Instead of encrypt(src, dst, key, iv) that encrypts all
data in one go, now we have encrypt_init(key,iv),
encrypt_update(src,dst), and encrypt_finish(dst).
This also causes collateral changes in the internal my_crypt.cc
encryption functions and in the encryption service.
There are wrappers to provide the old all-at-once encryption
functionality. But binlog events are often written piecewise,
they'll need the new api.
fix encryption of the last partial block
* now really encrypt it, using key and iv
* support the case of very short plaintext (less than one block)
* recommend aes_ctr over aes_cbc, because the former
doesn't have problems with partial blocks
Tell OpenSSL to use MD5 even if FIPS prohibits it.
This is fine as long as we do not use MD5 for cryptographical
purposes (md5 is used internally for P_S message digests and for view
checksums)
* no --encryption-algorithm option anymore
* encrypt/decrypt methods in the encryption plugin
* ecnrypt/decrypt methods in the encryption_km service
* file_km plugin has --file-key-management-encryption-algorithm
* debug_km always uses aes_cbc
* example_km changes between aes_cbc and aes_ecb for different key versions
Two problems:
- Read/Write outside of buffer at memcpy() because of incorrect parameters
. OPENSSL_assert(EVP_CIPHER_CTX_iv_length(&ctx.ctx) == iv_length); // ECB does not use IV, thus incorrect assertion
Added:
mysql-test/include/encryption_algorithms.combinations to run tests with methods cbc, ecb and ctr in
those systems where they are available (see suite.pm).
When wsrep is enabled, an md5 hash of the entire row is calculated
for tables with no PK. It, however segfaulted as the md5 context
object was not properly constructed.
Fixed by ensuring that the YaSSL's context object gets constructed
explicitly at the specified pre-allocated location (placement)
before its used.
Added a test case.
