2015-03-26 17:16:37 +01:00
|
|
|
/*
|
|
|
|
Copyright (c) 2014 Google Inc.
|
|
|
|
Copyright (c) 2014, 2015 MariaDB Corporation
|
|
|
|
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
the Free Software Foundation; version 2 of the License.
|
|
|
|
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
along with this program; if not, write to the Free Software
|
|
|
|
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
|
|
|
|
|
|
|
|
/**
|
|
|
|
Example key management plugin. It demonstrates how to return
|
|
|
|
keys on request, how to change them. That the engine can have
|
|
|
|
different pages in the same tablespace encrypted with different keys
|
|
|
|
and what the background re-encryption thread does.
|
|
|
|
|
|
|
|
THIS IS AN EXAMPLE ONLY! ENCRYPTION KEYS ARE HARD-CODED AND *NOT* SECRET!
|
|
|
|
DO NOT USE THIS PLUGIN IN PRODUCTION! EVER!
|
|
|
|
*/
|
2014-12-22 15:53:17 +01:00
|
|
|
|
|
|
|
#include <my_global.h>
|
|
|
|
#include <my_pthread.h>
|
2015-03-27 09:45:22 +01:00
|
|
|
#include <mysql/plugin_encryption.h>
|
2015-03-31 19:32:35 +02:00
|
|
|
#include <my_crypt.h>
|
2014-12-22 15:53:17 +01:00
|
|
|
|
|
|
|
/* rotate key randomly between 45 and 90 seconds */
|
|
|
|
#define KEY_ROTATION_MIN 45
|
|
|
|
#define KEY_ROTATION_MAX 90
|
|
|
|
|
2015-11-20 09:00:06 +01:00
|
|
|
static time_t key_version = 0;
|
|
|
|
static time_t next_key_version = 0;
|
2014-12-22 15:53:17 +01:00
|
|
|
static pthread_mutex_t mutex;
|
|
|
|
|
2017-04-25 15:44:18 +02:00
|
|
|
|
|
|
|
/* Random double value in 0..1 range */
|
|
|
|
static double double_rnd()
|
|
|
|
{
|
|
|
|
return ((double)rand()) / RAND_MAX;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2015-01-05 13:36:14 +01:00
|
|
|
static unsigned int
|
2015-04-09 00:37:47 +02:00
|
|
|
get_latest_key_version(unsigned int key_id)
|
2014-12-22 15:53:17 +01:00
|
|
|
{
|
2015-11-20 09:00:06 +01:00
|
|
|
time_t now = time(0);
|
2014-12-22 15:53:17 +01:00
|
|
|
pthread_mutex_lock(&mutex);
|
|
|
|
if (now >= next_key_version)
|
|
|
|
{
|
|
|
|
key_version = now;
|
|
|
|
unsigned int interval = KEY_ROTATION_MAX - KEY_ROTATION_MIN;
|
2015-11-20 09:00:06 +01:00
|
|
|
next_key_version = (time_t) (now + KEY_ROTATION_MIN +
|
2017-04-25 15:44:18 +02:00
|
|
|
double_rnd() * interval);
|
2014-12-22 15:53:17 +01:00
|
|
|
}
|
|
|
|
pthread_mutex_unlock(&mutex);
|
|
|
|
|
2015-11-20 09:00:06 +01:00
|
|
|
return (unsigned int) key_version;
|
2014-12-22 15:53:17 +01:00
|
|
|
}
|
|
|
|
|
2015-03-31 19:00:51 +02:00
|
|
|
static unsigned int
|
2015-04-09 00:37:47 +02:00
|
|
|
get_key(unsigned int key_id, unsigned int version,
|
|
|
|
unsigned char* dstbuf, unsigned *buflen)
|
2014-12-22 15:53:17 +01:00
|
|
|
{
|
2015-03-31 19:32:35 +02:00
|
|
|
if (*buflen < MY_MD5_HASH_SIZE)
|
2014-12-22 15:53:17 +01:00
|
|
|
{
|
2015-03-31 19:32:35 +02:00
|
|
|
*buflen= MY_MD5_HASH_SIZE;
|
2015-04-01 21:25:02 +02:00
|
|
|
return ENCRYPTION_KEY_BUFFER_TOO_SMALL;
|
2014-12-22 15:53:17 +01:00
|
|
|
}
|
2015-03-31 19:32:35 +02:00
|
|
|
*buflen= MY_MD5_HASH_SIZE;
|
2015-03-31 19:00:51 +02:00
|
|
|
if (!dstbuf)
|
|
|
|
return 0;
|
2014-12-22 15:53:17 +01:00
|
|
|
|
2015-05-11 14:21:44 +02:00
|
|
|
my_md5_multi(dstbuf, (const char*)&key_id, sizeof(key_id),
|
|
|
|
(const char*)&version, sizeof(version), NULL);
|
2014-12-22 15:53:17 +01:00
|
|
|
|
2015-03-31 19:00:51 +02:00
|
|
|
return 0;
|
2014-12-22 15:53:17 +01:00
|
|
|
}
|
|
|
|
|
2015-03-31 19:32:35 +02:00
|
|
|
/*
|
