mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-30 18:41:56 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
mariadb/storage/innobase/include/log0crypt.h

126 lines
4.2 KiB
C
Raw Normal View History

MDEV-8410: Changing file-key-management to example-key-management causes crash and no real error MDEV-8409: Changing file-key-management-encryption-algorithm causes crash and no real info why Analysis: Both bugs has two different error cases. Firstly, at startup when server reads latest checkpoint but requested key_version, key management plugin or encryption algorithm or method is not found leading corrupted log entry. Secondly, similarly when reading system tablespace if requested key_version, key management plugin or encryption algorithm or method is not found leading buffer pool page corruption. Fix: Firsly, when reading checkpoint at startup check if the log record may be encrypted and if we find that it could be encrypted, print error message and do not start server. Secondly, if page is buffer pool seems corrupted but we find out that there is crypt_info, print additional error message before asserting.
2015-08-07 15:21:20 +03:00
/*****************************************************************************
Copyright (C) 2013, 2015, Google Inc. All Rights Reserved.
Cleanup: log upgrade and encryption log_crypt_101_read_checkpoint(), log_crypt_101_read_block(): Declare as ATTRIBUTE_COLD. These are only used when checking that a MariaDB 10.1 encrypted redo log is clean. log_block_calc_checksum_format_0(): Define in the only compilation unit where it is needed. This is only used when reading the checkpoint information from redo logs before MariaDB 10.2.2. crypt_info_t: Declare the byte arrays directly with alignas(). log_crypt(): Use memcpy_aligned instead of reinterpret_cast on integers.
2020-03-07 12:01:20 +02:00
Copyright (C) 2014, 2020, MariaDB Corporation.
MDEV-8410: Changing file-key-management to example-key-management causes crash and no real error MDEV-8409: Changing file-key-management-encryption-algorithm causes crash and no real info why Analysis: Both bugs has two different error cases. Firstly, at startup when server reads latest checkpoint but requested key_version, key management plugin or encryption algorithm or method is not found leading corrupted log entry. Secondly, similarly when reading system tablespace if requested key_version, key management plugin or encryption algorithm or method is not found leading buffer pool page corruption. Fix: Firsly, when reading checkpoint at startup check if the log record may be encrypted and if we find that it could be encrypted, print error message and do not start server. Secondly, if page is buffer pool seems corrupted but we find out that there is crypt_info, print additional error message before asserting.
2015-08-07 15:21:20 +03:00
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
this program; if not, write to the Free Software Foundation, Inc.,
Merge branch '5.5' into 10.1
2019-05-11 22:19:05 +03:00
51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA
MDEV-8410: Changing file-key-management to example-key-management causes crash and no real error MDEV-8409: Changing file-key-management-encryption-algorithm causes crash and no real info why Analysis: Both bugs has two different error cases. Firstly, at startup when server reads latest checkpoint but requested key_version, key management plugin or encryption algorithm or method is not found leading corrupted log entry. Secondly, similarly when reading system tablespace if requested key_version, key management plugin or encryption algorithm or method is not found leading buffer pool page corruption. Fix: Firsly, when reading checkpoint at startup check if the log record may be encrypted and if we find that it could be encrypted, print error message and do not start server. Secondly, if page is buffer pool seems corrupted but we find out that there is crypt_info, print additional error message before asserting.
2015-08-07 15:21:20 +03:00
*****************************************************************************/
Push for testing of encryption
2014-12-22 16:53:17 +02:00
/**************************************************//**
@file include/log0crypt.h
Innodb log encrypt/decrypt
Created 11/25/2013 Minli Zhu
MDEV-8410: Changing file-key-management to example-key-management causes crash and no real error MDEV-8409: Changing file-key-management-encryption-algorithm causes crash and no real info why Analysis: Both bugs has two different error cases. Firstly, at startup when server reads latest checkpoint but requested key_version, key management plugin or encryption algorithm or method is not found leading corrupted log entry. Secondly, similarly when reading system tablespace if requested key_version, key management plugin or encryption algorithm or method is not found leading buffer pool page corruption. Fix: Firsly, when reading checkpoint at startup check if the log record may be encrypted and if we find that it could be encrypted, print error message and do not start server. Secondly, if page is buffer pool seems corrupted but we find out that there is crypt_info, print additional error message before asserting.
2015-08-07 15:21:20 +03:00
Modified Jan Lindström jan.lindstrom@mariadb.com
MDEV-11782: Redefine the innodb_encrypt_log format Write only one encryption key to the checkpoint page. Use 4 bytes of nonce. Encrypt more of each redo log block, only skipping the 4-byte field LOG_BLOCK_HDR_NO which the initialization vector is derived from. Issue notes, not warning messages for rewriting the redo log files. recv_recovery_from_checkpoint_finish(): Do not generate any redo log, because we must avoid that before rewriting the redo log files, or otherwise a crash during a redo log rewrite (removing or adding encryption) may end up making the database unrecoverable. Instead, do these tasks in innobase_start_or_create_for_mysql(). Issue a firm "Missing MLOG_CHECKPOINT" error message. Remove some unreachable code and duplicated error messages for log corruption. LOG_HEADER_FORMAT_ENCRYPTED: A flag for identifying an encrypted redo log format. log_group_t::is_encrypted(), log_t::is_encrypted(): Determine if the redo log is in encrypted format. recv_find_max_checkpoint(): Interpret LOG_HEADER_FORMAT_ENCRYPTED. srv_prepare_to_delete_redo_log_files(): Display NOTE messages about adding or removing encryption. Do not issue warnings for redo log resizing any more. innobase_start_or_create_for_mysql(): Rebuild the redo logs also when the encryption changes. innodb_log_checksums_func_update(): Always use the CRC-32C checksum if innodb_encrypt_log. If needed, issue a warning that innodb_encrypt_log implies innodb_log_checksums. log_group_write_buf(): Compute the checksum on the encrypted block contents, so that transmission errors or incomplete blocks can be detected without decrypting. Rewrite most of the redo log encryption code. Only remember one encryption key at a time (but remember up to 5 when upgrading from the MariaDB 10.1 format.)
