_KEY_UNKNOWN -48
/* The max block sizes of all supported algorithms */
/* The block size for all supported algorithms */
#define MY_AES_BLOCK_SIZE 16
/* The max key length of all supported algorithms */
......@@ -127,38 +127,6 @@ my_bool my_aes_init_dynamic_encrypt(enum enum_my_aes_encryption_algorithm method
extern MYSQL_PLUGIN_IMPORT enum enum_my_aes_encryption_algorithm current_aes_dynamic_method;
/**
Calculate key and iv from a given salt and secret as it is handled in openssl
encrypted files via console
SYNOPSIS
my_bytes_to_key()
@param salt [in] the given salt as extracted from the encrypted file
@param secret [in] the given secret as String, provided by the user
@param key [out] 32 Bytes of key are written to this pointer
@param iv [out] 16 Bytes of iv are written to this pointer
*/
void my_bytes_to_key(const uchar *salt,
const char *secret, uchar *key,
uchar *iv);
/**
Decode Hexencoded String to uint8[].
SYNOPSIS
my_aes_hex2uint()
@param iv [in] Pointer to hexadecimal encoded IV String
@param dest [out] Pointer to output uint8 array. Memory needs to be
allocated by caller
@param iv_length [in] Size of destination array.
*/
void my_aes_hex2uint(const char *in, uchar *out, int dest_length);
/**
Crypt buffer with AES encryption algorithm.
......
......@@ -355,7 +355,7 @@ enum ha_base_keytype {
#define HA_CREATE_RELIES_ON_SQL_LAYER 128
#define HA_CREATE_INTERNAL_TABLE 256
#define HA_CREATE_ENCRYPTED 512
#define HA_INSERT_ORDER 1024
#define HA_PRESERVE_INSERT_ORDER 1024
/* Flags used by start_bulk_insert */
......
......@@ -176,9 +176,6 @@ extern void _db_suicide_();
#define DBUG_SYNC_POINT(lock_name,lock_timeout) \
debug_sync_point(lock_name,lock_timeout)
void debug_sync_point(const char* lock_name, uint lock_timeout);
/* Extern function for debugging */
extern void dump_buffer(FILE *stream, unsigned n, const unsigned char* buf);
#else
#define DBUG_SYNC_POINT(lock_name,lock_timeout)
#endif /* EXTRA_DEBUG */
......
......@@ -28,7 +28,7 @@
extern "C" {
#endif
#define compute_md5_hash(A,B,C) my_md5((unsigned char *)A,B,C)
#define compute_md5_hash(A,B,C) my_md5(A,B,C)
/*
Convert an array of bytes to a hexadecimal representation.
......
......@@ -100,101 +100,6 @@ static int my_aes_create_key(const char *key, int key_length, uint8 *rkey)
return 0;
}
/**
Decode Hexencoded String to uint8[].
SYNOPSIS
my_aes_hex2uint()
@param iv [in] Pointer to hexadecimal encoded IV String
@param dest [out] Pointer to output uint8 array. Memory allocated by caller
@param iv_length [in] Size of destination array.
*/
void my_aes_hex2uint(const char* in, unsigned char *out, int dest_length)
{
const char *pos= in;
int count;
for (count = 0; count < dest_length; count++)
{
uchar res;
sscanf(pos, "%2hhx", &res);
out[count] = res;
pos += 2 * sizeof(char);
}
}
/**
Calculate key and iv from a given salt and secret as it is handled
in openssl encrypted files via console
SYNOPSIS
my_bytes_to_key()
@param salt [in] the given salt as extracted from the encrypted file
@param secret [in] the given secret as String, provided by the user
@param key [out] 32 Bytes of key are written to this pointer
@param iv [out] 16 Bytes of iv are written to this pointer
*/
void my_bytes_to_key(const unsigned char *salt, const char *secret, unsigned char *key,
unsigned char *iv)
{
#ifdef HAVE_YASSL
/* the yassl function has no support for SHA1. Reason unknown. */
int keyLen = 32;
int ivLen = 16;
int EVP_SALT_SZ = 8;
const int SHA_LEN = 20;
yaSSL::SHA myMD;
uint digestSz = myMD.get_digestSize();
unsigned char digest[SHA_LEN]; // max size
int sz = strlen(secret);
int count = 1;
int keyLeft = keyLen;
int ivLeft = ivLen;
int keyOutput = 0;
while (keyOutput < (keyLen + ivLen))
{
int digestLeft = digestSz;
if (keyOutput) // first time D_0 is empty
myMD.update(digest, digestSz);
myMD.update((yaSSL::byte* )secret, sz);
if (salt)
myMD.update(salt, EVP_SALT_SZ);
myMD.get_digest(digest);
for (int j = 1; j < count; j++)
{
myMD.update(digest, digestSz);
myMD.get_digest(digest);
}
if (keyLeft)
{
int store = MY_MIN(keyLeft, static_cast<int>(digestSz));
memcpy(&key[keyLen - keyLeft], digest, store);
keyOutput += store;
keyLeft -= store;
digestLeft -= store;
}
if (ivLeft && digestLeft)
{
int store = MY_MIN(ivLeft, digestLeft);
memcpy(&iv[ivLen - ivLeft], &digest[digestSz - digestLeft], store);
keyOutput += store;
ivLeft -= store;
}
}
#elif defined(HAVE_OPENSSL)
const EVP_CIPHER *type = EVP_aes_256_cbc();
const EVP_MD *digest = EVP_sha1();
EVP_BytesToKey(type, digest, salt, (uchar*) secret, strlen(secret), 1, key, iv);
#endif
}
/**
Crypt buffer with AES CBC encryption algorithm.
