Commit 7bf40959 authored by Vladislav Vaintroub's avatar Vladislav Vaintroub Committed by Sergei Golubchik

MDEV-11660 Make encryption plugins "pure"

Do not exporting mysqld entry points directly.
This is needed for mariabackup, to load encryption plugins on Windows.

All plugins are "pure" by default. To mark plugin "impure"
it should use RECOMPILE_FOR_EMBEDDED or STORAGE_ENGINE keyword.
parent db391074
...@@ -201,13 +201,15 @@ MACRO(MYSQL_ADD_PLUGIN) ...@@ -201,13 +201,15 @@ MACRO(MYSQL_ADD_PLUGIN)
# executable to the linker command line (it would result into link error). # executable to the linker command line (it would result into link error).
# Thus we skip TARGET_LINK_LIBRARIES on Linux, as it would only generate # Thus we skip TARGET_LINK_LIBRARIES on Linux, as it would only generate
# an additional dependency. # an additional dependency.
IF(NOT ARG_CLIENT) IF(ARG_RECOMPILE_FOR_EMBEDDED OR ARG_STORAGE_ENGINE)
IF(MSVC) IF(MSVC)
ADD_DEPENDENCIES(${target} gen_mysqld_lib) ADD_DEPENDENCIES(${target} gen_mysqld_lib)
TARGET_LINK_LIBRARIES(${target} mysqld_import_lib) TARGET_LINK_LIBRARIES(${target} mysqld_import_lib)
ELSEIF(NOT CMAKE_SYSTEM_NAME STREQUAL "Linux") ELSEIF(NOT CMAKE_SYSTEM_NAME STREQUAL "Linux")
TARGET_LINK_LIBRARIES (${target} mysqld) TARGET_LINK_LIBRARIES (${target} mysqld)
ENDIF() ENDIF()
ELSEIF(CMAKE_SYSTEM_NAME STREQUAL "Linux")
TARGET_LINK_LIBRARIES (${target} "-Wl,--no-undefined")
ENDIF() ENDIF()
IF(ARG_LINK_LIBRARIES) IF(ARG_LINK_LIBRARIES)
......
...@@ -28,7 +28,7 @@ select plugin_status from information_schema.plugins ...@@ -28,7 +28,7 @@ select plugin_status from information_schema.plugins
where plugin_name = 'file_key_management'; where plugin_name = 'file_key_management';
plugin_status plugin_status
install soname 'file_key_management'; install soname 'file_key_management';
ERROR HY000: Invalid key id at MYSQL_TMP_DIR/keys.txt line 2, column 11 ERROR HY000: Invalid key id at MYSQL_TMP_DIR/keys.txt line 2, column 10
call mtr.add_suppression("Invalid key id"); call mtr.add_suppression("Invalid key id");
call mtr.add_suppression("Plugin 'file_key_management' init function returned error"); call mtr.add_suppression("Plugin 'file_key_management' init function returned error");
call mtr.add_suppression("Plugin 'file_key_management' registration.*failed"); call mtr.add_suppression("Plugin 'file_key_management' registration.*failed");
......
...@@ -15,5 +15,8 @@ ...@@ -15,5 +15,8 @@
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
ADD_DEFINITIONS(-DNO_GET_TTY_PASSWORD) ADD_DEFINITIONS(-DNO_GET_TTY_PASSWORD)
IF(LIBDL)
SET(LLDL LINK_LIBRARIES dl)
ENDIF()
MYSQL_ADD_PLUGIN(dialog dialog.c ${CMAKE_SOURCE_DIR}/libmysql/get_password.c MYSQL_ADD_PLUGIN(dialog dialog.c ${CMAKE_SOURCE_DIR}/libmysql/get_password.c
MODULE_ONLY CLIENT COMPONENT ClientPlugins) MODULE_ONLY CLIENT ${LLDL} COMPONENT ClientPlugins)
...@@ -16,9 +16,7 @@ ...@@ -16,9 +16,7 @@
#include <my_global.h> #include <my_global.h>
#include <my_pthread.h> #include <typelib.h>
#include <my_sys.h>
#include <my_dir.h>
#include <mysql/plugin_encryption.h> #include <mysql/plugin_encryption.h>
#include <my_crypt.h> #include <my_crypt.h>
#include <string.h> #include <string.h>
...@@ -33,6 +31,10 @@ ...@@ -33,6 +31,10 @@
#include <sstream> #include <sstream>
#include <fstream> #include <fstream>
#ifndef _WIN32
#include <dirent.h>
#endif
#include <aws/core/Aws.h> #include <aws/core/Aws.h>
#include <aws/core/client/AWSError.h> #include <aws/core/client/AWSError.h>
#include <aws/core/utils/logging/AWSLogging.h> #include <aws/core/utils/logging/AWSLogging.h>
...@@ -48,9 +50,6 @@ using namespace std; ...@@ -48,9 +50,6 @@ using namespace std;
using namespace Aws::KMS; using namespace Aws::KMS;
using namespace Aws::KMS::Model; using namespace Aws::KMS::Model;
using namespace Aws::Utils::Logging; using namespace Aws::Utils::Logging;
extern void sql_print_error(const char *format, ...);
extern void sql_print_warning(const char *format, ...);
extern void sql_print_information(const char *format, ...);
/* Plaintext key info struct */ /* Plaintext key info struct */
...@@ -90,14 +89,8 @@ static int extract_id_and_version(const char *name, uint *id, uint *ver); ...@@ -90,14 +89,8 @@ static int extract_id_and_version(const char *name, uint *id, uint *ver);
static unsigned int get_latest_key_version(unsigned int key_id); static unsigned int get_latest_key_version(unsigned int key_id);
static unsigned int get_latest_key_version_nolock(unsigned int key_id); static unsigned int get_latest_key_version_nolock(unsigned int key_id);
static int load_key(KEY_INFO *info); static int load_key(KEY_INFO *info);
static std::mutex mtx;
/* Mutex to serialize access to caches */
static mysql_mutex_t mtx;
#ifdef HAVE_PSI_INTERFACE
static uint mtx_key;
