2015-03-26 17:16:37 +01:00
|
|
|
/*
|
|
|
|
|
Copyright (c) 2014 Google Inc.
|
|
|
|
|
Copyright (c) 2014, 2015 MariaDB Corporation
|
|
|
|
|
|
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation; version 2 of the License.
|
|
|
|
|
|
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
along with this program; if not, write to the Free Software
|
|
|
|
|
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
Example key management plugin. It demonstrates how to return
|
|
|
|
|
keys on request, how to change them. That the engine can have
|
|
|
|
|
different pages in the same tablespace encrypted with different keys
|
|
|
|
|
and what the background re-encryption thread does.
|
|
|
|
|
|
|
|
|
|
THIS IS AN EXAMPLE ONLY! ENCRYPTION KEYS ARE HARD-CODED AND *NOT* SECRET!
|
|
|
|
|
DO NOT USE THIS PLUGIN IN PRODUCTION! EVER!
|
|
|
|
|
*/
|
2014-12-22 15:53:17 +01:00
|
|
|
|
|
|
|
|
#include <my_global.h>
|
|
|
|
|
#include <my_pthread.h>
|
2015-03-27 09:45:22 +01:00
|
|
|
#include <mysql/plugin_encryption.h>
|
2014-12-22 15:53:17 +01:00
|
|
|
#include <my_rnd.h>
|
2015-03-31 19:32:35 +02:00
|
|
|
#include <my_crypt.h>
|
2014-12-22 15:53:17 +01:00
|
|
|
|
|
|
|
|
/* rotate key randomly between 45 and 90 seconds */
|
|
|
|
|
#define KEY_ROTATION_MIN 45
|
|
|
|
|
#define KEY_ROTATION_MAX 90
|
|
|
|
|
|
|
|
|
|
static struct my_rnd_struct seed;
|
|
|
|
|
static unsigned int key_version = 0;
|
|
|
|
|
static unsigned int next_key_version = 0;
|
|
|
|
|
static pthread_mutex_t mutex;
|
|
|
|
|
|
2015-01-05 13:36:14 +01:00
|
|
|
static unsigned int
|
2014-12-22 15:53:17 +01:00
|
|
|
get_latest_key_version()
|
|
|
|
|
{
|
|
|
|
|
uint now = time(0);
|
|
|
|
|
pthread_mutex_lock(&mutex);
|
|
|
|
|
if (now >= next_key_version)
|
|
|
|
|
{
|
|
|
|
|
key_version = now;
|
|
|
|
|
unsigned int interval = KEY_ROTATION_MAX - KEY_ROTATION_MIN;
|
|
|
|
|
next_key_version = now + KEY_ROTATION_MIN + my_rnd(&seed) * interval;
|
|
|
|
|
}
|
|
|
|
|
pthread_mutex_unlock(&mutex);
|
|
|
|
|
|
|
|
|
|
return key_version;
|
|
|
|
|
}
|
|
|
|
|
|
2015-03-31 19:00:51 +02:00
|
|
|
static unsigned int
|
|
|
|
|
get_key(unsigned int version, unsigned char* dstbuf, unsigned *buflen)
|
2014-12-22 15:53:17 +01:00
|
|
|
{
|
2015-03-31 19:32:35 +02:00
|
|
|
if (*buflen < MY_MD5_HASH_SIZE)
|
2014-12-22 15:53:17 +01:00
|
|
|
{
|
2015-03-31 19:32:35 +02:00
|
|
|
*buflen= MY_MD5_HASH_SIZE;
|
2015-04-01 21:25:02 +02:00
|
|
|
return ENCRYPTION_KEY_BUFFER_TOO_SMALL;
|
2014-12-22 15:53:17 +01:00
|
|
|
}
|
2015-03-31 19:32:35 +02:00
|
|
|
*buflen= MY_MD5_HASH_SIZE;
|
2015-03-31 19:00:51 +02:00
|
|
|
if (!dstbuf)
|
|
|
|
|
return 0;
|
2014-12-22 15:53:17 +01:00
|
|
|
|
2015-03-31 19:00:51 +02:00
|
|
|
my_md5(dstbuf, (const char*)&version, sizeof(version));
|
2014-12-22 15:53:17 +01:00
|
|
|
|
2015-03-31 19:00:51 +02:00
|
|
|
return 0;
|
2014-12-22 15:53:17 +01:00
|
|
|
}
|
|
|
|
|
|
2015-03-31 19:32:35 +02:00
|
|
|
/*
|
|
|
|
|
for the sake of an example, let's use different encryption algorithms/modes
|
|
|
|
|
for different keys.
