MDEV-28279: Hashicorp: Cannot migrate hexadecimal keys from file key management

This commit fixes a bug in the algorithm for converting hexadecimal strings to binary key values, which leads to incompatibility with other plugins and reduces the effective information capacity of the keys. The new key conversion algorithm is incompatible with tables which alrady encrypted using a old plugin (plugin version less than or equalt to the 1.05).
2025-01-15 19:42:28 +01:00 · 2022-05-06 15:01:08 +02:00 · 2022-05-06 15:01:08 +02:00 · 2e14f2c889
commit 2e14f2c889
parent 94841ba656
4 changed files with 100 additions and 4 deletions
--- a/plugin/hashicorp_key_management/hashicorp_key_management_plugin.cc
+++ b/plugin/hashicorp_key_management/hashicorp_key_management_plugin.cc
@ -636,7 +636,7 @@ static inline int c2xdigit (int c)
 {
  if (c > 9)
  {
-    c -= 'A' - '0';
+    c -= 'A' - '0' - 10;
    if (c > 15)
    {
      c -= 'a' - 'A';
@ -1380,10 +1380,10 @@ maria_declare_plugin(hashicorp_key_management)
  PLUGIN_LICENSE_GPL,
  hashicorp_key_management_plugin_init,
  hashicorp_key_management_plugin_deinit,
-  0x0105 /* 1.05 */,
+  0x0200 /* 2.0 */,
  NULL, /* status variables */
  settings,
-  "1.05",
+  "2.0",
  MariaDB_PLUGIN_MATURITY_STABLE
 }
 maria_declare_plugin_end;
--- a/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_key_migration.result
+++ b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_key_migration.result
@ -0,0 +1,39 @@
+# restart: with restart_parameters
+CREATE TABLE t1 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=1;
+INSERT INTO t1 VALUES ('foo'),('bar');
+SELECT * FROM t1;
+a
+foo
+bar
+# restart: with restart_parameters
+CREATE TABLE t2 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=1;
+INSERT INTO t2 VALUES ('baz'),('qux');
+SELECT * FROM t2;
+a
+baz
+qux
+#
+# This should not fail, but it does if the bug is not fixed
+#
+SELECT * FROM t1;
+a
+foo
+bar
+SHOW WARNINGS;
+Level	Code	Message
+# restart: with restart_parameters
+SELECT * FROM t1;
+a
+foo
+bar
+#
+# This should not fail, but it does if the bug is not fixed
+#
+SELECT * FROM t2;
+a
+baz
+qux
+SHOW WARNINGS;
+Level	Code	Message
+DROP TABLE t1, t2;
+# restart
--- a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_init.inc
+++ b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_init.inc
@ -1,7 +1,7 @@
 --exec vault secrets disable mariadbtest > /dev/null
 --exec vault secrets enable -path /mariadbtest -version=2 kv > /dev/null
 --exec vault kv put /mariadbtest/1 data="123456789ABCDEF0123456789ABCDEF0" > /dev/null
--exec vault kv put /mariadbtest/2 data="23456789ABCDEF0123456789ABCDEF01" > /dev/null
+--exec vault kv put /mariadbtest/2 data="23456789ABCDEF0123456789ABCDef01" > /dev/null
 --exec vault kv put /mariadbtest/3 data="00000000000000000000000000000000" > /dev/null
 --exec vault kv put /mariadbtest/3 data="00000000000000000000000000000001" > /dev/null
 --exec vault kv put /mariadbtest/4 data="456789ABCDEF0123456789ABCDEF0123" > /dev/null
--- a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_key_migration.test
+++ b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_key_migration.test
@ -0,0 +1,57 @@
+# MDEV-28279: Cannot migrate hexadecimal keys from file key management
+
+# The test presumes that the local vault is running at $VAULT_ADDR,
+# and the token is configured in $VAULT_TOKEN.
+
+--source include/have_innodb.inc
+--source hashicorp_plugin.inc
+
+--let $my_key=012345678901234567890123456789aB
+--exec echo "1;$my_key" > $MYSQL_TMP_DIR/mykeys.txt
+--let $restart_parameters=--plugin-load-add=file_key_management --loose-file-key-management-filename=$MYSQL_TMP_DIR/mykeys.txt --hashicorp-key-management=off
+--let $restart_noprint=1
+--source include/restart_mysqld.inc
+
+if (`SELECT COUNT(*)=0 FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME = 'file_key_management' AND PLUGIN_STATUS='ACTIVE'`)
+{
+  --skip Test requires file_key_management plugin
+}
+
+CREATE TABLE t1 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=1;
+INSERT INTO t1 VALUES ('foo'),('bar');
+SELECT * FROM t1;
+
+--exec vault secrets disable bug > /dev/null
+--exec vault secrets enable -path /bug -version=2 kv > /dev/null
+--exec vault kv put /bug/1 data=$my_key > /dev/null
+--let $restart_parameters=--plugin-load-add=hashicorp_key_management --hashicorp-key-management-vault-url="$VAULT_ADDR/v1/bug/" --hashicorp-key-management-token="$VAULT_TOKEN"
+--source include/restart_mysqld.inc
+
+CREATE TABLE t2 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=1;
+INSERT INTO t2 VALUES ('baz'),('qux');
+SELECT * FROM t2;
+--echo #
+--echo # This should not fail, but it does if the bug is not fixed
+--echo #
+--error 0,1932,1877
+SELECT * FROM t1;
+SHOW WARNINGS;
+
+--let $restart_parameters=--plugin-load-add=file_key_management --file-key-management-filename=$MYSQL_TMP_DIR/mykeys.txt --hashicorp-key-management=off
+--source include/restart_mysqld.inc
+
+SELECT * FROM t1;
+--echo #
+--echo # This should not fail, but it does if the bug is not fixed
+--echo #
+--error 0,1932,1877
+SELECT * FROM t2;
+SHOW WARNINGS;
+
+# Cleanup
+DROP TABLE t1, t2;
+
+--exec vault secrets disable bug > /dev/null
+
+--let $restart_parameters=
+--source include/restart_mysqld.inc