|
|
|
for the sake of an example, let's use different encryption algorithms/modes
|
2015-09-04 10:32:52 +02:00
|
|
|
for different keys versions:
|
2015-03-31 19:32:35 +02:00
|
|
|
*/
|
2015-09-04 10:32:52 +02:00
|
|
|
static inline enum my_aes_mode mode(unsigned int key_version)
|
2015-03-31 19:32:35 +02:00
|
|
|
{
|
2015-09-04 10:32:52 +02:00
|
|
|
return key_version & 1 ? MY_AES_ECB : MY_AES_CBC;
|
2015-03-31 19:32:35 +02:00
|
|
|
}
|
|
|
|
|
2015-09-04 10:32:52 +02:00
|
|
|
int ctx_init(void *ctx, const unsigned char* key, unsigned int klen, const
|
|
|
|
unsigned char* iv, unsigned int ivlen, int flags, unsigned int
|
|
|
|
key_id, unsigned int key_version)
|
2015-03-31 19:32:35 +02:00
|
|
|
{
|
2015-09-04 10:32:52 +02:00
|
|
|
return my_aes_crypt_init(ctx, mode(key_version), flags, key, klen, iv, ivlen);
|
|
|
|
}
|
|
|
|
|
|
|
|
static unsigned int get_length(unsigned int slen, unsigned int key_id,
|
|
|
|
unsigned int key_version)
|
|
|
|
{
|
|
|
|
return my_aes_get_size(mode(key_version), slen);
|
2015-03-31 19:32:35 +02:00
|
|
|
}
|
|
|
|
|
2014-12-22 15:53:17 +01:00
|
|
|
static int example_key_management_plugin_init(void *p)
|
|
|
|
{
|
|
|
|
/* init */
|
|
|
|
pthread_mutex_init(&mutex, NULL);
|
2015-04-10 09:46:21 +02:00
|
|
|
get_latest_key_version(1);
|
2014-12-22 15:53:17 +01:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int example_key_management_plugin_deinit(void *p)
|
|
|
|
{
|
|
|
|
pthread_mutex_destroy(&mutex);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-04-18 18:37:57 +02:00
|
|
|
|
|
|
|
static int ctx_update(void *ctx, const unsigned char *src, unsigned int slen,
|
|
|
|
unsigned char *dst, unsigned int *dlen)
|
|
|
|
{
|
|
|
|
return my_aes_crypt_update(ctx, src, slen, dst, dlen);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int ctx_finish(void *ctx, unsigned char *dst, unsigned int *dlen)
|
|
|
|
{
|
|
|
|
return my_aes_crypt_finish(ctx, dst, dlen);
|
|
|
|
}
|
|
|
|
|
|
|
|
static uint ctx_size(unsigned int , unsigned int key_version)
|
|
|
|
{
|
|
|
|
return my_aes_ctx_size(mode(key_version));
|
|
|
|
}
|
|
|
|
|
2015-03-27 09:45:22 +01:00
|
|
|
struct st_mariadb_encryption example_key_management_plugin= {
|
|
|
|
MariaDB_ENCRYPTION_INTERFACE_VERSION,
|
2015-01-05 13:36:14 +01:00
|
|
|
get_latest_key_version,
|
2015-03-31 19:32:35 +02:00
|
|
|
get_key,
|
2017-04-18 18:37:57 +02:00
|
|
|
ctx_size,
|
2015-09-04 10:32:52 +02:00
|
|
|
ctx_init,
|
2017-04-18 18:37:57 +02:00
|
|
|
ctx_update,
|
|
|
|
ctx_finish,
|
2015-09-04 10:32:52 +02:00
|
|
|
get_length
|
2014-12-22 15:53:17 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
/*
|
|
|
|
Plugin library descriptor
|
|
|
|
*/
|
2015-03-27 15:58:02 +01:00
|
|
|
maria_declare_plugin(example_key_management)
|
2014-12-22 15:53:17 +01:00
|
|
|
{
|
2015-03-27 09:45:22 +01:00
|
|
|
MariaDB_ENCRYPTION_PLUGIN,
|
2014-12-22 15:53:17 +01:00
|
|
|
&example_key_management_plugin,
|
2015-03-27 15:58:02 +01:00
|
|
|
"example_key_management",
|
2014-12-22 15:53:17 +01:00
|
|
|
"Jonas Oreland",
|
|
|
|
"Example key management plugin",
|
|
|
|
PLUGIN_LICENSE_GPL,
|
|
|
|
example_key_management_plugin_init,
|
|
|
|
example_key_management_plugin_deinit,
|
|
|
|
0x0100 /* 1.0 */,
|
|
|
|
NULL, /* status variables */
|
|
|
|
NULL, /* system variables */
|
|
|
|
"1.0",
|
2015-01-05 13:36:14 +01:00
|
|
|
MariaDB_PLUGIN_MATURITY_EXPERIMENTAL
|
2014-12-22 15:53:17 +01:00
|
|
|
}
|
|
|
|
maria_declare_plugin_end;
|