static PSI_mutex_info mtx_info = {&mtx_key, "mtx", 0};
#endif
static Aws::KMS::KMSClient *client; static Aws::KMS::KMSClient *client;
...@@ -140,6 +133,33 @@ class MySQLLogSystem : public Aws::Utils::Logging::FormattedLogSystem ...@@ -140,6 +133,33 @@ class MySQLLogSystem : public Aws::Utils::Logging::FormattedLogSystem
} }
}; };
/* Get list of files in current directory */
static vector<string> traverse_current_directory()
{
vector<string> v;
#ifdef _WIN32
WIN32_FIND_DATA find_data;
HANDLE h= FindFirstFile("*.*", &find_data);
if (h == INVALID_HANDLE_VALUE)
return v;
do
{
v.push_back(find_data.cFileName);
}
while (FindNextFile(h, &find_data));
FindClose(h);
#else
DIR *dir = opendir(".");
if (!dir)
return v;
struct dirent *e;
while ((e= readdir(dir))
v.push_back(e->d_name);
closedir(dir);
#endif
return v;
}
Aws::SDKOptions sdkOptions; Aws::SDKOptions sdkOptions;
/* /*
...@@ -150,7 +170,6 @@ Aws::SDKOptions sdkOptions; ...@@ -150,7 +170,6 @@ Aws::SDKOptions sdkOptions;
*/ */
static int plugin_init(void *p) static int plugin_init(void *p)
{ {
DBUG_ENTER("plugin_init");
#ifdef HAVE_YASSL #ifdef HAVE_YASSL
sdkOptions.cryptoOptions.initAndCleanupOpenSSL = true; sdkOptions.cryptoOptions.initAndCleanupOpenSSL = true;
...@@ -176,46 +195,33 @@ static int plugin_init(void *p) ...@@ -176,46 +195,33 @@ static int plugin_init(void *p)
if (!client) if (!client)
{ {
my_printf_error(ER_UNKNOWN_ERROR, "Can not initialize KMS client", ME_ERROR_LOG,); my_printf_error(ER_UNKNOWN_ERROR, "Can not initialize KMS client", ME_ERROR_LOG,);
DBUG_RETURN(-1); return -1;
} }
#ifdef HAVE_PSI_INTERFACE vector<string> files= traverse_current_directory();
mysql_mutex_register("aws_key_management", &mtx_info, 1); for (size_t i=0; i < files.size(); i++)
#endif
mysql_mutex_init(mtx_key, &mtx, NULL);
MY_DIR *dirp = my_dir(".", MYF(0));
if (!dirp)
{
sql_print_error("Can't scan current directory");
DBUG_RETURN(-1);
}
for (unsigned int i=0; i < dirp->number_of_files; i++)
{ {
KEY_INFO info; KEY_INFO info;
if (extract_id_and_version(dirp->dir_entry[i].name, &info.key_id, &info.key_version) == 0) if (extract_id_and_version(files[i].c_str(), &info.key_id, &info.key_version) == 0)
{ {
key_info_cache[KEY_ID_AND_VERSION(info.key_id, info.key_version)]= info; key_info_cache[KEY_ID_AND_VERSION(info.key_id, info.key_version)]= info;
latest_version_cache[info.key_id]= max(info.key_version, latest_version_cache[info.key_id]); latest_version_cache[info.key_id]= max(info.key_version, latest_version_cache[info.key_id]);
} }
} }
my_dirend(dirp); return 0;
DBUG_RETURN(0);
} }
static int plugin_deinit(void *p) static int plugin_deinit(void *p)
{ {
DBUG_ENTER("plugin_deinit");
latest_version_cache.clear(); latest_version_cache.clear();
key_info_cache.clear(); key_info_cache.clear();
mysql_mutex_destroy(&mtx);
delete client; delete client;
ShutdownAWSLogging(); ShutdownAWSLogging();
Aws::ShutdownAPI(sdkOptions); Aws::ShutdownAPI(sdkOptions);
DBUG_RETURN(0); return 0;
} }
/* Generate filename to store the ciphered key */ /* Generate filename to store the ciphered key */
...@@ -242,8 +248,7 @@ static int load_key(KEY_INFO *info) ...@@ -242,8 +248,7 @@ static int load_key(KEY_INFO *info)
{ {
int ret; int ret;
char path[256]; char path[256];
DBUG_ENTER("load_key");
DBUG_PRINT("enter", ("id=%u,ver=%u", info->key_id, info->key_version));
format_keyfile_name(path, sizeof(path), info->key_id, info->key_version); format_keyfile_name(path, sizeof(path), info->key_id, info->key_version);
ret= aws_decrypt_key(path, info); ret= aws_decrypt_key(path, info);
if (ret) if (ret)
...@@ -262,7 +267,7 @@ static int load_key(KEY_INFO *info) ...@@ -262,7 +267,7 @@ static int load_key(KEY_INFO *info)
my_printf_error(ER_UNKNOWN_ERROR, "AWS KMS plugin: key %u, version %u could not be decrypted", ME_ERROR_LOG | ER_WARNING, my_printf_error(ER_UNKNOWN_ERROR, "AWS KMS plugin: key %u, version %u could not be decrypted", ME_ERROR_LOG | ER_WARNING,
info->key_id, info->key_version); info->key_id, info->key_version);
} }
DBUG_RETURN(ret); return ret;
} }
...@@ -281,19 +286,17 @@ static int load_key(KEY_INFO *info) ...@@ -281,19 +286,17 @@ static int load_key(KEY_INFO *info)
static unsigned int get_latest_key_version(unsigned int key_id) static unsigned int get_latest_key_version(unsigned int key_id)
{ {
unsigned int ret; unsigned int ret;
DBUG_ENTER("get_latest_key_version"); mtx.lock();
mysql_mutex_lock(&mtx);
ret= get_latest_key_version_nolock(key_id); ret= get_latest_key_version_nolock(key_id);
mysql_mutex_unlock(&mtx); mtx.unlock();
DBUG_PRINT("info", ("key=%u,ret=%u", key_id, ret)); return ret;
DBUG_RETURN(ret);
} }
static unsigned int get_latest_key_version_nolock(unsigned int key_id) static unsigned int get_latest_key_version_nolock(unsigned int key_id)
{ {