2017-02-10 12:11:42 +02:00
MDEV-11782: Rewritten for MariaDB 10.2 by Marko Mäkelä, MariaDB Corporation.
Push for testing of encryption
2014-12-22 16:53:17 +02:00
*******************************************************/
#ifndef log0crypt_h
#define log0crypt_h
MDEV-11782: Redefine the innodb_encrypt_log format Write only one encryption key to the checkpoint page. Use 4 bytes of nonce. Encrypt more of each redo log block, only skipping the 4-byte field LOG_BLOCK_HDR_NO which the initialization vector is derived from. Issue notes, not warning messages for rewriting the redo log files. recv_recovery_from_checkpoint_finish(): Do not generate any redo log, because we must avoid that before rewriting the redo log files, or otherwise a crash during a redo log rewrite (removing or adding encryption) may end up making the database unrecoverable. Instead, do these tasks in innobase_start_or_create_for_mysql(). Issue a firm "Missing MLOG_CHECKPOINT" error message. Remove some unreachable code and duplicated error messages for log corruption. LOG_HEADER_FORMAT_ENCRYPTED: A flag for identifying an encrypted redo log format. log_group_t::is_encrypted(), log_t::is_encrypted(): Determine if the redo log is in encrypted format. recv_find_max_checkpoint(): Interpret LOG_HEADER_FORMAT_ENCRYPTED. srv_prepare_to_delete_redo_log_files(): Display NOTE messages about adding or removing encryption. Do not issue warnings for redo log resizing any more. innobase_start_or_create_for_mysql(): Rebuild the redo logs also when the encryption changes. innodb_log_checksums_func_update(): Always use the CRC-32C checksum if innodb_encrypt_log. If needed, issue a warning that innodb_encrypt_log implies innodb_log_checksums. log_group_write_buf(): Compute the checksum on the encrypted block contents, so that transmission errors or incomplete blocks can be detected without decrypting. Rewrite most of the redo log encryption code. Only remember one encryption key at a time (but remember up to 5 when upgrading from the MariaDB 10.1 format.)
2017-02-10 12:11:42 +02:00
#include "log0log.h"
Push for testing of encryption
2014-12-22 16:53:17 +02:00
MDEV-11782: Redefine the innodb_encrypt_log format Write only one encryption key to the checkpoint page. Use 4 bytes of nonce. Encrypt more of each redo log block, only skipping the 4-byte field LOG_BLOCK_HDR_NO which the initialization vector is derived from. Issue notes, not warning messages for rewriting the redo log files. recv_recovery_from_checkpoint_finish(): Do not generate any redo log, because we must avoid that before rewriting the redo log files, or otherwise a crash during a redo log rewrite (removing or adding encryption) may end up making the database unrecoverable. Instead, do these tasks in innobase_start_or_create_for_mysql(). Issue a firm "Missing MLOG_CHECKPOINT" error message. Remove some unreachable code and duplicated error messages for log corruption. LOG_HEADER_FORMAT_ENCRYPTED: A flag for identifying an encrypted redo log format. log_group_t::is_encrypted(), log_t::is_encrypted(): Determine if the redo log is in encrypted format. recv_find_max_checkpoint(): Interpret LOG_HEADER_FORMAT_ENCRYPTED. srv_prepare_to_delete_redo_log_files(): Display NOTE messages about adding or removing encryption. Do not issue warnings for redo log resizing any more. innobase_start_or_create_for_mysql(): Rebuild the redo logs also when the encryption changes. innodb_log_checksums_func_update(): Always use the CRC-32C checksum if innodb_encrypt_log. If needed, issue a warning that innodb_encrypt_log implies innodb_log_checksums. log_group_write_buf(): Compute the checksum on the encrypted block contents, so that transmission errors or incomplete blocks can be detected without decrypting. Rewrite most of the redo log encryption code. Only remember one encryption key at a time (but remember up to 5 when upgrading from the MariaDB 10.1 format.)
2017-02-10 12:11:42 +02:00
/** innodb_encrypt_log: whether to encrypt the redo log */
Push for testing of encryption
2014-12-22 16:53:17 +02:00
extern my_bool srv_encrypt_log;
MDEV-13318 Crash recovery failure after the server is killed during innodb_encrypt_log startup This fixes several InnoDB bugs related to innodb_encrypt_log and two Mariabackup --backup bugs. log_crypt(): Properly derive the initialization vector from the start LSN of each block. Add a debug assertion. log_crypt_init(): Note that the function should only be used when creating redo log files and that the information is persisted in the checkpoint pages. xtrabackup_copy_log(): Validate data_len. xtrabackup_backup_func(): Always use the chosen checkpoint buffer. log_group_write_buf(), log_write_up_to(): Only log_crypt() the redo log payload, not the padding bytes. innobase_start_or_create_for_mysql(): Do not invoke log_crypt_init() or initiate a redo log checkpoint. recv_find_max_checkpoint(): Return the contents of LOG_CHECKPOINT_NO to xtrabackup_backup_func() in log_sys->next_checkpoint_no.
2017-09-11 16:47:23 +03:00
/** Initialize the redo log encryption key and random parameters
when creating a new redo log.
The random parameters will be persisted in the log checkpoint pages.
