MySQL 9.0.0
Source Code Documentation
rpl_log_encryption.h
Go to the documentation of this file.
1/* Copyright (c) 2018, 2024, Oracle and/or its affiliates.
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License, version 2.0,
5 as published by the Free Software Foundation.
6
7 This program is designed to work with certain software (including
8 but not limited to OpenSSL) that is licensed under separate terms,
9 as designated in a particular file or component or in included license
10 documentation. The authors of MySQL hereby grant you an additional
11 permission to link the program and your derivative works with the
12 separately licensed software that they have either included with
13 the program or referenced in the documentation.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License, version 2.0, for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
23
24#ifndef RPL_LOG_ENCRYPTION_INCLUDED
25#define RPL_LOG_ENCRYPTION_INCLUDED
26
27#include <openssl/evp.h>
28#include <sql/stream_cipher.h>
29#include <stdint.h>
30#include <map>
31#include <string>
32#include "my_inttypes.h"
33
34class Basic_istream;
35class Basic_ostream;
36class THD;
37
38/**
39 @file rpl_log_encryption.h
40
41 @brief This file includes the major components for encrypting/decrypting
42 binary log files.
43
44 * Replication logs
45
46 Here, replication logs includes both the binary and relay log files.
47
48 * File Level Encryption
49
50 - All standard binary log file data (including BINLOG_MAGIC) in replication
51 logs are encrypted.
52
53 - A replication log file is either encrypted or not (standard binary log
54 file). It is not possible that part of a log file is encrypted and part
55 of it is non-encrypted.
56
57 - There is an encryption header in the begin of each encrypted replication
58 log file.
59
60 <pre>
61 +--------------------+
62 | Encryption Header |
63 +--------------------+
64 | Encrypted Data |
65 +--------------------+
66 </pre>
67
68 The encrypted replication file header includes necessary information to
69 decrypt the encrypted data of the file (the standard binary log file
70 data). For detail, check Rpl_encryption_header class.
71
72 * Two Tier Keys
73
74 Replication logs are encrypted with two tier keys. A 'File Password' for
75 encrypting the standard binary log file data and a 'Replication Encryption
76 Key' for encrypting the 'File Password'.
77
78 - File password
79
80 Each replication log file has a password. A file key used to encrypt the
81 file is generated from the file password. The encrypted 'File Password'
82 is stored into encryption header of the file. For details, check
83 Rpl_encryption_header class.
84
85 - Replication encryption key
86
87 A replication encryption key is used to encrypt/decrypt the file
88 password stored in an encrypted replication file header. It is generated
89 by keyring and stored in/retrieved from keyring.
90*/
91#ifdef MYSQL_SERVER
92
93/**
94 The Rpl_encryption class is the container for the binlog encryption feature
95 generic and server instance functions.
96*/
98 public:
100 std::string m_id;
102 };
103
104 Rpl_encryption() = default;
109
110 enum class Keyring_status {
111 SUCCESS = 0,
113 KEY_NOT_FOUND = 2,
120 };
121 /**
122 A wrapper function to throw a binlog encryption keyring error.
123 The wrapper will decide if the error will be reported to the client session
124 or to the server error log according to current_thd.
125
126 @param error The Keyring_status to be reported.
127 */
129 /**
130 A wrapper function to throw a replication logs encryption keyring error,
131 reporting also the key ID.
132 The wrapper will decide if the error will be reported to the client session
133 or to the server error log according to current_thd.
134
135 @param error The Keyring_status to be reported.
136 @param key_id The key ID to appear in the error message.
137 */
138 static void report_keyring_error(Keyring_status error, const char *key_id);
139
140 /**
141 Replication encryption master key rotation process is recoverable. The
142 steps defined in the enum class below are the steps from which the rotation
143 process may continue after an unexpected interruption.
144 */
145 enum class Key_rotation_step {
146 START,
154 };
155
156 /**
157 Initialize the rpl_encryption instance. This initialization shall be called
158 after generating/loading the server UUID and before opening new binary and
159 relay log files for writing.
160
161 When the replication_logs_encrypt option is on at server startup, the
162 initialization process will try to recover master key and may generate
163 a new replication master key if needed.
164
165 @retval false Success.
166 @retval true Error.
167 */
168 bool initialize();
169 /**
170 Remove remaining old/new master key index in order to cleanup any previous
171 master key rotation.
172
173 @retval false Success.
174 @retval true Error.
175 */
177 /**
178 Recover the replication encryption master key from keyring.
179
180 The recovery of the master key process starts by trying to read the
181 replication master key information from keyring (the master key sequence
182 number, and the master key itself).
183
184 Then, if detected that a key rotation did not completed properly, tries to
185 continue the master key rotation.
186
187 When recovery is successful, the m_master_key_recovered flag is set true.
188
189 @retval false Success.
190 @retval true Error.
191 */
192 bool recover_master_key();
193 /**
194 Return the current replication encryption master key.
195
196 @return The current replication encryption master key.
197 */
198 const Rpl_encryption_key get_master_key();
199
200 /**
201 Get the key with given key ID. The key to be returned will be retrieved
202 from the keyring or from a cached copy in memory.
203
204 @param[in] key_id ID of the key to be returned.
205 @param[in] key_type Expected type of the key to be returned.
206
207 @return A pair containing the status of the operation (Keyring_status) and
208 a Key_string. Errors shall be checked by consulting the status.
209 */
210 static std::pair<Keyring_status, Key_string> get_key(
211 const std::string &key_id, const std::string &key_type);
212
213 /**
214 Get the key with given key ID. The key to be returned will be retrieved
215 from the keyring or from a cached copy in memory.
216
217 @param[in] key_id ID of the key to be returned.
218 @param[in] key_type Expected type of the key to be returned.
219 @param[in] key_size Expected size of the key to be returned.
220
221 @return A pair containing the status of the operation (Keyring_status) and
222 a Key_string. Errors shall be checked by consulting the status.
223 */
224 static std::pair<Keyring_status, Key_string> get_key(
225 const std::string &key_id, const std::string &key_type, size_t key_size);
226
227 /**
228 Enable binlog encryption option. It will generate a new global key if
229 there is no master key yet. Then rotate replication logs to make encryption
230 effective immediately.
231
232 Replication logs rotation errors don't fail, but they will throw a warning.
233
234 @param[in] thd the thd object of the session.
235
236 @retval false Success.
237 @retval true Error. If error happens when generating new key, it will fail.
238 */
239 bool enable(THD *thd);
240 /**
241 Disable binlog encryption option. It rotates replication logs to make
242 encryption ineffective immediately.
243
244 Replication logs rotation errors don't fail, but they will throw a warning.
245
246 @param[in] thd the thd object of the session.
247 */
248 void disable(THD *thd);
249 /**
250 Return is the replication logs encryption feature is enabled.
251
252 @retval false The feature is disabled.
253 @retval true The feature is enabled.
254 */
255 bool is_enabled();
256 const bool &get_enabled_var();
258 /**
259 Purge unused master keys from Keyring.
260
261 @retval false Success.
262 @retval true Error.
263 */
264 bool purge_unused_keys();
265 /**
266 Rotate the master key.
267
268 @param step Step to start the process (it might be recovering).
269 @param new_master_key_seqno When recovering, this is the new master key
270 sequence number detected by recovery process.
271 @retval false Success.
272 @retval true Error.
273 */
275 uint32_t new_master_key_seqno = 0);
276
277 private:
278 /* Define the keyring key type for keys storing sequence numbers */
279 static const char *SEQNO_KEY_TYPE;
280 /* Define the keyring key length for keys storing sequence numbers */
281 static const int SEQNO_KEY_LENGTH = 16;
282 /*
283 Sys_binlog_encryption uses m_enabled as the storage of global var
284 binlog_encryption.
285 */
286 bool m_enabled = false;
287 /*
288 Sys_binlog_rotate_encryption_master_key_at_startup uses
289 m_rotate_at_startup as the storage of global var
290 binlog_rotate_encryption_master_key_at_startup.
291 */
293#ifndef NDEBUG
294 /*
295 This variable is only used to assert that enable(), disable() and
296 get_master_key() functions are called only after initialize() was called.
297 */
298 bool m_initialized = false;
299#endif
300 /*
301 The replication logs encryption only needs to recover the current
302 replication master key if the binlog_encryption option is enabled.
303
304 This flag will be set true after a successful replication master key
305 recovery.
306 */
308 /* The sequence number of the replication master key. */
309 uint32_t m_master_key_seqno = 0;
310 /* The current replication master key */
312 /*
313 Flag to avoid double logs rotation when enabling the option and
314 recovering from master key rotation.
315 */
317
318 /**
319 Fetch a key from keyring. When error happens, it either reports an error to
320 user or write an error to log accordingly.
321
322 @param[in] key_id ID of the key to be returned.
323 @param[in] key_type Expected type of the key to be returned.
324
325 @return A tuple containing the status of the operation (Keyring_status), a
326 pointer to the fetched key (nullptr if the key was not fetched) and
327 the returned key size. Errors shall be checked by consulting the
328 status.
329 */
330 static std::tuple<Keyring_status, void *, size_t> fetch_key_from_keyring(
331 const std::string &key_id, const std::string &key_type);
332
333 /**
334 Rotate replication logs excluding relay logs of group replication channels.
335 If error happens, it will either report a warning to session user.
336
337 @param[in] thd The thd object of current session.
338 */
339 void rotate_logs(THD *thd);
340
341 /**
342 Get a sequence number from the keyring. The sequence number to be returned
343 will be extracted from the key retrieved from the keyring. No caching shall
344 be used for this function.
345
346 @param[in] key_id ID of the key to extract the sequence number from.
347
348 @return A pair containing the status of the operation (Keyring_status) and
349 a sequence number. Errors shall be checked by consulting the status.
350 */
351 std::pair<Rpl_encryption::Keyring_status, uint32_t> get_seqno_from_keyring(
352 std::string key_id);
353 /**
354 Set a sequence number into a key and store it into keyring.
355
356 @param[in] key_id ID of the key to set the sequence number.
357 @param[in] seqno The sequence number to be set.
358
359 @retval false Success.
360 @retval true Error.
361 */
362 bool set_seqno_on_keyring(std::string key_id, uint32_t seqno);
363 /**
364 Remove a key from the keyring.
365
366 @param[in] key_id ID of the key to be removed from keyring.
367
368 @retval false Success.
369 @retval true Error.
370 */
371 bool remove_key_from_keyring(std::string key_id);
372 /**
373 Returns the key ID of the keyring key that stores the master key sequence
374 number.
375
376 @return The key ID.
377 */
378 std::string get_master_key_seqno_key_id();
379 /**
380 Get the master key sequence number from keyring.
381
382 @return A pair containing the status of the operation (Keyring_status) and
383 a sequence number. Errors shall be checked by consulting the status.
384 */
385 std::pair<Rpl_encryption::Keyring_status, uint32_t>
387 /**
388 Set the master key sequence number into a key and store it into keyring.
389
390 @retval false Success.
391 @retval true Error.
392 */
394 /**
395 Remove the master key sequence number key from the keyring.
396
397 @retval false Success.
398 @retval true Error.
399 */
401 /**
402 Returns the key ID of the keyring key that stores the "new" master key
403 sequence number.
404
405 @return The key ID.
406 */
408 /**
409 Returns the key ID of the keyring key that stores the "last_purged"
410 master key sequence number.
411
412 @return The key ID.
413 */
415 /**
416 Returns the key ID of the keyring key that stores the "old" master key
417 sequence number.
418
419 @return The key ID.
420 */
422 /**
423 Get the "new" master key sequence number from keyring.
424
425 @return A pair containing the status of the operation (Keyring_status) and
426 a sequence number. Errors shall be checked by consulting the status.
427 */
428 std::pair<Rpl_encryption::Keyring_status, uint32_t>
430 /**
431 Get the "old" master key sequence number from keyring.
432
433 @return A pair containing the status of the operation (Keyring_status) and
434 a sequence number. Errors shall be checked by consulting the status.
435 */
436 std::pair<Rpl_encryption::Keyring_status, uint32_t>
438 /**
439 Get the "last_purged" master key sequence number from keyring.
440
441 @return A pair containing the status of the operation (Keyring_status) and
442 a sequence number. Errors shall be checked by consulting the status.
443 */
444 std::pair<Rpl_encryption::Keyring_status, uint32_t>
446 /**
447 Set the "new" master key sequence number into a key and store it into
448 keyring.
449
450 @retval false Success.
451 @retval true Error.
452 */
454 /**
455 Set the "last_purged" master key sequence number into a key and store it
456 into keyring.
457
458 @retval false Success.
459 @retval true Error.
460 */
462 /**
463 Set the "old" master key sequence number into a key and store it into
464 keyring.
465
466 @retval false Success.
467 @retval true Error.
468 */
470 /**
471 Remove the "new" master key sequence number key from the keyring.
472
473 @retval false Success.
474 @retval true Error.
475 */
477 /**
478 Remove the "last_purged" master key sequence number key from the keyring.
479
480 @retval false Success.
481 @retval true Error.
482 */
484 /**
485 Remove the "old" master key sequence number key from the keyring.
486
487 @retval false Success.
488 @retval true Error.
489 */
491 /**
492 Generate a new replication master key on keyring and retrieve it.
493
494 @param[in] seqno The sequence number of the master key.
495
496 @retval false Success.
497 @retval true Error.
498 */
500};
501
503#endif // MYSQL_SERVER
504
505/**
506 @class Rpl_encryption_header
507
508 This is the base class to serialize and deserialize a replication log file
509 encryption header.
510
511 The new encrypted binary log file format is composed of two parts:
512
513 <pre>
514 +---------------------+
515 | Encryption Header |
516 +---------------------+
517 | Encrypted Data |
518 +---------------------+
519 </pre>
520
521 The encryption header exists only in the begin of encrypted replication log
522 files.
523
524 <pre>
525 +------------------------+----------------------------------------------+
526 | MAGIC HEADER (4 bytes) | Replication logs encryption version (1 byte) |
527 +------------------------+----------------------------------------------+
528 | Version specific encryption header data |
529 +-----------------------------------------------------------------------+
530 Encryption Header Format
531 </pre>
532
533 <table>
534 <caption>Encryption Header Format</caption>
535 <tr>
536 <th>Name</th>
537 <th>Format</th>
538 <th>Description</th>
539 </tr>
540 <tr>
541 <td>Magic Header</td>
542 <td>4 Bytes</td>
543 <td>
544 The content is always 0xFD62696E. It is similar to Binlog Magic Header.
545 Binlog magic header is: 0xFE62696e.
546 </td>
547 <tr>
548 <td>Replication logs encryption version</td>
549 <td>1 Byte</td>
550 <td>
551 The replication logs encryption version defines how the header shall be
552 deserialized and how the Encrypted Data shall be decrypted.
553 </td>
554 </tr>
555 <tr>
556 <td>Version specific encryption data header</td>
557 <td>Depends on the version field</td>
558 <td>
559 Data required to fetch a replication key from keyring and deserialize
560 the Encrypted Data.
561 </td>
562 </tr>
563 </table>
564*/
566 public:
567 /* Same as BINLOG_MAGIC_SIZE */
568 static const int ENCRYPTION_MAGIC_SIZE = 4;
569 /* The magic for an encrypted replication log file */
570 static const char *ENCRYPTION_MAGIC;
571
572 virtual ~Rpl_encryption_header();
573
574 /**
575 Deserialize the replication encrypted log file header from the given stream.
576 This function shall be called right after reading the magic from the stream.
577 It will read the version of the encrypted log file header, instantiate a
578 proper Rpl_encryption_header based on version and delegate the rest of the
579 header deserialization to the new instance.
580
581 @param istream The stream containing the header to deserialize.
582
583 @return A Rpl_encryption_header on success or nullptr on failure.
584 */
585 static std::unique_ptr<Rpl_encryption_header> get_header(
586 Basic_istream *istream);
587 /**
588 Generate a new replication encryption header based on the default
589 replication encrypted log file header version.
590
591 @return A Rpl_encryption_header of default version.
592 */
593 static std::unique_ptr<Rpl_encryption_header> get_new_default_header();
594 /**
595 Serialize the header into an output stream.
596
597 @param ostream The output stream to serialize the header.
598
599 @retval false Success.
600 @retval true Error.
601 */
602 virtual bool serialize(Basic_ostream *ostream) = 0;
603 /**
604 Deserialize encryption header from a stream.
605
606 @param[in] istream The input stream for deserializing the encryption
607 header.
608
609 @retval false Success.
610 @retval true Error.
611 */
612 virtual bool deserialize(Basic_istream *istream) = 0;
613 /**
614 Get the header version.
615
616 @return The header version.
617 */
618 virtual char get_version() const = 0;
619 /**
620 Return the header size to be taken into account when serializing an
621 deserializing encrypted file headers from replication log files.
622
623 @return The size of the header for the header version.
624 */
625 virtual int get_header_size() = 0;
626 /**
627 Decrypt the file password.
628 */
630 /**
631 Factory to generate ciphers to encrypt streams based on current header.
632
633 @return A Stream_cipher for this header version or nullptr on failure.
634 */
635 virtual std::unique_ptr<Stream_cipher> get_encryptor() = 0;
636 /**
637 Factory to generate ciphers to decrypt streams based on current header.
638
639 @return A Stream_cipher for this header version or nullptr on failure.
640 */
641 virtual std::unique_ptr<Stream_cipher> get_decryptor() = 0;
642 /**
643 Setup the header with current master key and generates a new random file
644 password. This function shall be called when creating new replication
645 log files.
646
647 @return The new file password, or an empty password if error happens.
648 */
650#ifdef MYSQL_SERVER
651 /**
652 Encrypt a file password using current replication encryption master key.
653
654 @param[in] password_str The plain file password.
655
656 @retval false Success.
657 @retval true Error.
658 */
659 virtual bool encrypt_file_password(Key_string password_str) = 0;
660#endif
661 /**
662 Build a key id prefix using default header version.
663
664 @return A key ID prefix.
665 */
666 static std::string key_id_prefix();
667 /**
668 Build a key id using the given sequence number using default header version.
669
670 @param[in] seqno The sequence number used to build key id.
671
672 @return A key ID with a sequence number.
673 */
674 static std::string seqno_to_key_id(uint32_t seqno);
675 /**
676 Build a key id using the given suffix using default header version.
677
678 @param[in] suffix The suffix used to build key id.
679
680 @return A key ID with a suffix.
681 */
682 static std::string key_id_with_suffix(const char *suffix);
683 /**
684 Return the default header version encryption key type.
685
686 @return The encrypted key type.
687 */
688 static const char *get_key_type();
689
690 protected:
691 /* Offset of the version field in the header */
693 /* Size of the version field in the header */
694 static const int VERSION_SIZE = 1;
695 /* Offset of the optional header fields in the header */
697
698 private:
699 /* The default header version for new headers */
700 static const char m_default_version = 1;
701};
702
703/**
704 @class Rpl_encryption_header_v1
705
706 <pre>
707 +------------------------+----------------------------------------------+
708 | MAGIC HEADER (4 bytes) | Replication logs encryption version (1 byte) |
709 +------------------------+----------------------------------------------+
710 | Replication Encryption Key ID (60 to 69 bytes) |
711 +-----------------------------------------------------------------------+
712 | Encrypted File Password (33 bytes) |
713 +-----------------------------------------------------------------------+
714 | IV For Encrypting File Password (17 bytes) |
715 +-----------------------------------------------------------------------+
716 | Padding (388 to 397 bytes) |
717 +-----------------------------------------------------------------------+
718 Encrypted binary log file header format version 1
719 </pre>
720
721 <table>
722 <caption>Encrypted binary log file header format version 1</caption>
723 <tr>
724 <th>Name</th>
725 <th>Format</th>
726 <th>Description</th>
727 </tr>
728 <tr>
729 <td>Replication Encryption Key ID</td>
730 <td>
731 Variable length field that uses Type, Length, Value (TLV) format. Type
732 takes 1 byte. Length takes 1 byte. Values takes Length bytes.
733 </td>
734 <td>
735 ID of the key that shall be retrieved from keyring to be used to decrypt
736 the file password field.
737 </td>
738 </tr>
739 <tr>
740 <td>Encrypted File Password</td>
741 <td>
742 Fixed length field that uses Type, Value format. Type takes 1 byte.
743 Value takes 32 bytes.</td>
744 <td>It is the encrypted file password.</td>
745 </tr>
746 <tr>
747 <td>IV for Encrypting File Password</td>
748 <td>
749 Fixed length field that uses Type, Value format. Type takes 1 byte.
750 Value takes 16 bytes.</td>
751 <td>
752 The iv, together with the key, is used to encrypt/decrypt the
753 file password.
754 </td>
755 </tr>
756 <tr>
757 <td>Padding</td>
758 <td>Variable length, all bytes are 0.</td>
759 <td>
760 Encryption header has 512 bytes. Above fields don't take all bytes. All
761 unused bytes are filled with 0 as padding.
762 </td>
763 </tr>
764 </table>
765*/
767 public:
768 static const char *KEY_TYPE;
769 static const int KEY_LENGTH = 32;
770 static const int HEADER_SIZE = 512;
771 static const int IV_FIELD_SIZE = 16;
772 static const int PASSWORD_FIELD_SIZE = 32;
773
775
776 ~Rpl_encryption_header_v1() override;
777
778 bool serialize(Basic_ostream *ostream) override;
779 bool deserialize(Basic_istream *istream) override;
780 char get_version() const override;
781 int get_header_size() override;
783 std::unique_ptr<Stream_cipher> get_encryptor() override;
784 std::unique_ptr<Stream_cipher> get_decryptor() override;
786#ifdef MYSQL_SERVER
787 bool encrypt_file_password(Key_string password_str) override;
788#endif
789
790 /**
791 Build a key id prefix.
792 */
793 static std::string key_id_prefix();
794 /**
795 Build a key id using the given sequence number.
796
797 @param[in] seqno The sequence number used to build key id.
798 */
799 static std::string seqno_to_key_id(uint32_t seqno);
800 /**
801 Build a key id using the given suffix.
802
803 @param[in] suffix The suffix used to build key id.
804 */
805 static std::string key_id_with_suffix(const char *suffix);
806
807 private:
808 /* The prefix for key IDs */
809 static const char *KEY_ID_PREFIX;
810 /* Expected field types */
815 };
816 /* This header implementation version */
817 char m_version = 1;
818 /* The key ID of the keyring key that encrypted the password */
819 std::string m_key_id;
820 /* The encrypted file password */
822 /* The IV used to encrypt/decrypt the file password */
824};
825#endif // RPL_LOG_ENCRYPTION_INCLUDED
The abstract class for basic byte input streams which provides read operations.
Definition: basic_istream.h:35
The abstract class for basic output streams which provides write operation.
Definition: basic_ostream.h:37
Definition: rpl_log_encryption.h:766
static std::string seqno_to_key_id(uint32_t seqno)
Build a key id using the given sequence number.
Definition: rpl_log_encryption.cc:1260
~Rpl_encryption_header_v1() override
Definition: rpl_log_encryption.cc:1036
@ KEY_ID
Definition: rpl_log_encryption.h:812
@ IV_FOR_FILE_PASSWORD
Definition: rpl_log_encryption.h:814
@ ENCRYPTED_FILE_PASSWORD
Definition: rpl_log_encryption.h:813
Key_string decrypt_file_password() override
Decrypt the file password.
Definition: rpl_log_encryption.cc:1165
static std::string key_id_with_suffix(const char *suffix)
Build a key id using the given suffix.
Definition: rpl_log_encryption.cc:1269
static const int PASSWORD_FIELD_SIZE
Definition: rpl_log_encryption.h:772
static const int HEADER_SIZE
Definition: rpl_log_encryption.h:770
Key_string m_encrypted_password
Definition: rpl_log_encryption.h:821
bool serialize(Basic_ostream *ostream) override
Serialize the header into an output stream.
Definition: rpl_log_encryption.cc:1038
bool encrypt_file_password(Key_string password_str) override
Encrypt a file password using current replication encryption master key.
Definition: rpl_log_encryption.cc:1200
Rpl_encryption_header_v1()=default
char m_version
Definition: rpl_log_encryption.h:817
static const char * KEY_TYPE
Definition: rpl_log_encryption.h:768
Key_string m_iv
Definition: rpl_log_encryption.h:823
std::string m_key_id
Definition: rpl_log_encryption.h:819
std::unique_ptr< Stream_cipher > get_encryptor() override
Factory to generate ciphers to encrypt streams based on current header.
Definition: rpl_log_encryption.cc:1191
static const int KEY_LENGTH
Definition: rpl_log_encryption.h:769
static const int IV_FIELD_SIZE
Definition: rpl_log_encryption.h:771
std::unique_ptr< Stream_cipher > get_decryptor() override
Factory to generate ciphers to decrypt streams based on current header.
Definition: rpl_log_encryption.cc:1195
static std::string key_id_prefix()
Build a key id prefix.
Definition: rpl_log_encryption.cc:1252
Key_string generate_new_file_password() override
Setup the header with current master key and generates a new random file password.
Definition: rpl_log_encryption.cc:1231
int get_header_size() override
Return the header size to be taken into account when serializing an deserializing encrypted file head...
Definition: rpl_log_encryption.cc:1161
bool deserialize(Basic_istream *istream) override
Deserialize encryption header from a stream.
Definition: rpl_log_encryption.cc:1066
static const char * KEY_ID_PREFIX
Definition: rpl_log_encryption.h:809
char get_version() const override
Get the header version.
Definition: rpl_log_encryption.cc:1159
This is the base class to serialize and deserialize a replication log file encryption header.
Definition: rpl_log_encryption.h:565
virtual std::unique_ptr< Stream_cipher > get_decryptor()=0
Factory to generate ciphers to decrypt streams based on current header.
static const char * get_key_type()
Return the default header version encryption key type.
Definition: rpl_log_encryption.cc:1029
static const int VERSION_SIZE
Definition: rpl_log_encryption.h:694
static const int VERSION_OFFSET
Definition: rpl_log_encryption.h:692
virtual ~Rpl_encryption_header()
Definition: rpl_log_encryption.cc:960
static std::unique_ptr< Rpl_encryption_header > get_header(Basic_istream *istream)
Deserialize the replication encrypted log file header from the given stream.
Definition: rpl_log_encryption.cc:973
static std::string seqno_to_key_id(uint32_t seqno)
Build a key id using the given sequence number using default header version.
Definition: rpl_log_encryption.cc:1021
static std::unique_ptr< Rpl_encryption_header > get_new_default_header()
Generate a new replication encryption header based on the default replication encrypted log file head...
Definition: rpl_log_encryption.cc:1011
virtual Key_string generate_new_file_password()=0
Setup the header with current master key and generates a new random file password.
virtual bool serialize(Basic_ostream *ostream)=0
Serialize the header into an output stream.
virtual int get_header_size()=0
Return the header size to be taken into account when serializing an deserializing encrypted file head...
static std::string key_id_with_suffix(const char *suffix)
Build a key id using the given suffix using default header version.
Definition: rpl_log_encryption.cc:1025
static const char * ENCRYPTION_MAGIC
Definition: rpl_log_encryption.h:570
static const int ENCRYPTION_MAGIC_SIZE
Definition: rpl_log_encryption.h:568
static const int OPTIONAL_FIELD_OFFSET
Definition: rpl_log_encryption.h:696
virtual std::unique_ptr< Stream_cipher > get_encryptor()=0
Factory to generate ciphers to encrypt streams based on current header.
static const char m_default_version
Definition: rpl_log_encryption.h:700
virtual bool deserialize(Basic_istream *istream)=0
Deserialize encryption header from a stream.
virtual Key_string decrypt_file_password()=0
Decrypt the file password.
virtual char get_version() const =0
Get the header version.
static std::string key_id_prefix()
Build a key id prefix using default header version.
Definition: rpl_log_encryption.cc:1017
virtual bool encrypt_file_password(Key_string password_str)=0
Encrypt a file password using current replication encryption master key.
The Rpl_encryption class is the container for the binlog encryption feature generic and server instan...
Definition: rpl_log_encryption.h:97
Rpl_encryption_key m_master_key
Definition: rpl_log_encryption.h:311
static const char * SEQNO_KEY_TYPE
Definition: rpl_log_encryption.h:279
Rpl_encryption & operator=(const Rpl_encryption &)=delete
static std::tuple< Keyring_status, void *, size_t > fetch_key_from_keyring(const std::string &key_id, const std::string &key_type)
Fetch a key from keyring.
Definition: rpl_log_encryption.cc:468
bool remove_old_master_key_seqno_from_keyring()
Remove the "old" master key sequence number key from the keyring.
Definition: rpl_log_encryption.cc:905
uint32_t m_master_key_seqno
Definition: rpl_log_encryption.h:309
Rpl_encryption(Rpl_encryption &&)=delete
bool enable(THD *thd)
Enable binlog encryption option.
Definition: rpl_log_encryption.cc:405
std::string get_master_key_seqno_key_id()
Returns the key ID of the keyring key that stores the master key sequence number.
Definition: rpl_log_encryption.cc:816
bool remove_new_master_key_seqno_from_keyring()
Remove the "new" master key sequence number key from the keyring.
Definition: rpl_log_encryption.cc:893
void disable(THD *thd)
Disable binlog encryption option.
Definition: rpl_log_encryption.cc:437
bool purge_unused_keys()
Purge unused master keys from Keyring.
Definition: rpl_log_encryption.cc:506
bool m_initialized
Definition: rpl_log_encryption.h:298
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_last_purged_master_key_seqno_from_keyring()
Get the "last_purged" master key sequence number from keyring.
Definition: rpl_log_encryption.cc:869
static void report_keyring_error(Keyring_status error)
A wrapper function to throw a binlog encryption keyring error.
Definition: rpl_log_encryption.cc:49
bool recover_master_key()
Recover the replication encryption master key from keyring.
Definition: rpl_log_encryption.cc:193
std::string get_new_master_key_seqno_key_id()
Returns the key ID of the keyring key that stores the "new" master key sequence number.
Definition: rpl_log_encryption.cc:839
Rpl_encryption & operator=(Rpl_encryption &&)=delete
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_master_key_seqno_from_keyring()
Get the master key sequence number from keyring.
Definition: rpl_log_encryption.cc:821
Keyring_status
Definition: rpl_log_encryption.h:110
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_seqno_from_keyring(std::string key_id)
Get a sequence number from the keyring.
Definition: rpl_log_encryption.cc:741
bool set_last_purged_master_key_seqno_on_keyring(uint32 seqno)
Set the "last_purged" master key sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:881
Key_rotation_step
Replication encryption master key rotation process is recoverable.
Definition: rpl_log_encryption.h:145
Rpl_encryption()=default
bool remove_key_from_keyring(std::string key_id)
Remove a key from the keyring.
Definition: rpl_log_encryption.cc:787
bool m_master_key_recovered
Definition: rpl_log_encryption.h:307
bool set_master_key_seqno_on_keyring(uint32 seqno)
Set the master key sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:827
bool m_rotate_at_startup
Definition: rpl_log_encryption.h:292
bool generate_master_key_on_keyring(uint32 seqno)
Generate a new replication master key on keyring and retrieve it.
Definition: rpl_log_encryption.cc:911
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_new_master_key_seqno_from_keyring()
Get the "new" master key sequence number from keyring.
Definition: rpl_log_encryption.cc:855
bool remove_last_purged_master_key_seqno_from_keyring()
Remove the "last_purged" master key sequence number key from the keyring.
Definition: rpl_log_encryption.cc:899
bool rotate_master_key(Key_rotation_step step=Key_rotation_step::START, uint32_t new_master_key_seqno=0)
Rotate the master key.
Definition: rpl_log_encryption.cc:569
bool set_new_master_key_seqno_on_keyring(uint32 seqno)
Set the "new" master key sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:875
void rotate_logs(THD *thd)
Rotate replication logs excluding relay logs of group replication channels.
Definition: rpl_log_encryption.cc:732
static std::pair< Keyring_status, Key_string > get_key(const std::string &key_id, const std::string &key_type)
Get the key with given key ID.
Definition: rpl_log_encryption.cc:371
Rpl_encryption(const Rpl_encryption &)=delete
std::string get_last_purged_master_key_seqno_key_id()
Returns the key ID of the keyring key that stores the "last_purged" master key sequence number.
Definition: rpl_log_encryption.cc:844
bool is_enabled()
Return is the replication logs encryption feature is enabled.
Definition: rpl_log_encryption.cc:450
bool set_old_master_key_seqno_on_keyring(uint32 seqno)
Set the "old" master key sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:887
const bool & get_enabled_var()
Definition: rpl_log_encryption.cc:459
const bool & get_master_key_rotation_at_startup_var()
Definition: rpl_log_encryption.cc:461
bool initialize()
Initialize the rpl_encryption instance.
Definition: rpl_log_encryption.cc:106
bool remove_master_key_seqno_from_keyring()
Remove the master key sequence number key from the keyring.
Definition: rpl_log_encryption.cc:833
static const int SEQNO_KEY_LENGTH
Definition: rpl_log_encryption.h:281
bool remove_remaining_seqnos_from_keyring()
Remove remaining old/new master key index in order to cleanup any previous master key rotation.
Definition: rpl_log_encryption.cc:131
const Rpl_encryption_key get_master_key()
Return the current replication encryption master key.
Definition: rpl_log_encryption.cc:362
bool set_seqno_on_keyring(std::string key_id, uint32_t seqno)
Set a sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:753
bool m_enabled
Definition: rpl_log_encryption.h:286
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_old_master_key_seqno_from_keyring()
Get the "old" master key sequence number from keyring.
Definition: rpl_log_encryption.cc:862
std::string get_old_master_key_seqno_key_id()
Returns the key ID of the keyring key that stores the "old" master key sequence number.
Definition: rpl_log_encryption.cc:849
bool m_skip_logs_rotation
Definition: rpl_log_encryption.h:316
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_lexer_thd.h:36
Some integer typedefs for easier portability.
uint32_t uint32
Definition: my_inttypes.h:67
int key_type
Definition: method.h:38
Rpl_encryption rpl_encryption
Definition: rpl_log_encryption.cc:47
This file includes core components for encrypting/decrypting binary log files.
std::basic_string< unsigned char > Key_string
Definition: stream_cipher.h:38
Definition: sql_resultset.h:36
Definition: rpl_log_encryption.h:99
Key_string m_value
Definition: rpl_log_encryption.h:101
std::string m_id
Definition: rpl_log_encryption.h:100