......
IF(HAVE_EncryptAes128Ctr)
MYSQL_ADD_PLUGIN(EXAMPLE_KEY_MANAGEMENT_PLUGIN example_key_management_plugin.cc
MYSQL_ADD_PLUGIN(EXAMPLE_KEY_MANAGEMENT_PLUGIN example_key_management_plugin.cc
MODULE_ONLY)
ENDIF()
// Copyright (C) 2014 Google Inc.
/*
Copyright (c) 2014 Google Inc.
Copyright (c) 2014, 2015 MariaDB Corporation
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
/**
Example key management plugin. It demonstrates how to return
keys on request, how to change them. That the engine can have
different pages in the same tablespace encrypted with different keys
and what the background re-encryption thread does.
THIS IS AN EXAMPLE ONLY! ENCRYPTION KEYS ARE HARD-CODED AND *NOT* SECRET!
DO NOT USE THIS PLUGIN IN PRODUCTION! EVER!
*/
#include <my_global.h>
#include <my_pthread.h>
......@@ -36,7 +61,7 @@ get_latest_key_version()
static int
get_key(unsigned int version, unsigned char* dstbuf, unsigned buflen)
{
char *dst = (char*)dstbuf; // md5 function takes char* as argument...
unsigned char *dst = dstbuf;
unsigned len = 0;
for (; len + MD5_HASH_SIZE <= buflen; len += MD5_HASH_SIZE)
{
......
......@@ -259,7 +259,6 @@ int EncKeys::parseFile(const char* filename, const uint32 maxKeyId,
{
int errorCode= 0;
char *buffer= decryptFile(filename, secret, &errorCode);
uint32 id= 0;
if (errorCode != NO_ERROR_PARSE_OK)
return errorCode;
......@@ -271,7 +270,6 @@ int EncKeys::parseFile(const char* filename, const uint32 maxKeyId,
keyLineInKeyFile++;
switch (parseLine(line, maxKeyId)) {
case NO_ERROR_PARSE_OK:
id= oneKey->id;
keys[oneKey->id - 1]= *oneKey;
delete(oneKey);
countKeys++;
......
......@@ -27,9 +27,35 @@ Created 09/15/2014
#include <sys/types.h>
#include <stdio.h>
/**
Calculate key and iv from a given salt and secret as it is handled in openssl
encrypted files via console
SYNOPSIS
my_bytes_to_key()
@param salt [in] the given salt as extracted from the encrypted file
@param secret [in] the given secret as String, provided by the user
@param key [out] 32 Bytes of key are written to this pointer
@param iv [out] 16 Bytes of iv are written to this pointer
*/
void my_bytes_to_key(const uchar *salt,
const char *secret, uchar *key,
uchar *iv);
/**
Decode Hexencoded String to uint8[].
SYNOPSIS
my_aes_hex2uint()
@param iv [in] Pointer to hexadecimal encoded IV String
@param dest [out] Pointer to output uint8 array. Memory needs to be
allocated by caller
@param iv_length [in] Size of destination array.
*/
void my_aes_hex2uint(const char *in, uchar *out, int dest_length);
struct keyentry {
uint32 id;
......@@ -37,7 +63,6 @@ struct keyentry {
char *key;
};
class EncKeys
{
private:
......