@see log_crypt_write_checkpoint_buf()
@see log_crypt_read_checkpoint_buf()
MDEV-11782: Redefine the innodb_encrypt_log format Write only one encryption key to the checkpoint page. Use 4 bytes of nonce. Encrypt more of each redo log block, only skipping the 4-byte field LOG_BLOCK_HDR_NO which the initialization vector is derived from. Issue notes, not warning messages for rewriting the redo log files. recv_recovery_from_checkpoint_finish(): Do not generate any redo log, because we must avoid that before rewriting the redo log files, or otherwise a crash during a redo log rewrite (removing or adding encryption) may end up making the database unrecoverable. Instead, do these tasks in innobase_start_or_create_for_mysql(). Issue a firm "Missing MLOG_CHECKPOINT" error message. Remove some unreachable code and duplicated error messages for log corruption. LOG_HEADER_FORMAT_ENCRYPTED: A flag for identifying an encrypted redo log format. log_group_t::is_encrypted(), log_t::is_encrypted(): Determine if the redo log is in encrypted format. recv_find_max_checkpoint(): Interpret LOG_HEADER_FORMAT_ENCRYPTED. srv_prepare_to_delete_redo_log_files(): Display NOTE messages about adding or removing encryption. Do not issue warnings for redo log resizing any more. innobase_start_or_create_for_mysql(): Rebuild the redo logs also when the encryption changes. innodb_log_checksums_func_update(): Always use the CRC-32C checksum if innodb_encrypt_log. If needed, issue a warning that innodb_encrypt_log implies innodb_log_checksums. log_group_write_buf(): Compute the checksum on the encrypted block contents, so that transmission errors or incomplete blocks can be detected without decrypting. Rewrite most of the redo log encryption code. Only remember one encryption key at a time (but remember up to 5 when upgrading from the MariaDB 10.1 format.)
2017-02-10 12:11:42 +02:00
@return whether the operation succeeded */
Push for testing of encryption
2014-12-22 16:53:17 +02:00
UNIV_INTERN
MDEV-11782: Redefine the innodb_encrypt_log format Write only one encryption key to the checkpoint page. Use 4 bytes of nonce. Encrypt more of each redo log block, only skipping the 4-byte field LOG_BLOCK_HDR_NO which the initialization vector is derived from. Issue notes, not warning messages for rewriting the redo log files. recv_recovery_from_checkpoint_finish(): Do not generate any redo log, because we must avoid that before rewriting the redo log files, or otherwise a crash during a redo log rewrite (removing or adding encryption) may end up making the database unrecoverable. Instead, do these tasks in innobase_start_or_create_for_mysql(). Issue a firm "Missing MLOG_CHECKPOINT" error message. Remove some unreachable code and duplicated error messages for log corruption. LOG_HEADER_FORMAT_ENCRYPTED: A flag for identifying an encrypted redo log format. log_group_t::is_encrypted(), log_t::is_encrypted(): Determine if the redo log is in encrypted format. recv_find_max_checkpoint(): Interpret LOG_HEADER_FORMAT_ENCRYPTED. srv_prepare_to_delete_redo_log_files(): Display NOTE messages about adding or removing encryption. Do not issue warnings for redo log resizing any more. innobase_start_or_create_for_mysql(): Rebuild the redo logs also when the encryption changes. innodb_log_checksums_func_update(): Always use the CRC-32C checksum if innodb_encrypt_log. If needed, issue a warning that innodb_encrypt_log implies innodb_log_checksums. log_group_write_buf(): Compute the checksum on the encrypted block contents, so that transmission errors or incomplete blocks can be detected without decrypting. Rewrite most of the redo log encryption code. Only remember one encryption key at a time (but remember up to 5 when upgrading from the MariaDB 10.1 format.)
2017-02-10 12:11:42 +02:00
bool
log_crypt_init();
Push for testing of encryption
2014-12-22 16:53:17 +02:00
/*********************************************************************//**
Writes the crypto (version, msg and iv) info, which has been used for
log blocks with lsn <= this checkpoint's lsn, to a log header's
checkpoint buf. */
UNIV_INTERN
void
log_crypt_write_checkpoint_buf(
/*===========================*/
byte* buf); /*!< in/out: checkpoint buffer */
MDEV-11782 preparation: Add separate code for validating the 10.1 redo log. log_crypt_101_read_checkpoint(): Read the encryption information from a MariaDB 10.1 checkpoint page. log_crypt_101_read_block(): Attempt to decrypt a MariaDB 10.1 redo log page. recv_log_format_0_recover(): Only attempt decryption on checksum mismatch. NOTE: With the MariaDB 10.1 innodb_encrypt_log format, we can actually determine from the cleartext portion of the redo log whether the redo log is empty. We do not really have to decrypt the redo log here, if we did not want to determine if the checksum is valid.
2017-02-10 20:26:02 +02:00
/** Read the MariaDB 10.1 checkpoint crypto (version, msg and iv) info.
@param[in] buf checkpoint buffer
@return whether the operation was successful */
Cleanup: log upgrade and encryption log_crypt_101_read_checkpoint(), log_crypt_101_read_block(): Declare as ATTRIBUTE_COLD. These are only used when checking that a MariaDB 10.1 encrypted redo log is clean. log_block_calc_checksum_format_0(): Define in the only compilation unit where it is needed. This is only used when reading the checkpoint information from redo logs before MariaDB 10.2.2. crypt_info_t: Declare the byte arrays directly with alignas(). log_crypt(): Use memcpy_aligned instead of reinterpret_cast on integers.
2020-03-07 12:01:20 +02:00
ATTRIBUTE_COLD bool log_crypt_101_read_checkpoint(const byte* buf);
MDEV-11782 preparation: Add separate code for validating the 10.1 redo log. log_crypt_101_read_checkpoint(): Read the encryption information from a MariaDB 10.1 checkpoint page. log_crypt_101_read_block(): Attempt to decrypt a MariaDB 10.1 redo log page. recv_log_format_0_recover(): Only attempt decryption on checksum mismatch. NOTE: With the MariaDB 10.1 innodb_encrypt_log format, we can actually determine from the cleartext portion of the redo log whether the redo log is empty. We do not really have to decrypt the redo log here, if we did not want to determine if the checksum is valid.
2017-02-10 20:26:02 +02:00
/** Decrypt a MariaDB 10.1 redo log block.
