1/* Copyright (C) 2015 MariaDB
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 of the License.
6
7 This program is distributed in the hope that it will be useful,
8 but WITHOUT ANY WARRANTY; without even the implied warranty of
9 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 GNU General Public License for more details.
11
12 You should have received a copy of the GNU General Public License
13 along with this program; if not, write to the Free Software
14 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
15
16#include "mariadb.h"
17#include <mysql/plugin_encryption.h>
18#include "log.h"
19#include "sql_plugin.h"
20#include <my_crypt.h>
21
22/* there can be only one encryption plugin enabled */
23static plugin_ref encryption_manager= 0;
24struct encryption_service_st encryption_handler;
25
26extern "C" {
27
28uint no_key(uint)
29{
30 return ENCRYPTION_KEY_VERSION_INVALID;
31}
32uint zero_size(uint,uint)
33{
34 return 0;
35}
36
37static int ctx_init(void *ctx, const unsigned char* key, unsigned int klen,
38 const unsigned char* iv, unsigned int ivlen, int flags,
39 unsigned int key_id, unsigned int key_version)
40{
41 return my_aes_crypt_init(ctx, MY_AES_CBC, flags, key, klen, iv, ivlen);
42}
43
44static unsigned int get_length(unsigned int slen, unsigned int key_id,
45 unsigned int key_version)
46{
47 return my_aes_get_size(MY_AES_CBC, slen);
48}
49
50} /* extern "C" */
51
52int initialize_encryption_plugin(st_plugin_int *plugin)
53{
54 if (encryption_manager)
55 return 1;
56
57 if (plugin->plugin->init && plugin->plugin->init(plugin))
58 {
59 sql_print_error("Plugin '%s' init function returned error.",
60 plugin->name.str);
61 return 1;
62 }
63
64 encryption_manager= plugin_lock(NULL, plugin_int_to_ref(plugin));
65 st_mariadb_encryption *handle=
66 (struct st_mariadb_encryption*) plugin->plugin->info;
67
68 /*
69 Copmiler on Spark doesn't like the '?' operator here as it
70 belives the (uint (*)...) implies the C++ call model.
71 */
72 if (handle->crypt_ctx_size)
73 encryption_handler.encryption_ctx_size_func= handle->crypt_ctx_size;
74 else
75 encryption_handler.encryption_ctx_size_func=
76 (uint (*)(unsigned int, unsigned int))my_aes_ctx_size;
77
78 encryption_handler.encryption_ctx_init_func=
79 handle->crypt_ctx_init ? handle->crypt_ctx_init : ctx_init;
80
81 encryption_handler.encryption_ctx_update_func=
82 handle->crypt_ctx_update ? handle->crypt_ctx_update : my_aes_crypt_update;
83
84 encryption_handler.encryption_ctx_finish_func=
85 handle->crypt_ctx_finish ? handle->crypt_ctx_finish : my_aes_crypt_finish;
86
87 encryption_handler.encryption_encrypted_length_func=
88 handle->encrypted_length ? handle->encrypted_length : get_length;
89
90 encryption_handler.encryption_key_get_func=
91 handle->get_key;
92
93 encryption_handler.encryption_key_get_latest_version_func=
94 handle->get_latest_key_version; // must be the last
95
96 return 0;
97}
98
99int finalize_encryption_plugin(st_plugin_int *plugin)
100{
101 bool used= plugin_ref_to_int(encryption_manager) == plugin;
102
103 if (used)
104 {
105 encryption_handler.encryption_key_get_func=
106 (uint (*)(uint, uint, uchar*, uint*))no_key;
107 encryption_handler.encryption_key_get_latest_version_func= no_key;
108 encryption_handler.encryption_ctx_size_func= zero_size;
109 }
110
111 if (plugin && plugin->plugin->deinit && plugin->plugin->deinit(NULL))
112 {
113 DBUG_PRINT("warning", ("Plugin '%s' deinit function returned error.",
114 plugin->name.str));
115 }
116
117 if (used)
118 {
119 plugin_unlock(NULL, encryption_manager);
120 encryption_manager= 0;
121 }
122 return 0;
123}
124
125/******************************************************************
126 Encryption Scheme service
127******************************************************************/
128static uint scheme_get_key(st_encryption_scheme *scheme,
129 st_encryption_scheme_key *key)
130{
131 if (scheme->locker)
132 scheme->locker(scheme, 0);
133
134 // Check if we already have key
135 for (uint i = 0; i < array_elements(scheme->key); i++)
136 {
137 if (scheme->key[i].version == 0) // no more keys
138 break;
139
140 if (scheme->key[i].version == key->version)
141 {
142 *key= scheme->key[i];
143 if (scheme->locker)
144 scheme->locker(scheme, 1);
145 return 0;
146 }
147 }
148
149 // Not found!
150 scheme->keyserver_requests++;
151
152 uchar global_key[MY_AES_MAX_KEY_LENGTH];
153 uint global_key_len= sizeof(global_key), key_len;
154
155 uint rc = encryption_key_get(scheme->key_id, key->version,
156 global_key, & global_key_len);
157 if (rc)
158 goto ret;
159
160 /* Now generate the local key by encrypting IV using the global key */
161 rc = my_aes_crypt(MY_AES_ECB, ENCRYPTION_FLAG_ENCRYPT | ENCRYPTION_FLAG_NOPAD,
162 scheme->iv, sizeof(scheme->iv), key->key, &key_len,
163 global_key, global_key_len, NULL, 0);
164
165 DBUG_ASSERT(key_len == sizeof(key->key));
166
167 if (rc)
168 goto ret;
169
170 // Rotate keys to make room for a new
171 for (uint i = array_elements(scheme->key) - 1; i; i--)
172 scheme->key[i] = scheme->key[i - 1];
173
174 scheme->key[0]= *key;
175
176ret:
177 if (scheme->locker)
178 scheme->locker(scheme, 1);
179 return rc;
180}
181
182int do_crypt(const unsigned char* src, unsigned int slen,
183 unsigned char* dst, unsigned int* dlen,
184 struct st_encryption_scheme *scheme,
185 unsigned int key_version, unsigned int i32_1,
186 unsigned int i32_2, unsigned long long i64,
187 int flag)
188{
189 compile_time_assert(ENCRYPTION_SCHEME_KEY_INVALID ==
190 (int)ENCRYPTION_KEY_VERSION_INVALID);
191
192 // Maybe temporal solution for MDEV-8173
193 // Rationale: scheme->type is currently global/object
194 // and when used here might not represent actual state
195 // of smaller granularity objects e.g. InnoDB page state
196 // as type is stored to tablespace (FIL) and could represent
197 // state where key rotation is trying to reach
198 //DBUG_ASSERT(scheme->type == 1);
199
200 if (key_version == ENCRYPTION_KEY_VERSION_INVALID ||
201 key_version == ENCRYPTION_KEY_NOT_ENCRYPTED)
202 return ENCRYPTION_SCHEME_KEY_INVALID;
203
204 st_encryption_scheme_key key;
205 key.version= key_version;
206 uint rc= scheme_get_key(scheme, &key);
207 if (rc)
208 return (int)rc;
209
210 unsigned char iv[4 + 4 + 8];
211 int4store(iv + 0, i32_1);
212 int4store(iv + 4, i32_2);
213 int8store(iv + 8, i64);
214
215 return encryption_crypt(src, slen, dst, dlen, key.key, sizeof(key.key),
216 iv, sizeof(iv), flag, scheme->key_id, key_version);
217}
218
219int encryption_scheme_encrypt(const unsigned char* src, unsigned int slen,
220 unsigned char* dst, unsigned int* dlen,
221 struct st_encryption_scheme *scheme,
222 unsigned int key_version, unsigned int i32_1,
223 unsigned int i32_2, unsigned long long i64)
224{
225 return do_crypt(src, slen, dst, dlen, scheme, key_version, i32_1,
226 i32_2, i64, ENCRYPTION_FLAG_NOPAD | ENCRYPTION_FLAG_ENCRYPT);
227}
228
229
230int encryption_scheme_decrypt(const unsigned char* src, unsigned int slen,
231 unsigned char* dst, unsigned int* dlen,
232 struct st_encryption_scheme *scheme,
233 unsigned int key_version, unsigned int i32_1,
234 unsigned int i32_2, unsigned long long i64)
235{
236 return do_crypt(src, slen, dst, dlen, scheme, key_version, i32_1,
237 i32_2, i64, ENCRYPTION_FLAG_NOPAD | ENCRYPTION_FLAG_DECRYPT);
238}
239