KEY_INFO info; KEY_INFO info;
uint ver; uint ver;
DBUG_ENTER("get_latest_key_version_nolock");
ver= latest_version_cache[key_id]; ver= latest_version_cache[key_id];
if (ver > 0) if (ver > 0)
{ {
...@@ -302,13 +305,13 @@ static unsigned int get_latest_key_version_nolock(unsigned int key_id) ...@@ -302,13 +305,13 @@ static unsigned int get_latest_key_version_nolock(unsigned int key_id)
if (info.load_failed) if (info.load_failed)
{ {
/* Decryption failed previously, don't retry */ /* Decryption failed previously, don't retry */
DBUG_RETURN(ENCRYPTION_KEY_VERSION_INVALID); return(ENCRYPTION_KEY_VERSION_INVALID);
} }
else if (ver > 0) else if (ver > 0)
{ {
/* Key exists already, return it*/ /* Key exists already, return it*/
if (info.length > 0) if (info.length > 0)
DBUG_RETURN(ver); return(ver);
} }
else // (ver == 0) else // (ver == 0)
{ {
...@@ -318,18 +321,18 @@ static unsigned int get_latest_key_version_nolock(unsigned int key_id) ...@@ -318,18 +321,18 @@ static unsigned int get_latest_key_version_nolock(unsigned int key_id)
my_printf_error(ER_UNKNOWN_ERROR, my_printf_error(ER_UNKNOWN_ERROR,
"Can't generate encryption key %u, because 'aws_key_management_master_key_id' parameter is not set", "Can't generate encryption key %u, because 'aws_key_management_master_key_id' parameter is not set",
MYF(0), key_id); MYF(0), key_id);
DBUG_RETURN(ENCRYPTION_KEY_VERSION_INVALID); return(ENCRYPTION_KEY_VERSION_INVALID);
} }
if (aws_generate_datakey(key_id, 1) != 0) if (aws_generate_datakey(key_id, 1) != 0)
DBUG_RETURN(ENCRYPTION_KEY_VERSION_INVALID); return(ENCRYPTION_KEY_VERSION_INVALID);
info.key_id= key_id; info.key_id= key_id;
info.key_version= 1; info.key_version= 1;
info.length= 0; info.length= 0;
} }
if (load_key(&info)) if (load_key(&info))
DBUG_RETURN(ENCRYPTION_KEY_VERSION_INVALID); return(ENCRYPTION_KEY_VERSION_INVALID);
DBUG_RETURN(info.key_version); return(info.key_version);
} }
...@@ -338,20 +341,19 @@ static unsigned int get_latest_key_version_nolock(unsigned int key_id) ...@@ -338,20 +341,19 @@ static unsigned int get_latest_key_version_nolock(unsigned int key_id)
*/ */
static int aws_decrypt_key(const char *path, KEY_INFO *info) static int aws_decrypt_key(const char *path, KEY_INFO *info)
{ {
DBUG_ENTER("aws_decrypt_key");
/* Read file content into memory */ /* Read file content into memory */
ifstream ifs(path, ios::binary | ios::ate); ifstream ifs(path, ios::binary | ios::ate);
if (!ifs.good()) if (!ifs.good())
{ {
my_printf_error(ER_UNKNOWN_ERROR, "can't open file %s", ME_ERROR_LOG, path); my_printf_error(ER_UNKNOWN_ERROR, "can't open file %s", ME_ERROR_LOG, path);
DBUG_RETURN(-1); return(-1);
} }
size_t pos = (size_t)ifs.tellg(); size_t pos = (size_t)ifs.tellg();
if (!pos || pos == SIZE_T_MAX) if (!pos || pos == SIZE_T_MAX)
{ {
my_printf_error(ER_UNKNOWN_ERROR, "invalid key file %s", ME_ERROR_LOG, path); my_printf_error(ER_UNKNOWN_ERROR, "invalid key file %s", ME_ERROR_LOG, path);
DBUG_RETURN(-1); return(-1);
} }
std::vector<char> contents(pos); std::vector<char> contents(pos);
ifs.seekg(0, ios::beg); ifs.seekg(0, ios::beg);
...@@ -366,7 +368,7 @@ static int aws_decrypt_key(const char *path, KEY_INFO *info) ...@@ -366,7 +368,7 @@ static int aws_decrypt_key(const char *path, KEY_INFO *info)
{ {
my_printf_error(ER_UNKNOWN_ERROR, "AWS KMS plugin: Decrypt failed for %s : %s", ME_ERROR_LOG, path, my_printf_error(ER_UNKNOWN_ERROR, "AWS KMS plugin: Decrypt failed for %s : %s", ME_ERROR_LOG, path,
outcome.GetError().GetMessage().c_str()); outcome.GetError().GetMessage().c_str());
DBUG_RETURN(-1); return(-1);
} }
Aws::Utils::ByteBuffer plaintext = outcome.GetResult().GetPlaintext(); Aws::Utils::ByteBuffer plaintext = outcome.GetResult().GetPlaintext();
size_t len = plaintext.GetLength(); size_t len = plaintext.GetLength();
...@@ -374,19 +376,17 @@ static int aws_decrypt_key(const char *path, KEY_INFO *info) ...@@ -374,19 +376,17 @@ static int aws_decrypt_key(const char *path, KEY_INFO *info)
if (len > (int)sizeof(info->data)) if (len > (int)sizeof(info->data))
{ {
my_printf_error(ER_UNKNOWN_ERROR, "AWS KMS plugin: encoding key too large for %s", ME_ERROR_LOG, path); my_printf_error(ER_UNKNOWN_ERROR, "AWS KMS plugin: encoding key too large for %s", ME_ERROR_LOG, path);
DBUG_RETURN(ENCRYPTION_KEY_BUFFER_TOO_SMALL); return(ENCRYPTION_KEY_BUFFER_TOO_SMALL);
} }
memcpy(info->data, plaintext.GetUnderlyingData(), len); memcpy(info->data, plaintext.GetUnderlyingData(), len);
info->length= len; info->length= len;
DBUG_RETURN(0); return(0);
} }
/* Generate a new datakey and store it a file */ /* Generate a new datakey and store it a file */
static int aws_generate_datakey(uint keyid, uint version) static int aws_generate_datakey(uint keyid, uint version)
{ {
DBUG_ENTER("aws_generate_datakey");