Cleanup: Remove srv_start_lsn Most of the time, we can refer to recv_sys.recovered_lsn.
2020-03-02 14:34:52 +02:00
@param[in,out] buf log block
@param[in] start_lsn server start LSN
MDEV-11782 preparation: Add separate code for validating the 10.1 redo log. log_crypt_101_read_checkpoint(): Read the encryption information from a MariaDB 10.1 checkpoint page. log_crypt_101_read_block(): Attempt to decrypt a MariaDB 10.1 redo log page. recv_log_format_0_recover(): Only attempt decryption on checksum mismatch. NOTE: With the MariaDB 10.1 innodb_encrypt_log format, we can actually determine from the cleartext portion of the redo log whether the redo log is empty. We do not really have to decrypt the redo log here, if we did not want to determine if the checksum is valid.
2017-02-10 20:26:02 +02:00
@return whether the decryption was successful */
Cleanup: log upgrade and encryption log_crypt_101_read_checkpoint(), log_crypt_101_read_block(): Declare as ATTRIBUTE_COLD. These are only used when checking that a MariaDB 10.1 encrypted redo log is clean. log_block_calc_checksum_format_0(): Define in the only compilation unit where it is needed. This is only used when reading the checkpoint information from redo logs before MariaDB 10.2.2. crypt_info_t: Declare the byte arrays directly with alignas(). log_crypt(): Use memcpy_aligned instead of reinterpret_cast on integers.
2020-03-07 12:01:20 +02:00
ATTRIBUTE_COLD bool log_crypt_101_read_block(byte* buf, lsn_t start_lsn);
MDEV-11782 preparation: Add separate code for validating the 10.1 redo log. log_crypt_101_read_checkpoint(): Read the encryption information from a MariaDB 10.1 checkpoint page. log_crypt_101_read_block(): Attempt to decrypt a MariaDB 10.1 redo log page. recv_log_format_0_recover(): Only attempt decryption on checksum mismatch. NOTE: With the MariaDB 10.1 innodb_encrypt_log format, we can actually determine from the cleartext portion of the redo log whether the redo log is empty. We do not really have to decrypt the redo log here, if we did not want to determine if the checksum is valid.
2017-02-10 20:26:02 +02:00
MDEV-11782: Redefine the innodb_encrypt_log format Write only one encryption key to the checkpoint page. Use 4 bytes of nonce. Encrypt more of each redo log block, only skipping the 4-byte field LOG_BLOCK_HDR_NO which the initialization vector is derived from. Issue notes, not warning messages for rewriting the redo log files. recv_recovery_from_checkpoint_finish(): Do not generate any redo log, because we must avoid that before rewriting the redo log files, or otherwise a crash during a redo log rewrite (removing or adding encryption) may end up making the database unrecoverable. Instead, do these tasks in innobase_start_or_create_for_mysql(). Issue a firm "Missing MLOG_CHECKPOINT" error message. Remove some unreachable code and duplicated error messages for log corruption. LOG_HEADER_FORMAT_ENCRYPTED: A flag for identifying an encrypted redo log format. log_group_t::is_encrypted(), log_t::is_encrypted(): Determine if the redo log is in encrypted format. recv_find_max_checkpoint(): Interpret LOG_HEADER_FORMAT_ENCRYPTED. srv_prepare_to_delete_redo_log_files(): Display NOTE messages about adding or removing encryption. Do not issue warnings for redo log resizing any more. innobase_start_or_create_for_mysql(): Rebuild the redo logs also when the encryption changes. innodb_log_checksums_func_update(): Always use the CRC-32C checksum if innodb_encrypt_log. If needed, issue a warning that innodb_encrypt_log implies innodb_log_checksums. log_group_write_buf(): Compute the checksum on the encrypted block contents, so that transmission errors or incomplete blocks can be detected without decrypting. Rewrite most of the redo log encryption code. Only remember one encryption key at a time (but remember up to 5 when upgrading from the MariaDB 10.1 format.)
2017-02-10 12:11:42 +02:00
/** Read the checkpoint crypto (version, msg and iv) info.
@param[in] buf checkpoint buffer
@return whether the operation was successful */
Cleanup: log upgrade and encryption log_crypt_101_read_checkpoint(), log_crypt_101_read_block(): Declare as ATTRIBUTE_COLD. These are only used when checking that a MariaDB 10.1 encrypted redo log is clean. log_block_calc_checksum_format_0(): Define in the only compilation unit where it is needed. This is only used when reading the checkpoint information from redo logs before MariaDB 10.2.2. crypt_info_t: Declare the byte arrays directly with alignas(). log_crypt(): Use memcpy_aligned instead of reinterpret_cast on integers.
2020-03-07 12:01:20 +02:00
bool log_crypt_read_checkpoint_buf(const byte* buf);
MDEV-8410: Changing file-key-management to example-key-management causes crash and no real error MDEV-8409: Changing file-key-management-encryption-algorithm causes crash and no real info why Analysis: Both bugs has two different error cases. Firstly, at startup when server reads latest checkpoint but requested key_version, key management plugin or encryption algorithm or method is not found leading corrupted log entry. Secondly, similarly when reading system tablespace if requested key_version, key management plugin or encryption algorithm or method is not found leading buffer pool page corruption. Fix: Firsly, when reading checkpoint at startup check if the log record may be encrypted and if we find that it could be encrypted, print error message and do not start server. Secondly, if page is buffer pool seems corrupted but we find out that there is crypt_info, print additional error message before asserting.
2015-08-07 15:21:20 +03:00
MDEV-12041: innodb_encrypt_log key rotation This will change the InnoDB encrypted redo log format only. Unencrypted redo log will keep using the MariaDB 10.3 format. In the new encrypted redo log format, 4 additional bytes will be reserved in the redo log block trailer for storing the encryption key version. For performance reasons, the encryption key rotation (checking if the latest encryption key version is being used) is only done at log_checkpoint(). LOG_HEADER_FORMAT_CURRENT: Remove. LOG_HEADER_FORMAT_ENC_10_4: The encrypted 10.4 format. LOG_BLOCK_KEY: The encryption key version field. LOG_BLOCK_TRL_SIZE: Remove. log_t: Add accessors framing_size(), payload_size(), trailer_offset(), to be used instead of referring to LOG_BLOCK_TRL_SIZE. log_crypt_t: An operation passed to log_crypt(). log_crypt(): Perform decryption, encryption, or encryption with key rotation. Return an error if key rotation at decryption fails. On encryption, keep using the previous key if the rotation fails. At startup, old-format encrypted redo log may be written before the redo log is upgraded (rebuilt) to the latest format. log_write_up_to(): Add the parameter rotate_key=false. log_checkpoint(): Invoke log_write_up_to() with rotate_key=true.
2018-08-13 16:04:37 +03:00
/** log_crypt() operation code */
enum log_crypt_t {
/** encrypt a log block without rotating key */
LOG_ENCRYPT,
/** decrypt a log block */
LOG_DECRYPT,
/** attempt to rotate the key, and encrypt a log block */
LOG_ENCRYPT_ROTATE_KEY
};
MDEV-11782: Redefine the innodb_encrypt_log format Write only one encryption key to the checkpoint page. Use 4 bytes of nonce. Encrypt more of each redo log block, only skipping the 4-byte field LOG_BLOCK_HDR_NO which the initialization vector is derived from. Issue notes, not warning messages for rewriting the redo log files. recv_recovery_from_checkpoint_finish(): Do not generate any redo log, because we must avoid that before rewriting the redo log files, or otherwise a crash during a redo log rewrite (removing or adding encryption) may end up making the database unrecoverable. Instead, do these tasks in innobase_start_or_create_for_mysql(). Issue a firm "Missing MLOG_CHECKPOINT" error message. Remove some unreachable code and duplicated error messages for log corruption. LOG_HEADER_FORMAT_ENCRYPTED: A flag for identifying an encrypted redo log format. log_group_t::is_encrypted(), log_t::is_encrypted(): Determine if the redo log is in encrypted format. recv_find_max_checkpoint(): Interpret LOG_HEADER_FORMAT_ENCRYPTED. srv_prepare_to_delete_redo_log_files(): Display NOTE messages about adding or removing encryption. Do not issue warnings for redo log resizing any more. innobase_start_or_create_for_mysql(): Rebuild the redo logs also when the encryption changes. innodb_log_checksums_func_update(): Always use the CRC-32C checksum if innodb_encrypt_log. If needed, issue a warning that innodb_encrypt_log implies innodb_log_checksums. log_group_write_buf(): Compute the checksum on the encrypted block contents, so that transmission errors or incomplete blocks can be detected without decrypting. Rewrite most of the redo log encryption code. Only remember one encryption key at a time (but remember up to 5 when upgrading from the MariaDB 10.1 format.)
2017-02-10 12:11:42 +02:00
/** Encrypt or decrypt log blocks.
@param[in,out] buf log blocks to encrypt or decrypt
MDEV-13318 Crash recovery failure after the server is killed during innodb_encrypt_log startup This fixes several InnoDB bugs related to innodb_encrypt_log and two Mariabackup --backup bugs. log_crypt(): Properly derive the initialization vector from the start LSN of each block. Add a debug assertion. log_crypt_init(): Note that the function should only be used when creating redo log files and that the information is persisted in the checkpoint pages. xtrabackup_copy_log(): Validate data_len. xtrabackup_backup_func(): Always use the chosen checkpoint buffer. log_group_write_buf(), log_write_up_to(): Only log_crypt() the redo log payload, not the padding bytes. innobase_start_or_create_for_mysql(): Do not invoke log_crypt_init() or initiate a redo log checkpoint. recv_find_max_checkpoint(): Return the contents of LOG_CHECKPOINT_NO to xtrabackup_backup_func() in log_sys->next_checkpoint_no.
2017-09-11 16:47:23 +03:00
@param[in] lsn log sequence number of the start of the buffer
MDEV-11782: Redefine the innodb_encrypt_log format Write only one encryption key to the checkpoint page. Use 4 bytes of nonce. Encrypt more of each redo log block, only skipping the 4-byte field LOG_BLOCK_HDR_NO which the initialization vector is derived from. Issue notes, not warning messages for rewriting the redo log files. recv_recovery_from_checkpoint_finish(): Do not generate any redo log, because we must avoid that before rewriting the redo log files, or otherwise a crash during a redo log rewrite (removing or adding encryption) may end up making the database unrecoverable. Instead, do these tasks in innobase_start_or_create_for_mysql(). Issue a firm "Missing MLOG_CHECKPOINT" error message. Remove some unreachable code and duplicated error messages for log corruption. LOG_HEADER_FORMAT_ENCRYPTED: A flag for identifying an encrypted redo log format. log_group_t::is_encrypted(), log_t::is_encrypted(): Determine if the redo log is in encrypted format. recv_find_max_checkpoint(): Interpret LOG_HEADER_FORMAT_ENCRYPTED. srv_prepare_to_delete_redo_log_files(): Display NOTE messages about adding or removing encryption. Do not issue warnings for redo log resizing any more. innobase_start_or_create_for_mysql(): Rebuild the redo logs also when the encryption changes. innodb_log_checksums_func_update(): Always use the CRC-32C checksum if innodb_encrypt_log. If needed, issue a warning that innodb_encrypt_log implies innodb_log_checksums. log_group_write_buf(): Compute the checksum on the encrypted block contents, so that transmission errors or incomplete blocks can be detected without decrypting. Rewrite most of the redo log encryption code. Only remember one encryption key at a time (but remember up to 5 when upgrading from the MariaDB 10.1 format.)
2017-02-10 12:11:42 +02:00
@param[in] size size of the buffer, in bytes
MDEV-12041: innodb_encrypt_log key rotation This will change the InnoDB encrypted redo log format only. Unencrypted redo log will keep using the MariaDB 10.3 format. In the new encrypted redo log format, 4 additional bytes will be reserved in the redo log block trailer for storing the encryption key version. For performance reasons, the encryption key rotation (checking if the latest encryption key version is being used) is only done at log_checkpoint(). LOG_HEADER_FORMAT_CURRENT: Remove. LOG_HEADER_FORMAT_ENC_10_4: The encrypted 10.4 format. LOG_BLOCK_KEY: The encryption key version field. LOG_BLOCK_TRL_SIZE: Remove. log_t: Add accessors framing_size(), payload_size(), trailer_offset(), to be used instead of referring to LOG_BLOCK_TRL_SIZE. log_crypt_t: An operation passed to log_crypt(). log_crypt(): Perform decryption, encryption, or encryption with key rotation. Return an error if key rotation at decryption fails. On encryption, keep using the previous key if the rotation fails. At startup, old-format encrypted redo log may be written before the redo log is upgraded (rebuilt) to the latest format. log_write_up_to(): Add the parameter rotate_key=false. log_checkpoint(): Invoke log_write_up_to() with rotate_key=true.
2018-08-13 16:04:37 +03:00
@param[in] op whether to decrypt, encrypt, or rotate key and encrypt
@return whether the operation succeeded (encrypt always does) */
bool log_crypt(byte* buf, lsn_t lsn, ulint size, log_crypt_t op = LOG_ENCRYPT);
MDEV-9793: getting mysqld crypto key from key version failed Make sure that we read all possible encryption keys from checkpoint and if log block checksum does not match, print all found checkpoint encryption keys.
2016-03-30 16:08:05 +03:00
Merge 10.1 into 10.2 This should also fix the MariaDB 10.2.2 bug MDEV-13826 CREATE FULLTEXT INDEX on encrypted table fails. MDEV-12634 FIXME: Modify innodb-index-online, innodb-table-online so that they will write and read merge sort files. InnoDB 5.7 introduced some optimizations to avoid using the files for small tables. Many collation test results have been adjusted for MDEV-10191.
2017-09-16 22:31:53 +03:00
/** Encrypt or decrypt a temporary file block.
@param[in] src block to encrypt or decrypt
MDEV-12634: Uninitialised ROW_MERGE_RESERVE_SIZE bytes written to tem… …porary file Fixed by removing writing key version to start of every block that was encrypted. Instead we will use single key version from log_sys crypt info. After this MDEV also blocks writen to row log are encrypted and blocks read from row log aren decrypted if encryption is configured for the table. innodb_status_variables[], struct srv_stats_t Added status variables for merge block and row log block encryption and decryption amounts. Removed ROW_MERGE_RESERVE_SIZE define. row_merge_fts_doc_tokenize Remove ROW_MERGE_RESERVE_SIZE row_log_t Add index, crypt_tail, crypt_head to be used in case of encryption. row_log_online_op, row_log_table_close_func Before writing a block encrypt it if encryption is enabled row_log_table_apply_ops, row_log_apply_ops After reading a block decrypt it if encryption is enabled row_log_allocate Allocate temporary buffers crypt_head and crypt_tail if needed. row_log_free Free temporary buffers crypt_head and crypt_tail if they exist. row_merge_encrypt_buf, row_merge_decrypt_buf Removed. row_merge_buf_create, row_merge_buf_write Remove ROW_MERGE_RESERVE_SIZE row_merge_build_indexes Allocate temporary buffer used in decryption and encryption if needed. log_tmp_blocks_crypt, log_tmp_block_encrypt, log_temp_block_decrypt New functions used in block encryption and decryption log_tmp_is_encrypted New function to check is encryption enabled. Added test case innodb-rowlog to force creating a row log and verify that operations are done using introduced status variables.
2017-09-14 09:23:20 +03:00
@param[in] size size of the block
Merge 10.1 into 10.2 This should also fix the MariaDB 10.2.2 bug MDEV-13826 CREATE FULLTEXT INDEX on encrypted table fails. MDEV-12634 FIXME: Modify innodb-index-online, innodb-table-online so that they will write and read merge sort files. InnoDB 5.7 introduced some optimizations to avoid using the files for small tables. Many collation test results have been adjusted for MDEV-10191.
2017-09-16 22:31:53 +03:00
@param[out] dst destination block
MDEV-12634: Uninitialised ROW_MERGE_RESERVE_SIZE bytes written to tem… …porary file Fixed by removing writing key version to start of every block that was encrypted. Instead we will use single key version from log_sys crypt info. After this MDEV also blocks writen to row log are encrypted and blocks read from row log aren decrypted if encryption is configured for the table. innodb_status_variables[], struct srv_stats_t Added status variables for merge block and row log block encryption and decryption amounts. Removed ROW_MERGE_RESERVE_SIZE define. row_merge_fts_doc_tokenize Remove ROW_MERGE_RESERVE_SIZE row_log_t Add index, crypt_tail, crypt_head to be used in case of encryption. row_log_online_op, row_log_table_close_func Before writing a block encrypt it if encryption is enabled row_log_table_apply_ops, row_log_apply_ops After reading a block decrypt it if encryption is enabled row_log_allocate Allocate temporary buffers crypt_head and crypt_tail if needed. row_log_free Free temporary buffers crypt_head and crypt_tail if they exist. row_merge_encrypt_buf, row_merge_decrypt_buf Removed. row_merge_buf_create, row_merge_buf_write Remove ROW_MERGE_RESERVE_SIZE row_merge_build_indexes Allocate temporary buffer used in decryption and encryption if needed. log_tmp_blocks_crypt, log_tmp_block_encrypt, log_temp_block_decrypt New functions used in block encryption and decryption log_tmp_is_encrypted New function to check is encryption enabled. Added test case innodb-rowlog to force creating a row log and verify that operations are done using introduced status variables.
2017-09-14 09:23:20 +03:00
@param[in] offs offset to block
Merge 10.1 into 10.2 This should also fix the MariaDB 10.2.2 bug MDEV-13826 CREATE FULLTEXT INDEX on encrypted table fails. MDEV-12634 FIXME: Modify innodb-index-online, innodb-table-online so that they will write and read merge sort files. InnoDB 5.7 introduced some optimizations to avoid using the files for small tables. Many collation test results have been adjusted for MDEV-10191.
2017-09-16 22:31:53 +03:00
@param[in] encrypt true=encrypt; false=decrypt
@return whether the operation succeeded */
MDEV-12634: Uninitialised ROW_MERGE_RESERVE_SIZE bytes written to tem… …porary file Fixed by removing writing key version to start of every block that was encrypted. Instead we will use single key version from log_sys crypt info. After this MDEV also blocks writen to row log are encrypted and blocks read from row log aren decrypted if encryption is configured for the table. innodb_status_variables[], struct srv_stats_t Added status variables for merge block and row log block encryption and decryption amounts. Removed ROW_MERGE_RESERVE_SIZE define. row_merge_fts_doc_tokenize Remove ROW_MERGE_RESERVE_SIZE row_log_t Add index, crypt_tail, crypt_head to be used in case of encryption. row_log_online_op, row_log_table_close_func Before writing a block encrypt it if encryption is enabled row_log_table_apply_ops, row_log_apply_ops After reading a block decrypt it if encryption is enabled row_log_allocate Allocate temporary buffers crypt_head and crypt_tail if needed. row_log_free Free temporary buffers crypt_head and crypt_tail if they exist. row_merge_encrypt_buf, row_merge_decrypt_buf Removed. row_merge_buf_create, row_merge_buf_write Remove ROW_MERGE_RESERVE_SIZE row_merge_build_indexes Allocate temporary buffer used in decryption and encryption if needed. log_tmp_blocks_crypt, log_tmp_block_encrypt, log_temp_block_decrypt New functions used in block encryption and decryption log_tmp_is_encrypted New function to check is encryption enabled. Added test case innodb-rowlog to force creating a row log and verify that operations are done using introduced status variables.
2017-09-14 09:23:20 +03:00
UNIV_INTERN
bool
log_tmp_block_encrypt(
Merge 10.1 into 10.2 This should also fix the MariaDB 10.2.2 bug MDEV-13826 CREATE FULLTEXT INDEX on encrypted table fails. MDEV-12634 FIXME: Modify innodb-index-online, innodb-table-online so that they will write and read merge sort files. InnoDB 5.7 introduced some optimizations to avoid using the files for small tables. Many collation test results have been adjusted for MDEV-10191.
2017-09-16 22:31:53 +03:00
const byte* src,
ulint size,
byte* dst,
uint64_t offs,
bool encrypt = true)
MY_ATTRIBUTE((warn_unused_result, nonnull));
/** Decrypt a temporary file block.
@param[in] src block to decrypt
MDEV-12634: Uninitialised ROW_MERGE_RESERVE_SIZE bytes written to tem… …porary file Fixed by removing writing key version to start of every block that was encrypted. Instead we will use single key version from log_sys crypt info. After this MDEV also blocks writen to row log are encrypted and blocks read from row log aren decrypted if encryption is configured for the table. innodb_status_variables[], struct srv_stats_t Added status variables for merge block and row log block encryption and decryption amounts. Removed ROW_MERGE_RESERVE_SIZE define. row_merge_fts_doc_tokenize Remove ROW_MERGE_RESERVE_SIZE row_log_t Add index, crypt_tail, crypt_head to be used in case of encryption. row_log_online_op, row_log_table_close_func Before writing a block encrypt it if encryption is enabled row_log_table_apply_ops, row_log_apply_ops After reading a block decrypt it if encryption is enabled row_log_allocate Allocate temporary buffers crypt_head and crypt_tail if needed. row_log_free Free temporary buffers crypt_head and crypt_tail if they exist. row_merge_encrypt_buf, row_merge_decrypt_buf Removed. row_merge_buf_create, row_merge_buf_write Remove ROW_MERGE_RESERVE_SIZE row_merge_build_indexes Allocate temporary buffer used in decryption and encryption if needed. log_tmp_blocks_crypt, log_tmp_block_encrypt, log_temp_block_decrypt New functions used in block encryption and decryption log_tmp_is_encrypted New function to check is encryption enabled. Added test case innodb-rowlog to force creating a row log and verify that operations are done using introduced status variables.
2017-09-14 09:23:20 +03:00
@param[in] size size of the block
Merge 10.1 into 10.2 This should also fix the MariaDB 10.2.2 bug MDEV-13826 CREATE FULLTEXT INDEX on encrypted table fails. MDEV-12634 FIXME: Modify innodb-index-online, innodb-table-online so that they will write and read merge sort files. InnoDB 5.7 introduced some optimizations to avoid using the files for small tables. Many collation test results have been adjusted for MDEV-10191.
2017-09-16 22:31:53 +03:00
@param[out] dst destination block
MDEV-12634: Uninitialised ROW_MERGE_RESERVE_SIZE bytes written to tem… …porary file Fixed by removing writing key version to start of every block that was encrypted. Instead we will use single key version from log_sys crypt info. After this MDEV also blocks writen to row log are encrypted and blocks read from row log aren decrypted if encryption is configured for the table. innodb_status_variables[], struct srv_stats_t Added status variables for merge block and row log block encryption and decryption amounts. Removed ROW_MERGE_RESERVE_SIZE define. row_merge_fts_doc_tokenize Remove ROW_MERGE_RESERVE_SIZE row_log_t Add index, crypt_tail, crypt_head to be used in case of encryption. row_log_online_op, row_log_table_close_func Before writing a block encrypt it if encryption is enabled row_log_table_apply_ops, row_log_apply_ops After reading a block decrypt it if encryption is enabled row_log_allocate Allocate temporary buffers crypt_head and crypt_tail if needed. row_log_free Free temporary buffers crypt_head and crypt_tail if they exist. row_merge_encrypt_buf, row_merge_decrypt_buf Removed. row_merge_buf_create, row_merge_buf_write Remove ROW_MERGE_RESERVE_SIZE row_merge_build_indexes Allocate temporary buffer used in decryption and encryption if needed. log_tmp_blocks_crypt, log_tmp_block_encrypt, log_temp_block_decrypt New functions used in block encryption and decryption log_tmp_is_encrypted New function to check is encryption enabled. Added test case innodb-rowlog to force creating a row log and verify that operations are done using introduced status variables.
2017-09-14 09:23:20 +03:00
@param[in] offs offset to block
Merge 10.1 into 10.2 This should also fix the MariaDB 10.2.2 bug MDEV-13826 CREATE FULLTEXT INDEX on encrypted table fails. MDEV-12634 FIXME: Modify innodb-index-online, innodb-table-online so that they will write and read merge sort files. InnoDB 5.7 introduced some optimizations to avoid using the files for small tables. Many collation test results have been adjusted for MDEV-10191.
2017-09-16 22:31:53 +03:00
@return whether the operation succeeded */
inline
MDEV-12634: Uninitialised ROW_MERGE_RESERVE_SIZE bytes written to tem… …porary file Fixed by removing writing key version to start of every block that was encrypted. Instead we will use single key version from log_sys crypt info. After this MDEV also blocks writen to row log are encrypted and blocks read from row log aren decrypted if encryption is configured for the table. innodb_status_variables[], struct srv_stats_t Added status variables for merge block and row log block encryption and decryption amounts. Removed ROW_MERGE_RESERVE_SIZE define. row_merge_fts_doc_tokenize Remove ROW_MERGE_RESERVE_SIZE row_log_t Add index, crypt_tail, crypt_head to be used in case of encryption. row_log_online_op, row_log_table_close_func Before writing a block encrypt it if encryption is enabled row_log_table_apply_ops, row_log_apply_ops After reading a block decrypt it if encryption is enabled row_log_allocate Allocate temporary buffers crypt_head and crypt_tail if needed. row_log_free Free temporary buffers crypt_head and crypt_tail if they exist. row_merge_encrypt_buf, row_merge_decrypt_buf Removed. row_merge_buf_create, row_merge_buf_write Remove ROW_MERGE_RESERVE_SIZE row_merge_build_indexes Allocate temporary buffer used in decryption and encryption if needed. log_tmp_blocks_crypt, log_tmp_block_encrypt, log_temp_block_decrypt New functions used in block encryption and decryption log_tmp_is_encrypted New function to check is encryption enabled. Added test case innodb-rowlog to force creating a row log and verify that operations are done using introduced status variables.
2017-09-14 09:23:20 +03:00
bool
log_tmp_block_decrypt(
Merge 10.1 into 10.2 This should also fix the MariaDB 10.2.2 bug MDEV-13826 CREATE FULLTEXT INDEX on encrypted table fails. MDEV-12634 FIXME: Modify innodb-index-online, innodb-table-online so that they will write and read merge sort files. InnoDB 5.7 introduced some optimizations to avoid using the files for small tables. Many collation test results have been adjusted for MDEV-10191.
2017-09-16 22:31:53 +03:00
const byte* src,
ulint size,
byte* dst,
MDEV-17228 Encrypted temporary tables are not encrypted - Introduce a new variable called innodb_encrypt_temporary_tables which is a boolean variable. It decides whether to encrypt the temporary tablespace. - Encrypts the temporary tablespace based on full checksum format. - Introduced a new counter to track encrypted and decrypted temporary tablespace pages. - Warnings issued if temporary table creation has conflict value with innodb_encrypt_temporary_tables - Added a new test case which reads and writes the pages from/to temporary tablespace.
2019-06-27 16:23:03 +05:30
uint64_t offs)
Merge 10.1 into 10.2 This should also fix the MariaDB 10.2.2 bug MDEV-13826 CREATE FULLTEXT INDEX on encrypted table fails. MDEV-12634 FIXME: Modify innodb-index-online, innodb-table-online so that they will write and read merge sort files. InnoDB 5.7 introduced some optimizations to avoid using the files for small tables. Many collation test results have been adjusted for MDEV-10191.
2017-09-16 22:31:53 +03:00
{
MDEV-17228 Encrypted temporary tables are not encrypted - Introduce a new variable called innodb_encrypt_temporary_tables which is a boolean variable. It decides whether to encrypt the temporary tablespace. - Encrypts the temporary tablespace based on full checksum format. - Introduced a new counter to track encrypted and decrypted temporary tablespace pages. - Warnings issued if temporary table creation has conflict value with innodb_encrypt_temporary_tables - Added a new test case which reads and writes the pages from/to temporary tablespace.
2019-06-27 16:23:03 +05:30
return(log_tmp_block_encrypt(src, size, dst, offs, false));
Merge 10.1 into 10.2 This should also fix the MariaDB 10.2.2 bug MDEV-13826 CREATE FULLTEXT INDEX on encrypted table fails. MDEV-12634 FIXME: Modify innodb-index-online, innodb-table-online so that they will write and read merge sort files. InnoDB 5.7 introduced some optimizations to avoid using the files for small tables. Many collation test results have been adjusted for MDEV-10191.
2017-09-16 22:31:53 +03:00
}
/** @return whether temporary files are encrypted */
inline bool log_tmp_is_encrypted() { return srv_encrypt_log; }
Push for testing of encryption
2014-12-22 16:53:17 +02:00
#endif // log0crypt.h
Reference in a new issue Copy permalink