|
|
|
|
|
*/
|
|
|
|
|
int encrypt(const unsigned char* src, unsigned int slen,
|
|
|
|
|
unsigned char* dst, unsigned int* dlen,
|
|
|
|
|
const unsigned char* key, unsigned int klen,
|
|
|
|
|
const unsigned char* iv, unsigned int ivlen,
|
|
|
|
|
int no_padding, unsigned int key_version)
|
|
|
|
|
{
|
|
|
|
|
return ((key_version & 1) ? my_aes_encrypt_cbc : my_aes_encrypt_ecb)
|
|
|
|
|
(src, slen, dst, dlen, key, klen, iv, ivlen, no_padding);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int decrypt(const unsigned char* src, unsigned int slen,
|
|
|
|
|
unsigned char* dst, unsigned int* dlen,
|
|
|
|
|
const unsigned char* key, unsigned int klen,
|
|
|
|
|
const unsigned char* iv, unsigned int ivlen,
|
|
|
|
|
int no_padding, unsigned int key_version)
|
|
|
|
|
{
|
|
|
|
|
return ((key_version & 1) ? my_aes_decrypt_cbc : my_aes_decrypt_ecb)
|
|
|
|
|
(src, slen, dst, dlen, key, klen, iv, ivlen, no_padding);
|
|
|
|
|
}
|
|
|
|
|
|
2014-12-22 15:53:17 +01:00
|
|
|
static int example_key_management_plugin_init(void *p)
|
|
|
|
|
{
|
|
|
|
|
/* init */
|
|
|
|
|
my_rnd_init(&seed, time(0), 0);
|
|
|
|
|
get_latest_key_version();
|
|
|
|
|
pthread_mutex_init(&mutex, NULL);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int example_key_management_plugin_deinit(void *p)
|
|
|
|
|
{
|
|
|
|
|
pthread_mutex_destroy(&mutex);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2015-03-27 09:45:22 +01:00
|
|
|
struct st_mariadb_encryption example_key_management_plugin= {
|
|
|
|
|
MariaDB_ENCRYPTION_INTERFACE_VERSION,
|
2015-01-05 13:36:14 +01:00
|
|
|
get_latest_key_version,
|
2015-03-31 19:32:35 +02:00
|
|
|
get_key,
|
|
|
|
|
encrypt,
|
|
|
|
|
decrypt
|
2014-12-22 15:53:17 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
Plugin library descriptor
|
|
|
|
|
*/
|
2015-03-27 15:58:02 +01:00
|
|
|
maria_declare_plugin(example_key_management)
|
2014-12-22 15:53:17 +01:00
|
|
|
{
|
2015-03-27 09:45:22 +01:00
|
|
|
MariaDB_ENCRYPTION_PLUGIN,
|
2014-12-22 15:53:17 +01:00
|
|
|
&example_key_management_plugin,
|
2015-03-27 15:58:02 +01:00
|
|
|
"example_key_management",
|
2014-12-22 15:53:17 +01:00
|
|
|
"Jonas Oreland",
|
|
|
|
|
"Example key management plugin",
|
|
|
|
|
PLUGIN_LICENSE_GPL,
|
|
|
|
|
example_key_management_plugin_init,
|
|
|
|
|
example_key_management_plugin_deinit,
|
|
|
|
|
0x0100 /* 1.0 */,
|
|
|
|
|
NULL, /* status variables */
|
|
|
|
|
NULL, /* system variables */
|
|
|
|
|
"1.0",
|
2015-01-05 13:36:14 +01:00
|
|
|
MariaDB_PLUGIN_MATURITY_EXPERIMENTAL
|
2014-12-22 15:53:17 +01:00
|
|
|
}
|
|
|
|
|
maria_declare_plugin_end;
|