GenerateDataKeyWithoutPlaintextRequest request; GenerateDataKeyWithoutPlaintextRequest request;
request.SetKeyId(master_key_id); request.SetKeyId(master_key_id);
request.SetKeySpec(DataKeySpecMapper::GetDataKeySpecForName(key_spec_names[key_spec])); request.SetKeySpec(DataKeySpecMapper::GetDataKeySpecForName(key_spec_names[key_spec]));
...@@ -398,7 +398,7 @@ static int aws_generate_datakey(uint keyid, uint version) ...@@ -398,7 +398,7 @@ static int aws_generate_datakey(uint keyid, uint version)
my_printf_error(ER_UNKNOWN_ERROR, "AWS KMS plugin : GenerateDataKeyWithoutPlaintext failed : %s - %s", ME_ERROR_LOG, my_printf_error(ER_UNKNOWN_ERROR, "AWS KMS plugin : GenerateDataKeyWithoutPlaintext failed : %s - %s", ME_ERROR_LOG,
outcome.GetError().GetExceptionName().c_str(), outcome.GetError().GetExceptionName().c_str(),
outcome.GetError().GetMessage().c_str()); outcome.GetError().GetMessage().c_str());
DBUG_RETURN(-1); return(-1);
} }
string out; string out;
...@@ -406,24 +406,24 @@ static int aws_generate_datakey(uint keyid, uint version) ...@@ -406,24 +406,24 @@ static int aws_generate_datakey(uint keyid, uint version)
Aws::Utils::ByteBuffer byteBuffer = outcome.GetResult().GetCiphertextBlob(); Aws::Utils::ByteBuffer byteBuffer = outcome.GetResult().GetCiphertextBlob();
format_keyfile_name(filename, sizeof(filename), keyid, version); format_keyfile_name(filename, sizeof(filename), keyid, version);
int fd= my_open(filename, O_RDWR | O_CREAT, 0); int fd= open(filename, O_WRONLY |O_CREAT|O_BINARY, IF_WIN(_S_IREAD, S_IRUSR| S_IRGRP| S_IROTH));
if (fd < 0) if (fd < 0)
{ {
my_printf_error(ER_UNKNOWN_ERROR, "AWS KMS plugin: Can't create file %s", ME_ERROR_LOG, filename); my_printf_error(ER_UNKNOWN_ERROR, "AWS KMS plugin: Can't create file %s", ME_ERROR_LOG, filename);
DBUG_RETURN(-1); return(-1);
} }
size_t len= byteBuffer.GetLength(); size_t len= byteBuffer.GetLength();
if (my_write(fd, byteBuffer.GetUnderlyingData(), len, 0) != len) if (write(fd, byteBuffer.GetUnderlyingData(), len) != len)
{ {
my_printf_error(ER_UNKNOWN_ERROR, "AWS KMS plugin: can't write to %s", ME_ERROR_LOG, filename); my_printf_error(ER_UNKNOWN_ERROR, "AWS KMS plugin: can't write to %s", ME_ERROR_LOG, filename);
my_close(fd, 0); close(fd);
my_delete(filename, 0); unlink(filename);
DBUG_RETURN(-1); return(-1);
} }
my_close(fd, 0); close(fd);
my_printf_error(ER_UNKNOWN_ERROR, "AWS KMS plugin: generated encrypted datakey for key id=%u, version=%u", ME_ERROR_LOG | ER_NOTE, my_printf_error(ER_UNKNOWN_ERROR, "AWS KMS plugin: generated encrypted datakey for key id=%u, version=%u", ME_ERROR_LOG | ER_NOTE,
keyid, version); keyid, version);
DBUG_RETURN(0); return(0);
} }
/* Key rotation for a single key */ /* Key rotation for a single key */
...@@ -479,7 +479,7 @@ static void update_rotate(MYSQL_THD, struct st_mysql_sys_var *, void *, const vo ...@@ -479,7 +479,7 @@ static void update_rotate(MYSQL_THD, struct st_mysql_sys_var *, void *, const vo
"aws_key_management_master_key_id must be set to generate new data keys", MYF(ME_JUST_WARNING)); "aws_key_management_master_key_id must be set to generate new data keys", MYF(ME_JUST_WARNING));
return; return;
} }
mysql_mutex_lock(&mtx); mtx.lock();
rotate_key= *(int *)val; rotate_key= *(int *)val;
switch (rotate_key) switch (rotate_key)
{ {
...@@ -493,7 +493,7 @@ static void update_rotate(MYSQL_THD, struct st_mysql_sys_var *, void *, const vo ...@@ -493,7 +493,7 @@ static void update_rotate(MYSQL_THD, struct st_mysql_sys_var *, void *, const vo
break; break;
} }
rotate_key= 0; rotate_key= 0;
mysql_mutex_unlock(&mtx); mtx.unlock();
} }
static unsigned int get_key( static unsigned int get_key(
...@@ -504,8 +504,7 @@ static unsigned int get_key( ...@@ -504,8 +504,7 @@ static unsigned int get_key(
{ {
KEY_INFO info; KEY_INFO info;
DBUG_ENTER("get_key"); mtx.lock();
mysql_mutex_lock(&mtx);
info= key_info_cache[KEY_ID_AND_VERSION(key_id, version)]; info= key_info_cache[KEY_ID_AND_VERSION(key_id, version)];
if (info.length == 0 && !info.load_failed) if (info.length == 0 && !info.load_failed)
{ {
...@@ -513,17 +512,17 @@ static unsigned int get_key( ...@@ -513,17 +512,17 @@ static unsigned int get_key(
info.key_version= version; info.key_version= version;
load_key(&info); load_key(&info);
} }
mysql_mutex_unlock(&mtx); mtx.unlock();
if (info.load_failed) if (info.load_failed)
DBUG_RETURN(ENCRYPTION_KEY_VERSION_INVALID); return(ENCRYPTION_KEY_VERSION_INVALID);
if (*buflen < info.length) if (*buflen < info.length)
{ {
*buflen= info.length; *buflen= info.length;
DBUG_RETURN(ENCRYPTION_KEY_BUFFER_TOO_SMALL); return(ENCRYPTION_KEY_BUFFER_TOO_SMALL);
} }
*buflen= info.length; *buflen= info.length;
memcpy(dstbuf, info.data, info.length); memcpy(dstbuf, info.data, info.length);
DBUG_RETURN(0); return(0);
} }
......
...@@ -13,7 +13,8 @@ ...@@ -13,7 +13,8 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
MYSQL_ADD_PLUGIN(daemon_example daemon_example.cc MYSQL_ADD_PLUGIN(daemon_example daemon_example.cc RECOMPILE_FOR_EMBEDDED
MODULE_ONLY MODULE_OUTPUT_NAME "libdaemon_example" COMPONENT Test) MODULE_ONLY MODULE_OUTPUT_NAME "libdaemon_example" COMPONENT Test)
INSTALL(FILES daemon_example.ini DESTINATION ${INSTALL_PLUGINDIR} COMPONENT Test) INSTALL(FILES daemon_example.ini DESTINATION ${INSTALL_PLUGINDIR}
COMPONENT Test)
...@@ -28,18 +28,24 @@ ...@@ -28,18 +28,24 @@
#include <my_global.h> #include <my_global.h>
#include <my_pthread.h> #include <my_pthread.h>
#include <mysql/plugin_encryption.h> #include <mysql/plugin_encryption.h>
#include <my_rnd.h>
#include <my_crypt.h> #include <my_crypt.h>
/* rotate key randomly between 45 and 90 seconds */ /* rotate key randomly between 45 and 90 seconds */
#define KEY_ROTATION_MIN 45 #define KEY_ROTATION_MIN 45
#define KEY_ROTATION_MAX 90 #define KEY_ROTATION_MAX 90
static struct my_rnd_struct seed;
static time_t key_version = 0; static time_t key_version = 0;
static time_t next_key_version = 0; static time_t next_key_version = 0;
static pthread_mutex_t mutex; static pthread_mutex_t mutex;
/* Random double value in 0..1 range */
static double double_rnd()
{
return ((double)rand()) / RAND_MAX;
}
static unsigned int static unsigned int
get_latest_key_version(unsigned int key_id) get_latest_key_version(unsigned int key_id)
{ {
...@@ -50,7 +56,7 @@ get_latest_key_version(unsigned int key_id) ...@@ -50,7 +56,7 @@ get_latest_key_version(unsigned int key_id)
key_version = now; key_version = now;
unsigned int interval = KEY_ROTATION_MAX - KEY_ROTATION_MIN; unsigned int interval = KEY_ROTATION_MAX - KEY_ROTATION_MIN;
next_key_version = (time_t) (now + KEY_ROTATION_MIN + next_key_version = (time_t) (now + KEY_ROTATION_MIN +
my_rnd(&seed) * interval); double_rnd() * interval);
} }
pthread_mutex_unlock(&mutex); pthread_mutex_unlock(&mutex);
...@@ -101,7 +107,6 @@ static unsigned int get_length(unsigned int slen, unsigned int key_id, ...@@ -101,7 +107,6 @@ static unsigned int get_length(unsigned int slen, unsigned int key_id,
static int example_key_management_plugin_init(void *p) static int example_key_management_plugin_init(void *p)
{ {
/* init */ /* init */
my_rnd_init(&seed, time(0), 0);
pthread_mutex_init(&mutex, NULL); pthread_mutex_init(&mutex, NULL);
get_latest_key_version(1); get_latest_key_version(1);
......
...@@ -66,22 +66,14 @@ static struct st_mysql_sys_var* settings[] = { ...@@ -66,22 +66,14 @@ static struct st_mysql_sys_var* settings[] = {
NULL NULL
}; };
Dynamic_array<keyentry> keys(static_cast<uint>(0)); std::map<unsigned int,keyentry> keys;
static keyentry *get_key(unsigned int key_id) static keyentry *get_key(unsigned int key_id)
{ {
keyentry *a= keys.front(), *b= keys.back() + 1, *c; keyentry &key= keys[key_id];
while (b - a > 1) if (key.id == 0)
{ return 0;
c= a + (b - a)/2; return &key;
if (c->id == key_id)
return c;
else if (c->id < key_id)
a= c;
else
b= c;
}
return a->id == key_id ? a : 0;
} }
/* the version is always the same, no automatic key rotation */ /* the version is always the same, no automatic key rotation */
......
...@@ -143,13 +143,13 @@ void Parser::bytes_to_key(const unsigned char *salt, const char *input, ...@@ -143,13 +143,13 @@ void Parser::bytes_to_key(const unsigned char *salt, const char *input,
} }
bool Parser::parse(Dynamic_array<keyentry> *keys) bool Parser::parse(std::map<uint,keyentry> *keys)
{ {
const char *secret= filekey; const char *secret= filekey;
char buf[MAX_SECRET_SIZE + 1]; char buf[MAX_SECRET_SIZE + 1];
//If secret starts with FILE: interpret the secret as a filename. //If secret starts with FILE: interpret the secret as a filename.
if (is_prefix(filekey, FILE_PREFIX)) if (strncmp(filekey, FILE_PREFIX,sizeof(FILE_PREFIX) -1) == 0)
{ {
if (read_filekey(filekey + sizeof(FILE_PREFIX) - 1, buf)) if (read_filekey(filekey + sizeof(FILE_PREFIX) - 1, buf))
return 1; return 1;
...@@ -166,22 +166,26 @@ bool Parser::parse(Dynamic_array<keyentry> *keys) ...@@ -166,22 +166,26 @@ bool Parser::parse(Dynamic_array<keyentry> *keys)
bool Parser::read_filekey(const char *filekey, char *secret) bool Parser::read_filekey(const char *filekey, char *secret)
{ {
int f= my_open(filekey, O_RDONLY, MYF(MY_WME)); int f= open(filekey, O_RDONLY|O_BINARY);
if (f == -1) if (f == -1)
{
my_error(EE_FILENOTFOUND,ME_ERROR_LOG, filekey, errno);
return 1; return 1;
int len= my_read(f, (uchar*)secret, MAX_SECRET_SIZE, MYF(MY_WME)); }
my_close(f, MYF(MY_WME));
int len= read(f, secret, MAX_SECRET_SIZE);
if (len <= 0) if (len <= 0)
{
my_error(EE_READ,ME_ERROR_LOG, filekey, errno);
close(f);
return 1; return 1;
}
close(f);
while (secret[len - 1] == '\r' || secret[len - 1] == '\n') len--; while (secret[len - 1] == '\r' || secret[len - 1] == '\n') len--;
secret[len]= '\0'; secret[len]= '\0';
return 0; return 0;
} }
static int sort_keys(const keyentry *k1, const keyentry *k2)
{
return k1->id < k2->id ? -1 : k1->id > k2->id;
}
/** /**
Get the keys from the key file <filename> and decrypt it with the Get the keys from the key file <filename> and decrypt it with the
...@@ -191,7 +195,7 @@ static int sort_keys(const keyentry *k1, const keyentry *k2) ...@@ -191,7 +195,7 @@ static int sort_keys(const keyentry *k1, const keyentry *k2)
@return 0 when ok, 1 for an error @return 0 when ok, 1 for an error
*/ */
bool Parser::parse_file(Dynamic_array<keyentry> *keys, const char *secret) bool Parser::parse_file(std::map<uint,keyentry> *keys, const char *secret)
{ {
char *buffer= read_and_decrypt_file(secret); char *buffer= read_and_decrypt_file(secret);
...@@ -208,19 +212,16 @@ bool Parser::parse_file(Dynamic_array<keyentry> *keys, const char *secret) ...@@ -208,19 +212,16 @@ bool Parser::parse_file(Dynamic_array<keyentry> *keys, const char *secret)
case 1: // comment case 1: // comment
break; break;
case -1: // error case -1: // error
my_free(buffer); free(buffer);
return 1; return 1;
case 0: case 0:
if (keys->push(key)) (*keys)[key.id] = key;
return 1;
break; break;
} }
} }
keys->sort(sort_keys); free(buffer);
my_free(buffer); if (keys->size() == 0 || (*keys)[1].id == 0)
if (keys->elements() == 0 || keys->at(0).id != 1)
{ {
report_error("System key id 1 is missing", 0); report_error("System key id 1 is missing", 0);
return 1; return 1;
...@@ -247,16 +248,25 @@ int Parser::parse_line(char **line_ptr, keyentry *key) ...@@ -247,16 +248,25 @@ int Parser::parse_line(char **line_ptr, keyentry *key)
while (isspace(*p) && *p != '\n') p++; while (isspace(*p) && *p != '\n') p++;
if (*p != '#' && *p != '\n') if (*p != '#' && *p != '\n')
{ {
int error; if (!isdigit(*p))
p+= 100; // the number will surely end here (on a non-digit or with an overflow)
longlong id= my_strtoll10(p - 100, &p, &error);
if (error)
{ {
report_error("Syntax error", p - *line_ptr); report_error("Syntax error", p - *line_ptr);
return -1; return -1;
} }
if (id < 1 || id > UINT_MAX32) longlong id = 0;
while (isdigit(*p))
{
id = id * 10 + *p - '0';
if (id > UINT_MAX32)
{
report_error("Invalid key id", p - *line_ptr);
return -1;
}
p++;
}
if (id < 1)
{ {
report_error("Invalid key id", p - *line_ptr); report_error("Invalid key id", p - *line_ptr);
return -1; return -1;
...@@ -269,7 +279,7 @@ int Parser::parse_line(char **line_ptr, keyentry *key) ...@@ -269,7 +279,7 @@ int Parser::parse_line(char **line_ptr, keyentry *key)
} }
p++; p++;
key->id= id; key->id= (unsigned int)id;
key->length=0; key->length=0;
while (isxdigit(p[0]) && isxdigit(p[1]) && key->length < sizeof(key->key)) while (isxdigit(p[0]) && isxdigit(p[1]) && key->length < sizeof(key->key))
{ {
...@@ -295,9 +305,13 @@ int Parser::parse_line(char **line_ptr, keyentry *key) ...@@ -295,9 +305,13 @@ int Parser::parse_line(char **line_ptr, keyentry *key)
'secret'. Store the content of the decrypted file in 'buffer'. The 'secret'. Store the content of the decrypted file in 'buffer'. The
buffer has to be freed in the calling function. buffer has to be freed in the calling function.
*/ */
#ifdef _WIN32
#define lseek _lseeki64
#endif
char* Parser::read_and_decrypt_file(const char *secret) char* Parser::read_and_decrypt_file(const char *secret)
{ {
int f;
if (!filename || !filename[0]) if (!filename || !filename[0])
{ {
my_printf_error(EE_CANT_OPEN_STREAM, "file-key-management-filename is not set", my_printf_error(EE_CANT_OPEN_STREAM, "file-key-management-filename is not set",
...@@ -305,15 +319,21 @@ char* Parser::read_and_decrypt_file(const char *secret) ...@@ -305,15 +319,21 @@ char* Parser::read_and_decrypt_file(const char *secret)
goto err0; goto err0;
} }
int f; f= open(filename, O_RDONLY|O_BINARY, 0);
if ((f= my_open(filename, O_RDONLY, MYF(MY_WME))) < 0) if (f < 0)
{
my_error(EE_FILENOTFOUND, ME_ERROR_LOG, filename, errno);
goto err0; goto err0;
}
my_off_t file_size; my_off_t file_size;
file_size= my_seek(f, 0, SEEK_END, MYF(MY_WME)); file_size= lseek(f, 0, SEEK_END);
if (file_size == MY_FILEPOS_ERROR) if (file_size == MY_FILEPOS_ERROR || (my_off_t)lseek(f, 0, SEEK_SET) == MY_FILEPOS_ERROR)
{
my_error(EE_CANT_SEEK, MYF(0), filename, errno);
goto err1; goto err1;
}
if (file_size > MAX_KEY_FILE_SIZE) if (file_size > MAX_KEY_FILE_SIZE)
{ {
...@@ -323,29 +343,39 @@ char* Parser::read_and_decrypt_file(const char *secret) ...@@ -323,29 +343,39 @@ char* Parser::read_and_decrypt_file(const char *secret)
//Read file into buffer //Read file into buffer
uchar *buffer; uchar *buffer;
buffer= (uchar*)my_malloc(file_size + 1, MYF(MY_WME)); buffer= (uchar*)malloc((size_t)file_size + 1);
if (!buffer) if (!buffer)
{
my_error(EE_OUTOFMEMORY, ME_ERROR_LOG| ME_FATAL, file_size);
goto err1; goto err1;
}
if (my_pread(f, buffer, file_size, 0, MYF(MY_WME)) != file_size) if (read(f, buffer, (int)file_size) != (int)file_size)
{
my_printf_error(EE_READ,
"read from %s failed, errno %d",
MYF(ME_ERROR_LOG|ME_FATAL), filename, errno);
goto err2; goto err2;
}
// Check for file encryption // Check for file encryption
uchar *decrypted; uchar *decrypted;
if (file_size > OpenSSL_prefix_len && is_prefix((char*)buffer, OpenSSL_prefix)) if (file_size > OpenSSL_prefix_len && strncmp((char*)buffer, OpenSSL_prefix, OpenSSL_prefix_len) == 0)
{ {
uchar key[OpenSSL_key_len]; uchar key[OpenSSL_key_len];
uchar iv[OpenSSL_iv_len]; uchar iv[OpenSSL_iv_len];
decrypted= (uchar*)my_malloc(file_size, MYF(MY_WME)); decrypted= (uchar*)malloc((size_t)file_size);
if (!decrypted) if (!decrypted)
{
my_error(EE_OUTOFMEMORY, ME_ERROR_LOG | ME_FATAL, file_size);
goto err2; goto err2;
}
bytes_to_key(buffer + OpenSSL_prefix_len, secret, key, iv); bytes_to_key(buffer + OpenSSL_prefix_len, secret, key, iv);
uint32 d_size; uint32 d_size;
if (my_aes_crypt(MY_AES_CBC, ENCRYPTION_FLAG_DECRYPT, if (my_aes_crypt(MY_AES_CBC, ENCRYPTION_FLAG_DECRYPT,
buffer + OpenSSL_prefix_len + OpenSSL_salt_len, buffer + OpenSSL_prefix_len + OpenSSL_salt_len,
file_size - OpenSSL_prefix_len - OpenSSL_salt_len, (unsigned int)file_size - OpenSSL_prefix_len - OpenSSL_salt_len,
decrypted, &d_size, key, OpenSSL_key_len, decrypted, &d_size, key, OpenSSL_key_len,
iv, OpenSSL_iv_len)) iv, OpenSSL_iv_len))
...@@ -354,7 +384,7 @@ char* Parser::read_and_decrypt_file(const char *secret) ...@@ -354,7 +384,7 @@ char* Parser::read_and_decrypt_file(const char *secret)
goto err3; goto err3;
} }
my_free(buffer); free(buffer);
buffer= decrypted; buffer= decrypted;
file_size= d_size; file_size= d_size;
} }
...@@ -365,15 +395,15 @@ char* Parser::read_and_decrypt_file(const char *secret) ...@@ -365,15 +395,15 @@ char* Parser::read_and_decrypt_file(const char *secret)
} }
buffer[file_size]= '\0'; buffer[file_size]= '\0';
my_close(f, MYF(MY_WME)); close(f);
return (char*) buffer; return (char*) buffer;
err3: err3:
my_free(decrypted); free(decrypted);
err2: err2:
my_free(buffer); free(buffer);
err1: err1:
my_close(f, MYF(MY_WME)); close(f);
err0: err0:
return NULL; return NULL;
} }
...@@ -22,7 +22,7 @@ Created 09/15/2014 ...@@ -22,7 +22,7 @@ Created 09/15/2014
#include <my_crypt.h> #include <my_crypt.h>
#include <ctype.h> #include <ctype.h>
#include <sql_array.h> #include <map>
struct keyentry { struct keyentry {
unsigned int id; unsigned int id;
...@@ -42,7 +42,7 @@ class Parser ...@@ -42,7 +42,7 @@ class Parser
void bytes_to_key(const unsigned char *salt, const char *secret, void bytes_to_key(const unsigned char *salt, const char *secret,
unsigned char *key, unsigned char *iv); unsigned char *key, unsigned char *iv);
bool read_filekey(const char *filekey, char *secret); bool read_filekey(const char *filekey, char *secret);
bool parse_file(Dynamic_array<keyentry> *keys, const char *secret); bool parse_file(std::map<unsigned int ,keyentry> *keys, const char *secret);
void report_error(const char *reason, unsigned int position); void report_error(const char *reason, unsigned int position);
int parse_line(char **line_ptr, keyentry *key); int parse_line(char **line_ptr, keyentry *key);
char* read_and_decrypt_file(const char *secret); char* read_and_decrypt_file(const char *secret);
...@@ -50,5 +50,5 @@ class Parser ...@@ -50,5 +50,5 @@ class Parser
public: public:
Parser(const char* fn, const char *fk) : Parser(const char* fn, const char *fk) :
filename(fn), filekey(fk), line_number(0) { } filename(fn), filekey(fk), line_number(0) { }
bool parse(Dynamic_array<keyentry> *keys); bool parse(std::map<unsigned int ,keyentry> *keys);
}; };
...@@ -34,6 +34,6 @@ SET(HANDLERSOCKET_SOURCES ...@@ -34,6 +34,6 @@ SET(HANDLERSOCKET_SOURCES
MYSQL_ADD_PLUGIN(handlersocket MYSQL_ADD_PLUGIN(handlersocket
${HANDLERSOCKET_SOURCES} ${HANDLERSOCKET_SOURCES}
MODULE_ONLY COMPONENT Server MODULE_ONLY COMPONENT Server
LINK_LIBRARIES hsclient LINK_LIBRARIES hsclient RECOMPILE_FOR_EMBEDDED
) )
INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/sql ${CMAKE_SOURCE_DIR}/regex INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/sql ${CMAKE_SOURCE_DIR}/regex
${CMAKE_SOURCE_DIR}/extra/yassl/include) ${CMAKE_SOURCE_DIR}/extra/yassl/include)
MYSQL_ADD_PLUGIN(LOCALES locale_info.cc) MYSQL_ADD_PLUGIN(LOCALES locale_info.cc RECOMPILE_FOR_EMBEDDED)
SET(METADATA_LOCK_INFO_SOURCES metadata_lock_info.cc) SET(METADATA_LOCK_INFO_SOURCES metadata_lock_info.cc)
MYSQL_ADD_PLUGIN(metadata_lock_info ${METADATA_LOCK_INFO_SOURCES} MODULE_OUTPUT_NAME "metadata_lock_info") MYSQL_ADD_PLUGIN(metadata_lock_info ${METADATA_LOCK_INFO_SOURCES}
RECOMPILE_FOR_EMBEDDED)
...@@ -2,4 +2,4 @@ INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/sql ...@@ -2,4 +2,4 @@ INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/sql
${PCRE_INCLUDES} ${PCRE_INCLUDES}
${CMAKE_SOURCE_DIR}/extra/yassl/include) ${CMAKE_SOURCE_DIR}/extra/yassl/include)
MYSQL_ADD_PLUGIN(QUERY_CACHE_INFO qc_info.cc) MYSQL_ADD_PLUGIN(QUERY_CACHE_INFO qc_info.cc RECOMPILE_FOR_EMBEDDED)
ADD_DEFINITIONS(-DHAVE_RESPONSE_TIME_DISTRIBUTION) ADD_DEFINITIONS(-DHAVE_RESPONSE_TIME_DISTRIBUTION)
MYSQL_ADD_PLUGIN(QUERY_RESPONSE_TIME query_response_time.cc plugin.cc) MYSQL_ADD_PLUGIN(QUERY_RESPONSE_TIME query_response_time.cc plugin.cc
RECOMPILE_FOR_EMBEDDED)
...@@ -17,10 +17,12 @@ SET(SEMISYNC_MASTER_SOURCES ...@@ -17,10 +17,12 @@ SET(SEMISYNC_MASTER_SOURCES
semisync.cc semisync_master.cc semisync_master_plugin.cc semisync.cc semisync_master.cc semisync_master_plugin.cc
semisync.h semisync_master.h) semisync.h semisync_master.h)
MYSQL_ADD_PLUGIN(semisync_master ${SEMISYNC_MASTER_SOURCES}) MYSQL_ADD_PLUGIN(semisync_master ${SEMISYNC_MASTER_SOURCES}
RECOMPILE_FOR_EMBEDDED)
SET(SEMISYNC_SLAVE_SOURCES semisync.cc semisync_slave.cc SET(SEMISYNC_SLAVE_SOURCES semisync.cc semisync_slave.cc
semisync_slave_plugin.cc semisync.h semisync_slave.h ) semisync_slave_plugin.cc semisync.h semisync_slave.h )
MYSQL_ADD_PLUGIN(semisync_slave ${SEMISYNC_SLAVE_SOURCES}) MYSQL_ADD_PLUGIN(semisync_slave ${SEMISYNC_SLAVE_SOURCES}
RECOMPILE_FOR_EMBEDDED)
...@@ -13,7 +13,6 @@ ...@@ -13,7 +13,6 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA
SET(SERVER_AUDIT_SOURCES SET(SOURCES server_audit.c test_audit_v4.c plugin_audit_v4.h)
server_audit.c test_audit_v4.c plugin_audit_v4.h)
MYSQL_ADD_PLUGIN(server_audit ${SERVER_AUDIT_SOURCES} MODULE_ONLY) MYSQL_ADD_PLUGIN(server_audit ${SOURCES} MODULE_ONLY RECOMPILE_FOR_EMBEDDED)
IF (WITH_WSREP) IF (WITH_WSREP)
INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/sql INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/sql
${CMAKE_SOURCE_DIR}/wsrep) ${CMAKE_SOURCE_DIR}/wsrep)
MYSQL_ADD_PLUGIN(WSREP_INFO plugin.cc MODULE_ONLY) MYSQL_ADD_PLUGIN(WSREP_INFO plugin.cc MODULE_ONLY RECOMPILE_FOR_EMBEDDED)
ENDIF() ENDIF()
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment