Page encryption for XtraDB

.gitignore

@@ -1,3 +1,11 @@
+.cproject
+.project
+Debug/*
+pcre/*
+pcre3/*
+_32/*
+_64/*
+bld/*
 *-t
 *.a
 *.ctest

CMakeLists.txt

@@ -341,6 +341,7 @@ SET(CMAKE_INCLUDE_DIRECTORIES_PROJECT_BEFORE ON)
 ADD_DEFINITIONS(-DHAVE_CONFIG_H)
 INCLUDE_DIRECTORIES(${CMAKE_CURRENT_BINARY_DIR}/include)
 
+
 # Add bundled or system zlib.
 MYSQL_CHECK_ZLIB_WITH_COMPRESS()
 # Add bundled yassl/taocrypt or system openssl.
@@ -380,6 +381,7 @@ IF(WITH_UNIT_TESTS)
  ADD_SUBDIRECTORY(unittest/examples)
  ADD_SUBDIRECTORY(unittest/mysys)
  ADD_SUBDIRECTORY(unittest/my_decimal)
+ ADD_SUBDIRECTORY(unittest/eperi)
  IF(NOT WITHOUT_SERVER)
    ADD_SUBDIRECTORY(unittest/sql)
  ENDIF()

dbug/dbug.c

@@ -85,6 +85,7 @@
 #undef SAFE_MUTEX
 #include <m_string.h>
 #include <errno.h>
+#include <stdio.h>
 
 #ifndef DBUG_OFF
 
@@ -2184,6 +2185,51 @@ const char* _db_get_func_(void)
   return cs->func;
 }
 
+
+void dump_buffer(unsigned n, const unsigned char* buf) {
+int on_this_line = 0;
+int counter = 0;
+int cc =0;
+char ch =0;
+
+FILE* stream = stderr;
+fflush(stream);
+fprintf(stream, "%06X: ", counter);
+while (n-- > 0) {
+	fprintf(stream, "%02X ", *buf++);
+	on_this_line += 1;
+	if (on_this_line == 16 || n == 0) {
+		int i;
+		fprintf(stream, " ");
+		cc = on_this_line;
+		if (cc != 16) {
+
+
+		for (i = on_this_line; i < 16; i++) {
+			fprintf(stream,"   " );
+		}
+		}
+		for (i = on_this_line; i > 0; i--) {
+			ch =isprint(buf[-i]) ? buf[-i] : '.';
+			fprintf(stream,"%c",ch);
+		}
+
+		fprintf(stream,"\n" );
+
+		on_this_line = 0;
+		if (n!=0) fprintf(stream, "%06X: ", ++counter);
+
+
+	} else {
+	counter++;
+	}
+}
+fprintf( stream, "\n");
+fflush(stream);
+}
+
+
+
 #else
 
 /*

include/keyfile.h

@@ -0,0 +1,38 @@
+/* Copyright (C) 2014 eperi GmbH. All Rights Reserved.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA */
+
+/******************************************************************/
+#ifndef KEYFILE_H
+#define KEYFILE_H
+#include<stdio.h>
+
+struct keyentry {
+    int id;
+    char *iv;
+    char *key;
+};
+
+int
+parseFile(FILE * fp, struct keyentry **allKeys, const int k_len, const char *secret);
+
+int
+parseLine(const char *line, struct keyentry *entry, const int k_len);
+
+int
+isComment(char *line);
+
+char*
+trim(char *in);
+#endif

include/my_aes.h

@@ -1,6 +1,13 @@
 #ifndef MY_AES_INCLUDED
 #define MY_AES_INCLUDED
 
+#define AES_OK 0
+#define AES_BAD_DATA  -1
+#define AES_BAD_KEYSIZE -5
+#define AES_KEY_CREATION_FAILED -10
+
+#define MY_AES_BLOCK_SIZE 16 /* Block size in bytes */
+
 /* Copyright (c) 2002, 2006 MySQL AB, 2009 Sun Microsystems, Inc.
    Use is subject to license terms.
 
@@ -27,6 +34,57 @@ C_MODE_START
 
 #define AES_KEY_LENGTH 128		/* Must be 128 192 or 256 */
 
+
+/**
+  Crypt buffer with AES encryption algorithm.
+
+  SYNOPSIS
+     my_aes_encrypt()
+     @param source         [in]  Pointer to data for encryption
+     @param source_length  [in]  Size of encryption data
+     @param dest           [out] Buffer to place encrypted data (must be large enough)
+	 @param dest_length    [out] Pointer to size of encrypted data
+ 	 @param key            [in]  Key to be used for encryption
+     @param key_length     [in]  Length of the key. 16, 24 or 32
+	 @param iv             [in]  Iv to be used for encryption
+     @param iv_length      [in]  Length of the iv. should be 16.
+	 @param noPadding	   [in]  if set to true, no padding is used, input data size must be a mulitple of the AES block size
+
+  @return
+    != 0           error
+    0             no error
+*/
+int my_aes_encrypt_cbc(const char* source, uint32 source_length,
+					char* dest, uint32 *dest_length,
+					const unsigned char* key, uint8 key_length,
+					const unsigned char* iv, uint8 iv_length,
+					int noPadding);
+
+
+/**
+ * Calculate key and iv from a given salt and secret as it is handled in openssl encrypted files via console
+ *
+ * SYNOPSIS
+ * 	my_Bytes_To_Key()
+ * 	@param salt   [in]  the given salt as extracted from the encrypted file
+ * 	@param secret [in]  the given secret as String, provided by the user
+ * 	@param key    [out] 32 Bytes of key are written to this pointer
+ * 	@param iv     [out] 16 Bytes of iv are written to this pointer
+ */
+void my_bytes_to_key(const unsigned char *salt,
+		const char *secret, unsigned char *key,
+		unsigned char *iv);
+/**
+ 	 Decode Hexencoded String to uint8[].
+ 	 my_aes_hexToUint()
+ 	 @param iv		[in]	Pointer to hexadecimal encoded IV String
+ 	 @param dest	[out]	Pointer to output uint8 array. Memory needs to be allocated by caller
+ 	 @param iv_length [in]  Size of destination array.
+ */
+void my_aes_hexToUint(const char* in,
+		unsigned char *out,
+		int dest_length);
+
 /*
   my_aes_encrypt	- Crypt buffer with AES encryption algorithm.
   source		- Pointer to data for encryption
@@ -41,6 +99,31 @@ C_MODE_START
 int my_aes_encrypt(const char *source, int source_length, char *dest,
 		   const char *key, int key_length);
 
+/**
+  AES decryption - CBC mode
+
+  SYNOPSIS
+     my_aes_encrypt()
+     @param source         [in]  Pointer to data to decrypt
+     @param source_length  [in]  Size of data
+     @param dest           [out] Buffer to place decrypted data (must be large enough)
+	 @param dest_length    [out] Pointer to size of decrypted data
+ 	 @param key            [in]  Key to be used for decryption
+     @param key_length     [in]  Length of the key. 16, 24 or 32
+ 	 @param iv             [in]  Iv to be used for encryption
+     @param iv_length      [in]  Length of the iv. should be 16.
+	 @param noPadding	   [in]  if set to true, no padding is used, input data size must be a mulitple of the AES block size
+
+  @return
+    != 0           error
+    0             no error
+*/
+int my_aes_decrypt_cbc(const char* source, uint32 source_length,
+					char* dest, uint32 *dest_length,
+					const unsigned char* key, uint8 key_length,
+					const unsigned char* iv, uint8 iv_length,
+					int noPadding);
+
 /*
   my_aes_decrypt	- DeCrypt buffer with AES encryption algorithm.
   source		- Pointer to data for decryption

include/my_dbug.h

@@ -52,6 +52,9 @@ extern  void _db_return_(uint _line_, struct _db_stack_frame_ *_stack_frame_);
 extern  void _db_pargs_(uint _line_,const char *keyword);
 extern  void _db_doprnt_(const char *format,...)
   ATTRIBUTE_FORMAT(printf, 1, 2);
+
+extern void dump_buffer(unsigned n, const unsigned char* buf);
+
 extern  void _db_dump_(uint _line_,const char *keyword,
                        const unsigned char *memory, size_t length);
 extern  void _db_end_(void);

include/mysql/plugin.h

@@ -175,6 +175,9 @@ enum enum_mysql_show_type
   SHOW_always_last
 };
 
+
+
+
 /* backward compatibility mapping. */
 #define SHOW_INT      SHOW_UINT
 #define SHOW_LONG     SHOW_ULONG

mysql-test/r/enc.result

@@ -0,0 +1,20 @@
+DROP TABLE IF EXISTS t1;
+DROP DATABASE IF EXISTS test;
+CREATE DATABASE test;
+USE test;
+set @save_storage_engine= @@storage_engine;
+set storage_engine=InnoDB;
+CREATE TABLE t1 (id int)
+PAGE_ENCRYPTION='abc';
+ERROR HY000: Incorrect value 'abc' for option 'PAGE_ENCRYPTION'
+CREATE TABLE t1 (id int)
+PAGE_ENCRYPTION=1
+PAGE_ENCRYPTION_KEY='0xFFC';
+ERROR HY000: Incorrect value '0xFFC' for option 'PAGE_ENCRYPTION_KEY'
+CREATE TABLE t1 (id int(11)) 
+PAGE_ENCRYPTION=1 
+PAGE_ENCRYPTION_KEY=42;
+INSERT INTO t1(id) values(1);
+SELECT * FROM t1;
+id
+1

mysql-test/t/enc.test

@@ -0,0 +1,28 @@
+-- source include/have_xtradb.inc
+
+--disable_warnings
+DROP TABLE IF EXISTS t1;
+DROP DATABASE IF EXISTS test;
+--enable_warnings
+
+CREATE DATABASE test;
+USE test;
+set @save_storage_engine= @@storage_engine;
+set storage_engine=InnoDB;
+
+--error ER_BAD_OPTION_VALUE
+CREATE TABLE t1 (id int)
+ PAGE_ENCRYPTION='abc';
+
+--error ER_BAD_OPTION_VALUE
+CREATE TABLE t1 (id int)
+ PAGE_ENCRYPTION=1
+ PAGE_ENCRYPTION_KEY='0xFFC';
+
+CREATE TABLE t1 (id int(11)) 
+ PAGE_ENCRYPTION=1 
+ PAGE_ENCRYPTION_KEY=42;
+
+INSERT INTO t1(id) values(1);
+SELECT * FROM t1;
+

mysys/CMakeLists.txt

@@ -41,7 +41,7 @@ SET(MYSYS_SOURCES  array.c charset-def.c charset.c checksum.c my_default.c
 				my_atomic.c my_getncpus.c my_safehash.c my_chmod.c my_rnd.c
                                 my_uuid.c wqueue.c waiting_threads.c ma_dyncol.c
 				my_rdtsc.c my_context.c psi_noop.c
-                                file_logger.c)
+                                file_logger.c )
 
 IF (WIN32)
  SET (MYSYS_SOURCES ${MYSYS_SOURCES} my_winthread.c my_wincond.c my_winerr.c my_winfile.c my_windac.c my_conio.c)
@@ -70,7 +70,7 @@ IF(HAVE_MLOCK)
 ENDIF()
 
 ADD_CONVENIENCE_LIBRARY(mysys ${MYSYS_SOURCES})
-TARGET_LINK_LIBRARIES(mysys dbug strings ${ZLIB_LIBRARY} 
+TARGET_LINK_LIBRARIES(mysys dbug strings mysys_ssl ${ZLIB_LIBRARY} 
  ${LIBNSL} ${LIBM} ${LIBRT} ${LIBSOCKET} ${LIBEXECINFO})
 DTRACE_INSTRUMENT(mysys)