MySQL 9.0.1
Source Code Documentation
|
Encryption algorithm. More...
#include <os0enc.h>
Public Types | |
enum | Type { NONE = 0 , AES = 1 } |
Algorithm types supported. More... | |
enum | Version { VERSION_1 = 0 , VERSION_2 = 1 , VERSION_3 = 2 } |
Encryption information format version. More... | |
enum class | Progress { ENCRYPTION , DECRYPTION , NONE } |
Encryption progress type. More... | |
enum class | Resume_point { INIT , PROCESS , END , DONE } |
Encryption operation resume point after server restart. More... | |
Public Member Functions | |
Encryption () noexcept | |
Default constructor. More... | |
Encryption (Type type) noexcept | |
Specific constructor. More... | |
Encryption (const Encryption &other) noexcept=default | |
Copy constructor. More... | |
Encryption & | operator= (const Encryption &)=default |
bool | encrypt_log_block (byte *src_ptr, byte *dst_ptr) const noexcept |
Encrypt the redo log block (OS_FILE_LOG_BLOCK_SIZE bytes). More... | |
bool | encrypt_log (byte *src, size_t src_len, byte *dst) const noexcept |
Encrypt the redo log data blocks. More... | |
byte * | encrypt (const IORequest &type, byte *src, ulint src_len, byte *dst, ulint *dst_len) const noexcept |
Encrypt the page data contents. More... | |
dberr_t | decrypt_log_block (byte *buf) const noexcept |
Decrypt the log block (OS_FILE_LOG_BLOCK_SIZE bytes) in place. More... | |
dberr_t | decrypt_log (byte *buf, size_t buf_len) const noexcept |
Decrypt the redo log data blocks in place. More... | |
dberr_t | decrypt (const IORequest &type, byte *src, ulint src_len, byte *tmp, ulint tmp_len) const noexcept |
Decrypt the page data contents in place. More... | |
Type | get_type () const |
Get encryption type. More... | |
bool | is_none () const noexcept |
Check if the encryption algorithm is NONE. More... | |
void | set_type (Type type) |
Set encryption type. More... | |
void | set_key (const byte *key) |
Set encryption key. More... | |
ulint | get_key_length () const |
Get key length. More... | |
void | set_key_length (ulint klen) |
Set key length. More... | |
void | set_initial_vector (const byte *iv) |
Set initial vector. More... | |
void | set (const struct Encryption_metadata &metadata) noexcept |
Uses metadata to configure this instance. More... | |
Static Public Member Functions | |
static bool | is_encrypted_page (const byte *page) noexcept |
Check if page is encrypted page or not. More... | |
static bool | is_encrypted_log (const byte *block) noexcept |
Check if a log block is encrypted or not. More... | |
static dberr_t | validate (const char *option) noexcept |
Validate the algorithm string. More... | |
static const char * | to_string (Type type) noexcept |
Convert to a "string". More... | |
static bool | is_none (const char *algorithm) noexcept |
Check if the string is "empty" or "none". More... | |
static void | random_value (byte *value) noexcept |
Generate random encryption value for key and iv. More... | |
static void | set_or_generate (Type type, byte *key, byte *iv, Encryption_metadata &metadata) |
Copy the given encryption metadata to the given Encryption_metadata object, if both key != nullptr and iv != nullptr. More... | |
static void | create_master_key (byte **master_key) noexcept |
Create new master key for key rotation. More... | |
static void | get_master_key (uint32_t master_key_id, char *srv_uuid, byte **master_key) noexcept |
Get master key by key id. More... | |
static void | get_master_key (uint32_t *master_key_id, byte **master_key) noexcept |
Get current master key and key id. More... | |
static bool | fill_encryption_info (const Encryption_metadata &encryption_metadata, bool encrypt_key, byte *encrypt_info) noexcept |
Fill the encryption information. More... | |
static const byte * | get_master_key_from_info (const byte *encrypt_info, Version version, uint32_t *m_key_id, char *srv_uuid, byte **master_key) noexcept |
Get master key from encryption information. More... | |
static bool | is_encrypted_with_version (const byte *encryption_info, const char *version_magic_bytes) noexcept |
Checks if encryption info bytes represent data encrypted by the given version of the encryption mechanism. More... | |
static bool | is_encrypted_with_v3 (const byte *encryption_info) noexcept |
Checks if encryption info bytes represent data encrypted by version V3 of the encryption mechanism. More... | |
static bool | is_encrypted (const byte *encryption_info) noexcept |
Checks if encryption info bytes represent data encrypted by any of known versions of the encryption mechanism. More... | |
static bool | decode_encryption_info (Encryption_metadata &encryption_metadata, const byte *encryption_info, bool decrypt_key) noexcept |
Decoding the encryption info from the given array of bytes, which are assumed not to be related to any particular tablespace. More... | |
static bool | decode_encryption_info (space_id_t space_id, Encryption_key &e_key, const byte *encryption_info, bool decrypt_key) noexcept |
Decoding the encryption info from the given array of bytes, which are assumed to be related to a given tablespace (unless space_id == dict_sys_t::s_invalid_space_id). More... | |
static bool | check_keyring () noexcept |
Check if keyring plugin loaded. More... | |
static uint32_t | get_master_key_id () |
Get master key id. More... | |
Static Public Attributes | |
static constexpr char | KEY_MAGIC_V1 [] = "lCA" |
Encryption magic bytes for 5.7.11, it's for checking the encryption information version. More... | |
static constexpr char | KEY_MAGIC_V2 [] = "lCB" |
Encryption magic bytes for 5.7.12+, it's for checking the encryption information version. More... | |
static constexpr char | KEY_MAGIC_V3 [] = "lCC" |
Encryption magic bytes for 8.0.5+, it's for checking the encryption information version. More... | |
static constexpr char | MASTER_KEY_PREFIX [] = "INNODBKey" |
Encryption master key prefix. More... | |
static constexpr size_t | KEY_LEN = 32 |
Encryption key length. More... | |
static constexpr char | DEFAULT_MASTER_KEY [] = "DefaultMasterKey" |
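Default master key for bootstrap. Note that this is a fixed constant whose value is published in the source, so it cannot by itself keep anything it protects confidential. More... | |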
static constexpr size_t | MAGIC_SIZE = 3 |
Encryption magic bytes size. More... | |
static constexpr size_t | MASTER_KEY_PRIFIX_LEN = 9 |
Encryption master key prefix size. More... | |
static constexpr size_t | MASTER_KEY_NAME_MAX_LEN = 100 |
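Encryption master key prefix size (the constant's name indicates the maximum length of the master key name; this description appears to duplicate the one for MASTER_KEY_PRIFIX_LEN). More... | |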
static constexpr size_t | SERVER_UUID_LEN = 36 |
Length of the UUID of the server instance; the UUID is needed for composing the master key name. More... | |
static constexpr size_t | INFO_SIZE |
Encryption information total size: magic number + master_key_id + key + iv + server_uuid + checksum. More... | |
static constexpr size_t | INFO_MAX_SIZE = INFO_SIZE + sizeof(uint32) |
Maximum size of Encryption information considering all formats v1, v2 & v3. More... | |
static constexpr uint32_t | DEFAULT_MASTER_KEY_ID = 0 |
Default master key id for bootstrap. More... | |
static constexpr size_t | OPERATION_INFO_SIZE = 1 |
(De)Encryption Operation information size More... | |
static constexpr size_t | PROGRESS_INFO_SIZE = sizeof(uint) |
Encryption Progress information size. More... | |
static constexpr size_t | ENCRYPT_IN_PROGRESS = 1 << 0 |
Flag bit to indicate if Encryption/Decryption is in progress. More... | |
static constexpr size_t | DECRYPT_IN_PROGRESS = 1 << 1 |
Decryption in progress. More... | |
static std::vector< space_id_t > | s_tablespaces_to_reencrypt |
Tablespaces whose key needs to be reencrypted. More... | |
Private Member Functions | |
bool | encrypt_low (byte *src, ulint src_len, byte *dst, ulint *dst_len) const noexcept |
Encrypt the page data contents. More... | |
Private Attributes | |
Type | m_type |
Encrypt type. More... | |
const byte * | m_key |
Encrypt key. More... | |
ulint | m_klen |
Encrypt key length. More... | |
const byte * | m_iv |
Encrypt initial vector. More... | |
Static Private Attributes | |
static uint32_t | s_master_key_id = Encryption::DEFAULT_MASTER_KEY_ID |
Current master key id. More... | |
static char | s_uuid [SERVER_UUID_LEN+1] = {0} |
Current uuid of server instance. More... | |
Encryption algorithm.
|
strong |
|
strong |
enum Encryption::Type |
enum Encryption::Version |
|
inlinenoexcept |
Default constructor.
|
inlineexplicitnoexcept |
Specific constructor.
[in] | type | Algorithm type |
|
defaultnoexcept |
Copy constructor.
|
staticnoexcept |
Check if keyring plugin loaded.
|
staticnoexcept |
Create new master key for key rotation.
[in,out] | master_key | master key |
|
staticnoexcept |
Decoding the encryption info from the given array of bytes, which are assumed not to be related to any particular tablespace.
[out] | encryption_metadata | decoded encryption metadata |
[in] | encryption_info | encryption info to decode |
[in] | decrypt_key | decrypt key using master key |
|
staticnoexcept |
Decoding the encryption info from the given array of bytes, which are assumed to be related to a given tablespace (unless space_id == dict_sys_t::s_invalid_space_id).
The given tablespace is recorded in s_tablespaces_to_reencrypt if the encryption info was successfully decrypted using the master key and the space_id is not dict_sys_t::s_invalid_space_id. For such tablespaces the encryption info is later re-encrypted using the rotated master key in innobase_dict_recover().
[in] | space_id | Tablespace id |
[in,out] | e_key | key, iv |
[in] | encryption_info | encryption info to decode |
[in] | decrypt_key | decrypt key using master key |
|
noexcept |
Decrypt the page data contents in place.
Page type must be one of FIL_PAGE_ENCRYPTED, FIL_PAGE_COMPRESSED_AND_ENCRYPTED, FIL_PAGE_ENCRYPTED_RTREE; otherwise the source contents are left unchanged and DB_SUCCESS is returned. DB_SUCCESS alone therefore does not indicate that any decryption took place.
[in] | type | IORequest |
[in,out] | src | data read from disk; the decrypted data will be copied to this page |
[in] | src_len | source data length |
[in,out] | tmp | scratch area to use for decrypt |
[in] | tmp_len | size of the scratch area in bytes |
Decrypt the redo log data blocks in place.
[in,out] | buf | pointer to the first block to decrypt in place |
[in] | buf_len | length of the buffer in bytes, must be a multiple of OS_FILE_LOG_BLOCK_SIZE |
Decrypt the log block (OS_FILE_LOG_BLOCK_SIZE bytes) in place.
[in,out] | buf | a buffer which contains a single redo log block to be decrypted in place |
|
noexcept |
Encrypt the page data contents.
Page type can't be FIL_PAGE_ENCRYPTED, FIL_PAGE_COMPRESSED_AND_ENCRYPTED, FIL_PAGE_ENCRYPTED_RTREE.
[in] | type | IORequest |
[in,out] | src | page data to encrypt |
[in] | src_len | size of the source in bytes |
[in,out] | dst | destination area |
[in,out] | dst_len | size of the destination in bytes |
Encrypt the redo log data blocks.
On success the buffer provided by caller as dst will contain src_len bytes of encrypted redo log.
[in,out] | src | pointer to the first block to encrypt |
[in] | src_len | size of the source in bytes, must be a multiple of OS_FILE_LOG_BLOCK_SIZE |
[in,out] | dst | destination area. Must be at least src_len bytes long. Must not overlap with src. |
Encrypt the redo log block (OS_FILE_LOG_BLOCK_SIZE bytes).
[in,out] | src_ptr | redo log block to encrypt |
[in,out] | dst_ptr | destination area, must not overlap with src_ptr |
|
privatenoexcept |
Encrypt the page data contents.
Page type can't be FIL_PAGE_ENCRYPTED, FIL_PAGE_COMPRESSED_AND_ENCRYPTED, FIL_PAGE_ENCRYPTED_RTREE.
[in] | src | page data to encrypt |
[in] | src_len | size of the source in bytes |
[in,out] | dst | destination area |
[in,out] | dst_len | size of the destination in bytes |
|
staticnoexcept |
Fill the encryption information.
[in] | encryption_metadata | encryption metadata (key,iv) |
[in] | encrypt_key | encrypt with master key |
[out] | encrypt_info | encryption information |
ulint Encryption::get_key_length | ( | ) | const |
Get key length.
|
staticnoexcept |
Get current master key and key id.
[in,out] | master_key_id | master key id |
[in,out] | master_key | master key |
|
staticnoexcept |
Get master key by key id.
[in] | master_key_id | master key id |
[in] | srv_uuid | uuid of server instance |
[in,out] | master_key | master key |
|
staticnoexcept |
Get master key from encryption information.
[in] | encrypt_info | encryption information |
[in] | version | version of encryption information |
[in,out] | m_key_id | master key id |
[in,out] | srv_uuid | server uuid |
[in,out] | master_key | master key |
|
static |
Get master key id.
Encryption::Type Encryption::get_type | ( | ) | const |
Get encryption type.
|
staticnoexcept |
Checks if encryption info bytes represent data encrypted by any of known versions of the encryption mechanism.
Note that if the encryption_info was read from a file created by a newer MySQL version, its format may be unknown to this MySQL version, and this function would return false. A false result therefore means "not a recognized encryption format", not necessarily "not encrypted".
[in] | encryption_info | encryption info bytes |
|
staticnoexcept |
Check if a log block is encrypted or not.
[in] | block | block to check |
|
staticnoexcept |
Check if page is encrypted page or not.
[in] | page | page to check |
|
staticnoexcept |
Checks if encryption info bytes represent data encrypted by version V3 of the encryption mechanism.
[in] | encryption_info | encryption info bytes |
|
staticnoexcept |
Checks if encryption info bytes represent data encrypted by the given version of the encryption mechanism.
[in] | encryption_info | encryption info bytes |
[in] | version_magic_bytes | magic bytes which represent version of the encryption mechanism, for example: Encryption::KEY_MAGIC_V3 |
|
inlinenoexcept |
Check if the encryption algorithm is NONE.
|
staticnoexcept |
Check if the string is "empty" or "none".
[in] | algorithm | Encryption algorithm to check |
|
default |
|
staticnoexcept |
Generate random encryption value for key and iv.
[in,out] | value | Encryption value |
|
noexcept |
Uses metadata to configure this instance.
Caller must ensure that the metadata object outlives this instance, because this instance does not copy the iv and key but references the ones stored inside the metadata object. The key_len and type are copied by value.
void Encryption::set_initial_vector | ( | const byte * | iv | ) |
Set initial vector.
[in] | iv | initial_vector |
void Encryption::set_key | ( | const byte * | key | ) |
Set encryption key.
[in] | key | encryption key |
void Encryption::set_key_length | ( | ulint | klen | ) |
Set key length.
[in] | klen | key length |
|
static |
Copy the given encryption metadata to the given Encryption_metadata object, if both key != nullptr and iv != nullptr.
If both key == nullptr and iv == nullptr, new metadata is generated randomly and stored in the given Encryption_metadata object. Must not be called with exactly one of key and iv being nullptr, i.e. with (key == nullptr) != (iv == nullptr).
[in] | type | encryption algorithm type to store |
[in] | key | encryption key to copy or nullptr to generate |
[in] | iv | encryption iv to copy or nullptr to generate |
[out] | metadata | filled Encryption_metadata object |
void Encryption::set_type | ( | Encryption::Type | type | ) |
Set encryption type.
[in] | type | encryption type |
|
staticnoexcept |
Convert to a "string".
[in] | type | The encryption type |
|
staticnoexcept |
Validate the algorithm string.
[in] | option | Encryption option |
|
staticconstexpr |
Decryption in progress.
|
staticconstexpr |
Default master key for bootstrap.
|
staticconstexpr |
Default master key id for bootstrap.
|
staticconstexpr |
Flag bit to indicate if Encryption/Decryption is in progress.
Maximum size of Encryption information considering all formats v1, v2 & v3.
|
staticconstexpr |
Encryption information total size: magic number + master_key_id + key + iv + server_uuid + checksum.
|
staticconstexpr |
Encryption key length.
|
staticconstexpr |
Encryption magic bytes for 5.7.11, it's for checking the encryption information version.
|
staticconstexpr |
Encryption magic bytes for 5.7.12+, it's for checking the encryption information version.
|
staticconstexpr |
Encryption magic bytes for 8.0.5+, it's for checking the encryption information version.
|
private |
Encrypt initial vector.
|
private |
Encrypt key.
|
private |
Encrypt key length.
|
private |
Encrypt type.
|
staticconstexpr |
Encryption magic bytes size.
|
staticconstexpr |
Encryption master key prefix size.
|
staticconstexpr |
Encryption master key prefix.
|
staticconstexpr |
Encryption master key prefix size.
|
staticconstexpr |
(De)Encryption Operation information size
|
staticconstexpr |
Encryption Progress information size.
|
staticprivate |
Current master key id.
|
static |
Tablespaces whose key needs to be reencrypted.
|
staticprivate |
Current uuid of server instance.
|
staticconstexpr |
UUID of server instance, it's needed for composing master key name.