......@@ -42,6 +42,101 @@ static struct st_mysql_sys_var* settings[] = {
NULL
};
/**
Decode Hexencoded String to uint8[].
SYNOPSIS
my_aes_hex2uint()
@param iv [in] Pointer to hexadecimal encoded IV String
@param dest [out] Pointer to output uint8 array. Memory allocated by caller
@param iv_length [in] Size of destination array.
*/
void my_aes_hex2uint(const char* in, unsigned char *out, int dest_length)
{
const char *pos= in;
int count;
for (count = 0; count < dest_length; count++)
{
uchar res;
sscanf(pos, "%2hhx", &res);
out[count] = res;
pos += 2 * sizeof(char);
}
}
/**
Calculate key and iv from a given salt and secret as it is handled
in openssl encrypted files via console
SYNOPSIS
my_bytes_to_key()
@param salt [in] the given salt as extracted from the encrypted file
@param secret [in] the given secret as String, provided by the user
@param key [out] 32 Bytes of key are written to this pointer
@param iv [out] 16 Bytes of iv are written to this pointer
*/
void my_bytes_to_key(const unsigned char *salt, const char *secret, unsigned char *key,
unsigned char *iv)
{
#ifdef HAVE_YASSL
/* the yassl function has no support for SHA1. Reason unknown. */
int keyLen = 32;
int ivLen = 16;
int EVP_SALT_SZ = 8;
const int SHA_LEN = 20;
yaSSL::SHA myMD;
uint digestSz = myMD.get_digestSize();
unsigned char digest[SHA_LEN]; // max size
int sz = strlen(secret);
int count = 1;
int keyLeft = keyLen;
int ivLeft = ivLen;
int keyOutput = 0;
while (keyOutput < (keyLen + ivLen))
{
int digestLeft = digestSz;
if (keyOutput) // first time D_0 is empty
myMD.update(digest, digestSz);
myMD.update((yaSSL::byte* )secret, sz);
if (salt)
myMD.update(salt, EVP_SALT_SZ);
myMD.get_digest(digest);
for (int j = 1; j < count; j++)
{
myMD.update(digest, digestSz);
myMD.get_digest(digest);
}
if (keyLeft)
{
int store = MY_MIN(keyLeft, static_cast<int>(digestSz));
memcpy(&key[keyLen - keyLeft], digest, store);
keyOutput += store;
keyLeft -= store;
digestLeft -= store;
}
if (ivLeft && digestLeft)
{
int store = MY_MIN(ivLeft, digestLeft);
memcpy(&iv[ivLen - ivLeft], &digest[digestSz - digestLeft], store);
keyOutput += store;
ivLeft -= store;
}
}
#elif defined(HAVE_OPENSSL)
const EVP_CIPHER *type = EVP_aes_256_cbc();
const EVP_MD *digest = EVP_sha1();
EVP_BytesToKey(type, digest, salt, (uchar*) secret, strlen(secret), 1, key, iv);
#endif
}
/**
......
......@@ -1616,7 +1616,7 @@ int plugin_init(int *argc, char **argv, int flags)
goto err_unlock;
/*
initialize the global default storage engine so that it may
set the global default storage engine variable so that it will
not be null in any child thread.
*/
global_system_variables.table_plugin=
......
......@@ -16874,7 +16874,6 @@ bool create_internal_tmp_table(TABLE *table, KEY *keyinfo,
MARIA_UNIQUEDEF uniquedef;
TABLE_SHARE *share= table->s;
MARIA_CREATE_INFO create_info;
my_bool encrypt= encrypt_tmp_disk_tables;
DBUG_ENTER("create_internal_tmp_table");
if (share->keys)
......@@ -16984,14 +16983,14 @@ bool create_internal_tmp_table(TABLE *table, KEY *keyinfo,
DYNAMIC_RECORD : BLOCK_RECORD);
uint create_flags= HA_CREATE_TMP_TABLE | HA_CREATE_INTERNAL_TABLE;
if (file_type != NO_RECORD && MY_TEST(encrypt))
if (file_type != NO_RECORD && encrypt_tmp_disk_tables)
{
/* encryption is only supported for BLOCK_RECORD */
file_type= BLOCK_RECORD;
create_flags|= HA_CREATE_ENCRYPTED;
if (table->keep_row_order)
{
create_flags|= HA_INSERT_ORDER;
create_flags|= HA_PRESERVE_INSERT_ORDER;
}
if (table->used_for_duplicate_elimination)
......
......@@ -474,5 +474,5 @@ ENDIF()
MYSQL_ADD_PLUGIN(innobase ${INNOBASE_SOURCES} STORAGE_ENGINE
MODULE_ONLY
MODULE_OUTPUT_NAME ha_innodb
LINK_LIBRARIES ${ZLIB_LIBRARY} ${LINKER_SCRIPT} pcre pcreposix)
LINK_LIBRARIES ${ZLIB_LIBRARY} ${LINKER_SCRIPT})
......@@ -64,7 +64,7 @@ IF(NOT WITH_ARIA_STORAGE_ENGINE)
ENDIF()
TARGET_LINK_LIBRARIES(aria myisam
mysys mysys_ssl ${LIBCRYPT} ${LIBDL} ${SSL_LIBRARIES})
mysys mysys_ssl)
MYSQL_ADD_EXECUTABLE(aria_ftdump maria_ftdump.c COMPONENT Server)
TARGET_LINK_LIBRARIES(aria_ftdump aria)
......
......@@ -74,7 +74,7 @@ int maria_create(const char *name, enum data_file_type datafile_type,
myf sync_dir= 0;
uchar *log_data= NULL;
my_bool encrypted= MY_TEST(flags & HA_CREATE_ENCRYPTED);
my_bool insert_order= MY_TEST(flags & HA_INSERT_ORDER);
my_bool insert_order= MY_TEST(flags & HA_PRESERVE_INSERT_ORDER);
uint crypt_page_header_space= 0;
DBUG_ENTER("maria_create");
DBUG_PRINT("enter", ("keys: %u columns: %u uniques: %u flags: %u",
......
/* Copyright 2013 Google Inc. All Rights Reserved. */
/*
Copyright (c) 2013 Google Inc.
Copyright (c) 2014, 2015 MariaDB Corporation
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
#include <my_global.h>
#include "ma_crypt.h"
......@@ -136,12 +151,10 @@ ma_crypt_read(MARIA_SHARE* share, uchar *buff)
return buff + 2 + iv_length;
}
static void ma_encrypt(MARIA_CRYPT_DATA *crypt_data,
const uchar *src, uchar *dst, uint size,
uint pageno, LSN lsn, uint *key_version);
static void ma_decrypt(MARIA_CRYPT_DATA *crypt_data,
const uchar *src, uchar *dst, uint size,
uint pageno, LSN lsn, uint key_version);
static void ma_encrypt(MARIA_CRYPT_DATA *, const uchar *, uchar *, uint,
uint, LSN, uint *);
static void ma_decrypt(MARIA_CRYPT_DATA *, const uchar *, uchar *, uint,
uint, LSN, uint);
static my_bool ma_crypt_pre_read_hook(PAGECACHE_IO_HOOK_ARGS *args)
{
......@@ -249,7 +262,7 @@ static my_bool ma_crypt_data_pre_write_hook(PAGECACHE_IO_HOOK_ARGS *args)
/* 1 - copy head */
memcpy(dst, src, head);
/* 2 - decrypt page */
/* 2 - encrypt page */
ma_encrypt(share->crypt_data,
src + head, dst + head, size - (head + tail), pageno, lsn,
&key_version);
......@@ -368,7 +381,7 @@ static my_bool ma_crypt_index_pre_write_hook(PAGECACHE_IO_HOOK_ARGS *args)
/* 1 - copy head */
memcpy(dst, src, head);
/* 2 - decrypt page */
/* 2 - encrypt page */
ma_encrypt(share->crypt_data,
src + head, dst + head, size, pageno, lsn, &key_version);
/* 3 - copy tail */
......@@ -456,6 +469,4 @@ static void ma_decrypt(MARIA_CRYPT_DATA *crypt_data,
fatal("failed to decrypt! rc: %d, dstlen: %d size: %d\n",
rc, dstlen, (int)size);
}
(void)key_version;
}
/* Copyright 2013 Google Inc. All Rights Reserved. */
/*
Copyright (c) 2013 Google Inc.
Copyright (c) 2014, 2015 MariaDB Corporation
#ifndef _ma_crypt_h
#define _ma_crypt_h
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
#ifndef STORAGE_MARIA_MA_CRYPT_INCLUDED
#define STORAGE_MARIA_MA_CRYPT_INCLUDED
#include <my_global.h>
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment