MySQL 8.3.0
Source Code Documentation
rpl_log_encryption.h
Go to the documentation of this file.
1/* Copyright (c) 2018, 2023, Oracle and/or its affiliates.
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License, version 2.0,
5 as published by the Free Software Foundation.
6
7 This program is also distributed with certain software (including
8 but not limited to OpenSSL) that is licensed under separate terms,
9 as designated in a particular file or component or in included license
10 documentation. The authors of MySQL hereby grant you an additional
11 permission to link the program and your derivative works with the
12 separately licensed software that they have included with MySQL.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License, version 2.0, for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22
23#ifndef RPL_LOG_ENCRYPTION_INCLUDED
24#define RPL_LOG_ENCRYPTION_INCLUDED
25
26#include <openssl/evp.h>
27#include <sql/stream_cipher.h>
28#include <stdint.h>
29#include <map>
30#include <string>
31#include "my_inttypes.h"
32
33class Basic_istream;
34class Basic_ostream;
35class THD;
36
37/**
38 @file rpl_log_encryption.h
39
40 @brief This file includes the major components for encrypting/decrypting
41 binary log files.
42
43 * Replication logs
44
45 Here, replication logs includes both the binary and relay log files.
46
47 * File Level Encryption
48
49 - All standard binary log file data (including BINLOG_MAGIC) in replication
50 logs are encrypted.
51
52 - A replication log file is either encrypted or not (standard binary log
53 file). It is not possible that part of a log file is encrypted and part
54 of it is non-encrypted.
55
56 - There is an encryption header in the begin of each encrypted replication
57 log file.
58
59 <pre>
60 +--------------------+
61 | Encryption Header |
62 +--------------------+
63 | Encrypted Data |
64 +--------------------+
65 </pre>
66
67 The encrypted replication file header includes necessary information to
68 decrypt the encrypted data of the file (the standard binary log file
69 data). For detail, check Rpl_encryption_header class.
70
71 * Two Tier Keys
72
73 Replication logs are encrypted with two tier keys. A 'File Password' for
74 encrypting the standard binary log file data and a 'Replication Encryption
75 Key' for encrypting the 'File Password'.
76
77 - File password
78
79 Each replication log file has a password. A file key used to encrypt the
80 file is generated from the file password. The encrypted 'File Password'
81 is stored into encryption header of the file. For details, check
82 Rpl_encryption_header class.
83
84 - Replication encryption key
85
86 A replication encryption key is used to encrypt/decrypt the file
87 password stored in an encrypted replication file header. It is generated
88 by keyring and stored in/retrieved from keyring.
89*/
90#ifdef MYSQL_SERVER
91
92/**
93 The Rpl_encryption class is the container for the binlog encryption feature
94 generic and server instance functions.
95*/
97 public:
99 std::string m_id;
101 };
102
103 Rpl_encryption() = default;
108
109 enum class Keyring_status {
110 SUCCESS = 0,
112 KEY_NOT_FOUND = 2,
119 };
120 /**
121 A wrapper function to throw a binlog encryption keyring error.
122 The wrapper will decide if the error will be reported to the client session
123 or to the server error log according to current_thd.
124
125 @param error The Keyring_status to be reported.
126 */
128 /**
129 A wrapper function to throw a replication logs encryption keyring error,
130 reporting also the key ID.
131 The wrapper will decide if the error will be reported to the client session
132 or to the server error log according to current_thd.
133
134 @param error The Keyring_status to be reported.
135 @param key_id The key ID to appear in the error message.
136 */
137 static void report_keyring_error(Keyring_status error, const char *key_id);
138
139 /**
140 Replication encryption master key rotation process is recoverable. The
141 steps defined in the enum class below are the steps from which the rotation
142 process may continue after an unexpected interruption.
143 */
144 enum class Key_rotation_step {
145 START,
153 };
154
155 /**
156 Initialize the rpl_encryption instance. This initialization shall be called
157 after generating/loading the server UUID and before opening new binary and
158 relay log files for writing.
159
160 When the replication_logs_encrypt option is on at server startup, the
161 initialization process will try to recover master key and may generate
162 a new replication master key if needed.
163
164 @retval false Success.
165 @retval true Error.
166 */
167 bool initialize();
168 /**
169 Remove remaining old/new master key index in order to cleanup any previous
170 master key rotation.
171
172 @retval false Success.
173 @retval true Error.
174 */
176 /**
177 Recover the replication encryption master key from keyring.
178
179 The recovery of the master key process starts by trying to read the
180 replication master key information from keyring (the master key sequence
181 number, and the master key itself).
182
183 Then, if detected that a key rotation did not completed properly, tries to
184 continue the master key rotation.
185
186 When recovery is successful, the m_master_key_recovered flag is set true.
187
188 @retval false Success.
189 @retval true Error.
190 */
191 bool recover_master_key();
192 /**
193 Return the current replication encryption master key.
194
195 @return The current replication encryption master key.
196 */
197 const Rpl_encryption_key get_master_key();
198
199 /**
200 Get the key with given key ID. The key to be returned will be retrieved
201 from the keyring or from a cached copy in memory.
202
203 @param[in] key_id ID of the key to be returned.
204 @param[in] key_type Expected type of the key to be returned.
205
206 @return A pair containing the status of the operation (Keyring_status) and
207 a Key_string. Errors shall be checked by consulting the status.
208 */
209 static std::pair<Keyring_status, Key_string> get_key(
210 const std::string &key_id, const std::string &key_type);
211
212 /**
213 Get the key with given key ID. The key to be returned will be retrieved
214 from the keyring or from a cached copy in memory.
215
216 @param[in] key_id ID of the key to be returned.
217 @param[in] key_type Expected type of the key to be returned.
218 @param[in] key_size Expected size of the key to be returned.
219
220 @return A pair containing the status of the operation (Keyring_status) and
221 a Key_string. Errors shall be checked by consulting the status.
222 */
223 static std::pair<Keyring_status, Key_string> get_key(
224 const std::string &key_id, const std::string &key_type, size_t key_size);
225
226 /**
227 Enable binlog encryption option. It will generate a new global key if
228 there is no master key yet. Then rotate replication logs to make encryption
229 effective immediately.
230
231 Replication logs rotation errors don't fail, but they will throw a warning.
232
233 @param[in] thd the thd object of the session.
234
235 @retval false Success.
236 @retval true Error. If error happens when generating new key, it will fail.
237 */
238 bool enable(THD *thd);
239 /**
240 Disable binlog encryption option. It rotates replication logs to make
241 encryption ineffective immediately.
242
243 Replication logs rotation errors don't fail, but they will throw a warning.
244
245 @param[in] thd the thd object of the session.
246 */
247 void disable(THD *thd);
248 /**
249 Return is the replication logs encryption feature is enabled.
250
251 @retval false The feature is disabled.
252 @retval true The feature is enabled.
253 */
254 bool is_enabled();
255 const bool &get_enabled_var();
257 /**
258 Purge unused master keys from Keyring.
259
260 @retval false Success.
261 @retval true Error.
262 */
263 bool purge_unused_keys();
264 /**
265 Rotate the master key.
266
267 @param step Step to start the process (it might be recovering).
268 @param new_master_key_seqno When recovering, this is the new master key
269 sequence number detected by recovery process.
270 @retval false Success.
271 @retval true Error.
272 */
274 uint32_t new_master_key_seqno = 0);
275
276 private:
277 /* Define the keyring key type for keys storing sequence numbers */
278 static const char *SEQNO_KEY_TYPE;
279 /* Define the keyring key length for keys storing sequence numbers */
280 static const int SEQNO_KEY_LENGTH = 16;
281 /*
282 Sys_binlog_encryption uses m_enabled as the storage of global var
283 binlog_encryption.
284 */
285 bool m_enabled = false;
286 /*
287 Sys_binlog_rotate_encryption_master_key_at_startup uses
288 m_rotate_at_startup as the storage of global var
289 binlog_rotate_encryption_master_key_at_startup.
290 */
292#ifndef NDEBUG
293 /*
294 This variable is only used to assert that enable(), disable() and
295 get_master_key() functions are called only after initialize() was called.
296 */
297 bool m_initialized = false;
298#endif
299 /*
300 The replication logs encryption only needs to recover the current
301 replication master key if the binlog_encryption option is enabled.
302
303 This flag will be set true after a successful replication master key
304 recovery.
305 */
307 /* The sequence number of the replication master key. */
308 uint32_t m_master_key_seqno = 0;
309 /* The current replication master key */
311 /*
312 Flag to avoid double logs rotation when enabling the option and
313 recovering from master key rotation.
314 */
316
317 /**
318 Fetch a key from keyring. When error happens, it either reports an error to
319 user or write an error to log accordingly.
320
321 @param[in] key_id ID of the key to be returned.
322 @param[in] key_type Expected type of the key to be returned.
323
324 @return A tuple containing the status of the operation (Keyring_status), a
325 pointer to the fetched key (nullptr if the key was not fetched) and
326 the returned key size. Errors shall be checked by consulting the
327 status.
328 */
329 static std::tuple<Keyring_status, void *, size_t> fetch_key_from_keyring(
330 const std::string &key_id, const std::string &key_type);
331
332 /**
333 Rotate replication logs excluding relay logs of group replication channels.
334 If error happens, it will either report a warning to session user.
335
336 @param[in] thd The thd object of current session.
337 */
338 void rotate_logs(THD *thd);
339
340 /**
341 Get a sequence number from the keyring. The sequence number to be returned
342 will be extracted from the key retrieved from the keyring. No caching shall
343 be used for this function.
344
345 @param[in] key_id ID of the key to extract the sequence number from.
346
347 @return A pair containing the status of the operation (Keyring_status) and
348 a sequence number. Errors shall be checked by consulting the status.
349 */
350 std::pair<Rpl_encryption::Keyring_status, uint32_t> get_seqno_from_keyring(
351 std::string key_id);
352 /**
353 Set a sequence number into a key and store it into keyring.
354
355 @param[in] key_id ID of the key to set the sequence number.
356 @param[in] seqno The sequence number to be set.
357
358 @retval false Success.
359 @retval true Error.
360 */
361 bool set_seqno_on_keyring(std::string key_id, uint32_t seqno);
362 /**
363 Remove a key from the keyring.
364
365 @param[in] key_id ID of the key to be removed from keyring.
366
367 @retval false Success.
368 @retval true Error.
369 */
370 bool remove_key_from_keyring(std::string key_id);
371 /**
372 Returns the key ID of the keyring key that stores the master key sequence
373 number.
374
375 @return The key ID.
376 */
377 std::string get_master_key_seqno_key_id();
378 /**
379 Get the master key sequence number from keyring.
380
381 @return A pair containing the status of the operation (Keyring_status) and
382 a sequence number. Errors shall be checked by consulting the status.
383 */
384 std::pair<Rpl_encryption::Keyring_status, uint32_t>
386 /**
387 Set the master key sequence number into a key and store it into keyring.
388
389 @retval false Success.
390 @retval true Error.
391 */
393 /**
394 Remove the master key sequence number key from the keyring.
395
396 @retval false Success.
397 @retval true Error.
398 */
400 /**
401 Returns the key ID of the keyring key that stores the "new" master key
402 sequence number.
403
404 @return The key ID.
405 */
407 /**
408 Returns the key ID of the keyring key that stores the "last_purged"
409 master key sequence number.
410
411 @return The key ID.
412 */
414 /**
415 Returns the key ID of the keyring key that stores the "old" master key
416 sequence number.
417
418 @return The key ID.
419 */
421 /**
422 Get the "new" master key sequence number from keyring.
423
424 @return A pair containing the status of the operation (Keyring_status) and
425 a sequence number. Errors shall be checked by consulting the status.
426 */
427 std::pair<Rpl_encryption::Keyring_status, uint32_t>
429 /**
430 Get the "old" master key sequence number from keyring.
431
432 @return A pair containing the status of the operation (Keyring_status) and
433 a sequence number. Errors shall be checked by consulting the status.
434 */
435 std::pair<Rpl_encryption::Keyring_status, uint32_t>
437 /**
438 Get the "last_purged" master key sequence number from keyring.
439
440 @return A pair containing the status of the operation (Keyring_status) and
441 a sequence number. Errors shall be checked by consulting the status.
442 */
443 std::pair<Rpl_encryption::Keyring_status, uint32_t>
445 /**
446 Set the "new" master key sequence number into a key and store it into
447 keyring.
448
449 @retval false Success.
450 @retval true Error.
451 */
453 /**
454 Set the "last_purged" master key sequence number into a key and store it
455 into keyring.
456
457 @retval false Success.
458 @retval true Error.
459 */
461 /**
462 Set the "old" master key sequence number into a key and store it into
463 keyring.
464
465 @retval false Success.
466 @retval true Error.
467 */
469 /**
470 Remove the "new" master key sequence number key from the keyring.
471
472 @retval false Success.
473 @retval true Error.
474 */
476 /**
477 Remove the "last_purged" master key sequence number key from the keyring.
478
479 @retval false Success.
480 @retval true Error.
481 */
483 /**
484 Remove the "old" master key sequence number key from the keyring.
485
486 @retval false Success.
487 @retval true Error.
488 */
490 /**
491 Generate a new replication master key on keyring and retrieve it.
492
493 @param[in] seqno The sequence number of the master key.
494
495 @retval false Success.
496 @retval true Error.
497 */
499};
500
502#endif // MYSQL_SERVER
503
504/**
505 @class Rpl_encryption_header
506
507 This is the base class to serialize and deserialize a replication log file
508 encryption header.
509
510 The new encrypted binary log file format is composed of two parts:
511
512 <pre>
513 +---------------------+
514 | Encryption Header |
515 +---------------------+
516 | Encrypted Data |
517 +---------------------+
518 </pre>
519
520 The encryption header exists only in the begin of encrypted replication log
521 files.
522
523 <pre>
524 +------------------------+----------------------------------------------+
525 | MAGIC HEADER (4 bytes) | Replication logs encryption version (1 byte) |
526 +------------------------+----------------------------------------------+
527 | Version specific encryption header data |
528 +-----------------------------------------------------------------------+
529 Encryption Header Format
530 </pre>
531
532 <table>
533 <caption>Encryption Header Format</caption>
534 <tr>
535 <th>Name</th>
536 <th>Format</th>
537 <th>Description</th>
538 </tr>
539 <tr>
540 <td>Magic Header</td>
541 <td>4 Bytes</td>
542 <td>
543 The content is always 0xFD62696E. It is similar to Binlog Magic Header.
544 Binlog magic header is: 0xFE62696e.
545 </td>
546 <tr>
547 <td>Replication logs encryption version</td>
548 <td>1 Byte</td>
549 <td>
550 The replication logs encryption version defines how the header shall be
551 deserialized and how the Encrypted Data shall be decrypted.
552 </td>
553 </tr>
554 <tr>
555 <td>Version specific encryption data header</td>
556 <td>Depends on the version field</td>
557 <td>
558 Data required to fetch a replication key from keyring and deserialize
559 the Encrypted Data.
560 </td>
561 </tr>
562 </table>
563*/
565 public:
566 /* Same as BINLOG_MAGIC_SIZE */
567 static const int ENCRYPTION_MAGIC_SIZE = 4;
568 /* The magic for an encrypted replication log file */
569 static const char *ENCRYPTION_MAGIC;
570
571 virtual ~Rpl_encryption_header();
572
573 /**
574 Deserialize the replication encrypted log file header from the given stream.
575 This function shall be called right after reading the magic from the stream.
576 It will read the version of the encrypted log file header, instantiate a
577 proper Rpl_encryption_header based on version and delegate the rest of the
578 header deserialization to the new instance.
579
580 @param istream The stream containing the header to deserialize.
581
582 @return A Rpl_encryption_header on success or nullptr on failure.
583 */
584 static std::unique_ptr<Rpl_encryption_header> get_header(
585 Basic_istream *istream);
586 /**
587 Generate a new replication encryption header based on the default
588 replication encrypted log file header version.
589
590 @return A Rpl_encryption_header of default version.
591 */
592 static std::unique_ptr<Rpl_encryption_header> get_new_default_header();
593 /**
594 Serialize the header into an output stream.
595
596 @param ostream The output stream to serialize the header.
597
598 @retval false Success.
599 @retval true Error.
600 */
601 virtual bool serialize(Basic_ostream *ostream) = 0;
602 /**
603 Deserialize encryption header from a stream.
604
605 @param[in] istream The input stream for deserializing the encryption
606 header.
607
608 @retval false Success.
609 @retval true Error.
610 */
611 virtual bool deserialize(Basic_istream *istream) = 0;
612 /**
613 Get the header version.
614
615 @return The header version.
616 */
617 virtual char get_version() const = 0;
618 /**
619 Return the header size to be taken into account when serializing an
620 deserializing encrypted file headers from replication log files.
621
622 @return The size of the header for the header version.
623 */
624 virtual int get_header_size() = 0;
625 /**
626 Decrypt the file password.
627 */
629 /**
630 Factory to generate ciphers to encrypt streams based on current header.
631
632 @return A Stream_cipher for this header version or nullptr on failure.
633 */
634 virtual std::unique_ptr<Stream_cipher> get_encryptor() = 0;
635 /**
636 Factory to generate ciphers to decrypt streams based on current header.
637
638 @return A Stream_cipher for this header version or nullptr on failure.
639 */
640 virtual std::unique_ptr<Stream_cipher> get_decryptor() = 0;
641 /**
642 Setup the header with current master key and generates a new random file
643 password. This function shall be called when creating new replication
644 log files.
645
646 @return The new file password, or an empty password if error happens.
647 */
649#ifdef MYSQL_SERVER
650 /**
651 Encrypt a file password using current replication encryption master key.
652
653 @param[in] password_str The plain file password.
654
655 @retval false Success.
656 @retval true Error.
657 */
658 virtual bool encrypt_file_password(Key_string password_str) = 0;
659#endif
660 /**
661 Build a key id prefix using default header version.
662
663 @return A key ID prefix.
664 */
665 static std::string key_id_prefix();
666 /**
667 Build a key id using the given sequence number using default header version.
668
669 @param[in] seqno The sequence number used to build key id.
670
671 @return A key ID with a sequence number.
672 */
673 static std::string seqno_to_key_id(uint32_t seqno);
674 /**
675 Build a key id using the given suffix using default header version.
676
677 @param[in] suffix The suffix used to build key id.
678
679 @return A key ID with a suffix.
680 */
681 static std::string key_id_with_suffix(const char *suffix);
682 /**
683 Return the default header version encryption key type.
684
685 @return The encrypted key type.
686 */
687 static const char *get_key_type();
688
689 protected:
690 /* Offset of the version field in the header */
692 /* Size of the version field in the header */
693 static const int VERSION_SIZE = 1;
694 /* Offset of the optional header fields in the header */
696
697 private:
698 /* The default header version for new headers */
699 static const char m_default_version = 1;
700};
701
702/**
703 @class Rpl_encryption_header_v1
704
705 <pre>
706 +------------------------+----------------------------------------------+
707 | MAGIC HEADER (4 bytes) | Replication logs encryption version (1 byte) |
708 +------------------------+----------------------------------------------+
709 | Replication Encryption Key ID (60 to 69 bytes) |
710 +-----------------------------------------------------------------------+
711 | Encrypted File Password (33 bytes) |
712 +-----------------------------------------------------------------------+
713 | IV For Encrypting File Password (17 bytes) |
714 +-----------------------------------------------------------------------+
715 | Padding (388 to 397 bytes) |
716 +-----------------------------------------------------------------------+
717 Encrypted binary log file header format version 1
718 </pre>
719
720 <table>
721 <caption>Encrypted binary log file header format version 1</caption>
722 <tr>
723 <th>Name</th>
724 <th>Format</th>
725 <th>Description</th>
726 </tr>
727 <tr>
728 <td>Replication Encryption Key ID</td>
729 <td>
730 Variable length field that uses Type, Length, Value (TLV) format. Type
731 takes 1 byte. Length takes 1 byte. Values takes Length bytes.
732 </td>
733 <td>
734 ID of the key that shall be retrieved from keyring to be used to decrypt
735 the file password field.
736 </td>
737 </tr>
738 <tr>
739 <td>Encrypted File Password</td>
740 <td>
741 Fixed length field that uses Type, Value format. Type takes 1 byte.
742 Value takes 32 bytes.</td>
743 <td>It is the encrypted file password.</td>
744 </tr>
745 <tr>
746 <td>IV for Encrypting File Password</td>
747 <td>
748 Fixed length field that uses Type, Value format. Type takes 1 byte.
749 Value takes 16 bytes.</td>
750 <td>
751 The iv, together with the key, is used to encrypt/decrypt the
752 file password.
753 </td>
754 </tr>
755 <tr>
756 <td>Padding</td>
757 <td>Variable length, all bytes are 0.</td>
758 <td>
759 Encryption header has 512 bytes. Above fields don't take all bytes. All
760 unused bytes are filled with 0 as padding.
761 </td>
762 </tr>
763 </table>
764*/
766 public:
767 static const char *KEY_TYPE;
768 static const int KEY_LENGTH = 32;
769 static const int HEADER_SIZE = 512;
770 static const int IV_FIELD_SIZE = 16;
771 static const int PASSWORD_FIELD_SIZE = 32;
772
774
775 ~Rpl_encryption_header_v1() override;
776
777 bool serialize(Basic_ostream *ostream) override;
778 bool deserialize(Basic_istream *istream) override;
779 char get_version() const override;
780 int get_header_size() override;
782 std::unique_ptr<Stream_cipher> get_encryptor() override;
783 std::unique_ptr<Stream_cipher> get_decryptor() override;
785#ifdef MYSQL_SERVER
786 bool encrypt_file_password(Key_string password_str) override;
787#endif
788
789 /**
790 Build a key id prefix.
791 */
792 static std::string key_id_prefix();
793 /**
794 Build a key id using the given sequence number.
795
796 @param[in] seqno The sequence number used to build key id.
797 */
798 static std::string seqno_to_key_id(uint32_t seqno);
799 /**
800 Build a key id using the given suffix.
801
802 @param[in] suffix The suffix used to build key id.
803 */
804 static std::string key_id_with_suffix(const char *suffix);
805
806 private:
807 /* The prefix for key IDs */
808 static const char *KEY_ID_PREFIX;
809 /* Expected field types */
814 };
815 /* This header implementation version */
816 char m_version = 1;
817 /* The key ID of the keyring key that encrypted the password */
818 std::string m_key_id;
819 /* The encrypted file password */
821 /* The IV used to encrypt/decrypt the file password */
823};
824#endif // RPL_LOG_ENCRYPTION_INCLUDED
The abstract class for basic byte input streams which provides read operations.
Definition: basic_istream.h:34
The abstract class for basic output streams which provides write operation.
Definition: basic_ostream.h:36
Definition: rpl_log_encryption.h:765
static std::string seqno_to_key_id(uint32_t seqno)
Build a key id using the given sequence number.
Definition: rpl_log_encryption.cc:1259
~Rpl_encryption_header_v1() override
Definition: rpl_log_encryption.cc:1035
@ KEY_ID
Definition: rpl_log_encryption.h:811
@ IV_FOR_FILE_PASSWORD
Definition: rpl_log_encryption.h:813
@ ENCRYPTED_FILE_PASSWORD
Definition: rpl_log_encryption.h:812
Key_string decrypt_file_password() override
Decrypt the file password.
Definition: rpl_log_encryption.cc:1164
static std::string key_id_with_suffix(const char *suffix)
Build a key id using the given suffix.
Definition: rpl_log_encryption.cc:1268
static const int PASSWORD_FIELD_SIZE
Definition: rpl_log_encryption.h:771
static const int HEADER_SIZE
Definition: rpl_log_encryption.h:769
Key_string m_encrypted_password
Definition: rpl_log_encryption.h:820
bool serialize(Basic_ostream *ostream) override
Serialize the header into an output stream.
Definition: rpl_log_encryption.cc:1037
bool encrypt_file_password(Key_string password_str) override
Encrypt a file password using current replication encryption master key.
Definition: rpl_log_encryption.cc:1199
Rpl_encryption_header_v1()=default
char m_version
Definition: rpl_log_encryption.h:816
static const char * KEY_TYPE
Definition: rpl_log_encryption.h:767
Key_string m_iv
Definition: rpl_log_encryption.h:822
std::string m_key_id
Definition: rpl_log_encryption.h:818
std::unique_ptr< Stream_cipher > get_encryptor() override
Factory to generate ciphers to encrypt streams based on current header.
Definition: rpl_log_encryption.cc:1190
static const int KEY_LENGTH
Definition: rpl_log_encryption.h:768
static const int IV_FIELD_SIZE
Definition: rpl_log_encryption.h:770
std::unique_ptr< Stream_cipher > get_decryptor() override
Factory to generate ciphers to decrypt streams based on current header.
Definition: rpl_log_encryption.cc:1194
static std::string key_id_prefix()
Build a key id prefix.
Definition: rpl_log_encryption.cc:1251
Key_string generate_new_file_password() override
Setup the header with current master key and generates a new random file password.
Definition: rpl_log_encryption.cc:1230
int get_header_size() override
Return the header size to be taken into account when serializing an deserializing encrypted file head...
Definition: rpl_log_encryption.cc:1160
bool deserialize(Basic_istream *istream) override
Deserialize encryption header from a stream.
Definition: rpl_log_encryption.cc:1065
static const char * KEY_ID_PREFIX
Definition: rpl_log_encryption.h:808
char get_version() const override
Get the header version.
Definition: rpl_log_encryption.cc:1158
This is the base class to serialize and deserialize a replication log file encryption header.
Definition: rpl_log_encryption.h:564
virtual std::unique_ptr< Stream_cipher > get_decryptor()=0
Factory to generate ciphers to decrypt streams based on current header.
static const char * get_key_type()
Return the default header version encryption key type.
Definition: rpl_log_encryption.cc:1028
static const int VERSION_SIZE
Definition: rpl_log_encryption.h:693
static const int VERSION_OFFSET
Definition: rpl_log_encryption.h:691
virtual ~Rpl_encryption_header()
Definition: rpl_log_encryption.cc:959
static std::unique_ptr< Rpl_encryption_header > get_header(Basic_istream *istream)
Deserialize the replication encrypted log file header from the given stream.
Definition: rpl_log_encryption.cc:972
static std::string seqno_to_key_id(uint32_t seqno)
Build a key id using the given sequence number using default header version.
Definition: rpl_log_encryption.cc:1020
static std::unique_ptr< Rpl_encryption_header > get_new_default_header()
Generate a new replication encryption header based on the default replication encrypted log file head...
Definition: rpl_log_encryption.cc:1010
virtual Key_string generate_new_file_password()=0
Setup the header with current master key and generates a new random file password.
virtual bool serialize(Basic_ostream *ostream)=0
Serialize the header into an output stream.
virtual int get_header_size()=0
Return the header size to be taken into account when serializing an deserializing encrypted file head...
static std::string key_id_with_suffix(const char *suffix)
Build a key id using the given suffix using default header version.
Definition: rpl_log_encryption.cc:1024
static const char * ENCRYPTION_MAGIC
Definition: rpl_log_encryption.h:569
static const int ENCRYPTION_MAGIC_SIZE
Definition: rpl_log_encryption.h:567
static const int OPTIONAL_FIELD_OFFSET
Definition: rpl_log_encryption.h:695
virtual std::unique_ptr< Stream_cipher > get_encryptor()=0
Factory to generate ciphers to encrypt streams based on current header.
static const char m_default_version
Definition: rpl_log_encryption.h:699
virtual bool deserialize(Basic_istream *istream)=0
Deserialize encryption header from a stream.
virtual Key_string decrypt_file_password()=0
Decrypt the file password.
virtual char get_version() const =0
Get the header version.
static std::string key_id_prefix()
Build a key id prefix using default header version.
Definition: rpl_log_encryption.cc:1016
virtual bool encrypt_file_password(Key_string password_str)=0
Encrypt a file password using current replication encryption master key.
The Rpl_encryption class is the container for the binlog encryption feature generic and server instan...
Definition: rpl_log_encryption.h:96
Rpl_encryption_key m_master_key
Definition: rpl_log_encryption.h:310
static const char * SEQNO_KEY_TYPE
Definition: rpl_log_encryption.h:278
Rpl_encryption & operator=(const Rpl_encryption &)=delete
static std::tuple< Keyring_status, void *, size_t > fetch_key_from_keyring(const std::string &key_id, const std::string &key_type)
Fetch a key from keyring.
Definition: rpl_log_encryption.cc:467
bool remove_old_master_key_seqno_from_keyring()
Remove the "old" master key sequence number key from the keyring.
Definition: rpl_log_encryption.cc:904
uint32_t m_master_key_seqno
Definition: rpl_log_encryption.h:308
Rpl_encryption(Rpl_encryption &&)=delete
bool enable(THD *thd)
Enable binlog encryption option.
Definition: rpl_log_encryption.cc:404
std::string get_master_key_seqno_key_id()
Returns the key ID of the keyring key that stores the master key sequence number.
Definition: rpl_log_encryption.cc:815
bool remove_new_master_key_seqno_from_keyring()
Remove the "new" master key sequence number key from the keyring.
Definition: rpl_log_encryption.cc:892
void disable(THD *thd)
Disable binlog encryption option.
Definition: rpl_log_encryption.cc:436
bool purge_unused_keys()
Purge unused master keys from Keyring.
Definition: rpl_log_encryption.cc:505
bool m_initialized
Definition: rpl_log_encryption.h:297
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_last_purged_master_key_seqno_from_keyring()
Get the "last_purged" master key sequence number from keyring.
Definition: rpl_log_encryption.cc:868
static void report_keyring_error(Keyring_status error)
A wrapper function to throw a binlog encryption keyring error.
Definition: rpl_log_encryption.cc:48
bool recover_master_key()
Recover the replication encryption master key from keyring.
Definition: rpl_log_encryption.cc:192
std::string get_new_master_key_seqno_key_id()
Returns the key ID of the keyring key that stores the "new" master key sequence number.
Definition: rpl_log_encryption.cc:838
Rpl_encryption & operator=(Rpl_encryption &&)=delete
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_master_key_seqno_from_keyring()
Get the master key sequence number from keyring.
Definition: rpl_log_encryption.cc:820
Keyring_status
Definition: rpl_log_encryption.h:109
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_seqno_from_keyring(std::string key_id)
Get a sequence number from the keyring.
Definition: rpl_log_encryption.cc:740
bool set_last_purged_master_key_seqno_on_keyring(uint32 seqno)
Set the "last_purged" master key sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:880
Key_rotation_step
Replication encryption master key rotation process is recoverable.
Definition: rpl_log_encryption.h:144
Rpl_encryption()=default
bool remove_key_from_keyring(std::string key_id)
Remove a key from the keyring.
Definition: rpl_log_encryption.cc:786
bool m_master_key_recovered
Definition: rpl_log_encryption.h:306
bool set_master_key_seqno_on_keyring(uint32 seqno)
Set the master key sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:826
bool m_rotate_at_startup
Definition: rpl_log_encryption.h:291
bool generate_master_key_on_keyring(uint32 seqno)
Generate a new replication master key on keyring and retrieve it.
Definition: rpl_log_encryption.cc:910
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_new_master_key_seqno_from_keyring()
Get the "new" master key sequence number from keyring.
Definition: rpl_log_encryption.cc:854
bool remove_last_purged_master_key_seqno_from_keyring()
Remove the "last_purged" master key sequence number key from the keyring.
Definition: rpl_log_encryption.cc:898
bool rotate_master_key(Key_rotation_step step=Key_rotation_step::START, uint32_t new_master_key_seqno=0)
Rotate the master key.
Definition: rpl_log_encryption.cc:568
bool set_new_master_key_seqno_on_keyring(uint32 seqno)
Set the "new" master key sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:874
void rotate_logs(THD *thd)
Rotate replication logs excluding relay logs of group replication channels.
Definition: rpl_log_encryption.cc:731
static std::pair< Keyring_status, Key_string > get_key(const std::string &key_id, const std::string &key_type)
Get the key with given key ID.
Definition: rpl_log_encryption.cc:370
Rpl_encryption(const Rpl_encryption &)=delete
std::string get_last_purged_master_key_seqno_key_id()
Returns the key ID of the keyring key that stores the "last_purged" master key sequence number.
Definition: rpl_log_encryption.cc:843
bool is_enabled()
Return is the replication logs encryption feature is enabled.
Definition: rpl_log_encryption.cc:449
bool set_old_master_key_seqno_on_keyring(uint32 seqno)
Set the "old" master key sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:886
const bool & get_enabled_var()
Definition: rpl_log_encryption.cc:458
const bool & get_master_key_rotation_at_startup_var()
Definition: rpl_log_encryption.cc:460
bool initialize()
Initialize the rpl_encryption instance.
Definition: rpl_log_encryption.cc:105
bool remove_master_key_seqno_from_keyring()
Remove the master key sequence number key from the keyring.
Definition: rpl_log_encryption.cc:832
static const int SEQNO_KEY_LENGTH
Definition: rpl_log_encryption.h:280
bool remove_remaining_seqnos_from_keyring()
Remove remaining old/new master key index in order to cleanup any previous master key rotation.
Definition: rpl_log_encryption.cc:130
const Rpl_encryption_key get_master_key()
Return the current replication encryption master key.
Definition: rpl_log_encryption.cc:361
bool set_seqno_on_keyring(std::string key_id, uint32_t seqno)
Set a sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:752
bool m_enabled
Definition: rpl_log_encryption.h:285
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_old_master_key_seqno_from_keyring()
Get the "old" master key sequence number from keyring.
Definition: rpl_log_encryption.cc:861
std::string get_old_master_key_seqno_key_id()
Returns the key ID of the keyring key that stores the "old" master key sequence number.
Definition: rpl_log_encryption.cc:848
bool m_skip_logs_rotation
Definition: rpl_log_encryption.h:315
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_lexer_thd.h:35
Some integer typedefs for easier portability.
uint32_t uint32
Definition: my_inttypes.h:66
int key_type
Definition: http_request.h:49
Rpl_encryption rpl_encryption
Definition: rpl_log_encryption.cc:46
This file includes core components for encrypting/decrypting binary log files.
std::basic_string< unsigned char > Key_string
Definition: stream_cipher.h:37
Definition: sql_resultset.h:35
Definition: rpl_log_encryption.h:98
Key_string m_value
Definition: rpl_log_encryption.h:100
std::string m_id
Definition: rpl_log_encryption.h:99