MySQL  8.0.17
Source Code Documentation
rpl_log_encryption.h
Go to the documentation of this file.
1 /* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
2 
3  This program is free software; you can redistribute it and/or modify
4  it under the terms of the GNU General Public License, version 2.0,
5  as published by the Free Software Foundation.
6 
7  This program is also distributed with certain software (including
8  but not limited to OpenSSL) that is licensed under separate terms,
9  as designated in a particular file or component or in included license
10  documentation. The authors of MySQL hereby grant you an additional
11  permission to link the program and your derivative works with the
12  separately licensed software that they have included with MySQL.
13 
14  This program is distributed in the hope that it will be useful,
15  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  GNU General Public License, version 2.0, for more details.
18 
19  You should have received a copy of the GNU General Public License
20  along with this program; if not, write to the Free Software
21  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22 
23 #ifndef RPL_LOG_ENCRYPTION_INCLUDED
24 #define RPL_LOG_ENCRYPTION_INCLUDED
25 
26 #include <openssl/evp.h>
27 #include <sql/basic_istream.h>
28 #include <sql/basic_ostream.h>
29 #include <sql/sql_class.h>
30 #include <sql/stream_cipher.h>
31 #include <map>
32 #include <string>
33 
34 /**
35  @file rpl_log_encryption.h
36 
37  @brief This file includes the major components for encrypting/decrypting
38  binary log files.
39 
40  * Replication logs
41 
42  Here, replication logs includes both the binary and relay log files.
43 
44  * File Level Encryption
45 
46  - All standard binary log file data (including BINLOG_MAGIC) in replication
47  logs are encrypted.
48 
49  - A replication log file is either encrypted or not (standard binary log
50  file). It is not possible that part of a log file is encrypted and part
51  of it is non-encrypted.
52 
53  - There is an encryption header in the begin of each encrypted replication
54  log file.
55 
56  <pre>
57  +--------------------+
58  | Encryption Header |
59  +--------------------+
60  | Encrypted Data |
61  +--------------------+
62  </pre>
63 
64  The encrypted replication file header includes necessary information to
65  decrypt the encrypted data of the file (the standard binary log file
66  data). For detail, check Rpl_encryption_header class.
67 
68  * Two Tier Keys
69 
70  Replication logs are encrypted with two tier keys. A 'File Password' for
71  encrypting the standard binary log file data and a 'Replication Encryption
72  Key' for encrypting the 'File Password'.
73 
74  - File password
75 
76  Each replication log file has a password. A file key used to encrypt the
77  file is generated from the file password. The encrypted 'File Password'
78  is stored into encryption header of the file. For details, check
79  Rpl_encryption_header class.
80 
81  - Replication encryption key
82 
83  A replication encryption key is used to encrypt/decrypt the file
84  password stored in an encrypted replication file header. It is generated
85  by keyring and stored in/retrieved from keyring.
86 */
87 #ifdef MYSQL_SERVER
88 
89 /**
90  The Rpl_encryption class is the container for the binlog encryption feature
91  generic and server instance functions.
92 */
94  public:
96  std::string m_id;
98  };
99 
100  Rpl_encryption() = default;
101  Rpl_encryption(const Rpl_encryption &) = delete;
102  Rpl_encryption(Rpl_encryption &&) = delete;
103  Rpl_encryption &operator=(const Rpl_encryption &) = delete;
105 
106  enum class Keyring_status {
107  SUCCESS = 0,
109  KEY_NOT_FOUND = 2,
116  };
117  /**
118  A wrapper function to throw a binlog encryption keyring error.
119  The wrapper will decide if the error will be reported to the client session
120  or to the server error log according to current_thd.
121 
122  @param error The Keyring_status to be reported.
123  */
125  /**
126  A wrapper function to throw a replication logs encryption keyring error,
127  reporting also the key ID.
128  The wrapper will decide if the error will be reported to the client session
129  or to the server error log according to current_thd.
130 
131  @param error The Keyring_status to be reported.
132  @param key_id The key ID to appear in the error message.
133  */
134  static void report_keyring_error(Keyring_status error, const char *key_id);
135 
136  /**
137  Replication encryption master key rotation process is recoverable. The
138  steps defined in the enum class below are the steps from which the rotation
139  process may continue after an unexpected interruption.
140  */
141  enum class Key_rotation_step {
142  START,
147  ROTATE_LOGS,
150  };
151 
152  /**
153  Initialize the rpl_encryption instance. This initialization shall be called
154  after generating/loading the server UUID and before opening new binary and
155  relay log files for writing.
156 
157  When the replication_logs_encrypt option is on at server startup, the
158  initialization process will try to recover master key and may generate
159  a new replication master key if needed.
160 
161  @retval false Success.
162  @retval true Error.
163  */
164  bool initialize();
165  /**
166  Remove remaining old/new master key index in order to cleanup any previous
167  master key rotation.
168 
169  @retval false Success.
170  @retval true Error.
171  */
173  /**
174  Recover the replication encryption master key from keyring.
175 
176  The recovery of the master key process starts by trying to read the
177  replication master key information from keyring (the master key sequence
178  number, and the master key itself).
179 
180  Then, if detected that a key rotation did not completed properly, tries to
181  continue the master key rotation.
182 
183  When recovery is successful, the m_master_key_recovered flag is set true.
184 
185  @retval false Success.
186  @retval true Error.
187  */
188  bool recover_master_key();
189  /**
190  Return the current replication encryption master key.
191 
192  @return The current replication encryption master key.
193  */
194  const Rpl_encryption_key get_master_key();
195 
196  /**
197  Get the key with given key ID. The key to be returned will be retrieved
198  from the keyring or from a cached copy in memory.
199 
200  @param[in] key_id ID of the key to be returned.
201  @param[in] key_type Expected type of the key to be returned.
202 
203  @return A pair containing the status of the operation (Keyring_status) and
204  a Key_string. Errors shall be checked by consulting the status.
205  */
206  static std::pair<Keyring_status, Key_string> get_key(
207  const std::string &key_id, const std::string &key_type);
208 
209  /**
210  Get the key with given key ID. The key to be returned will be retrieved
211  from the keyring or from a cached copy in memory.
212 
213  @param[in] key_id ID of the key to be returned.
214  @param[in] key_type Expected type of the key to be returned.
215  @param[in] key_size Expected size of the key to be returned.
216 
217  @return A pair containing the status of the operation (Keyring_status) and
218  a Key_string. Errors shall be checked by consulting the status.
219  */
220  static std::pair<Keyring_status, Key_string> get_key(
221  const std::string &key_id, const std::string &key_type, size_t key_size);
222 
223  /**
224  Enable binlog encryption option. It will generate a new global key if
225  there is no master key yet. Then rotate replication logs to make encryption
226  effective immediately.
227 
228  Replication logs rotation errors don't fail, but they will throw a warning.
229 
230  @param[in] thd the thd object of the session.
231 
232  @retval false Success.
233  @retval true Error. If error happens when generating new key, it will fail.
234  */
235  bool enable(THD *thd);
236  /**
237  Disable binlog encryption option. It rotates replication logs to make
238  encryption ineffective immediately.
239 
240  Replication logs rotation errors don't fail, but they will throw a warning.
241 
242  @param[in] thd the thd object of the session.
243  */
244  void disable(THD *thd);
245  /**
246  Return is the replication logs encryption feature is enabled.
247 
248  @retval false The feature is disabled.
249  @retval true The feature is enabled.
250  */
251  bool is_enabled();
252  const bool &get_enabled_var();
254  /**
255  Purge unused master keys from Keyring.
256 
257  @retval false Success.
258  @retval true Error.
259  */
260  bool purge_unused_keys();
261  /**
262  Rotate the master key.
263 
264  @param step Step to start the process (it might be recovering).
265  @param new_master_key_seqno When recovering, this is the new master key
266  sequence number detected by recovery process.
267  @retval false Success.
268  @retval true Error.
269  */
271  uint32_t new_master_key_seqno = 0);
272 
273  private:
274  /* Define the keyring key type for keys storing sequence numbers */
275  static const char *SEQNO_KEY_TYPE;
276  /* Define the keyring key length for keys storing sequence numbers */
277  static const int SEQNO_KEY_LENGTH = 16;
278  /*
279  Sys_binlog_encryption uses m_enabled as the storage of global var
280  binlog_encryption.
281  */
282  bool m_enabled = false;
283  /*
284  Sys_binlog_rotate_encryption_master_key_at_startup uses
285  m_rotate_at_startup as the storage of global var
286  binlog_rotate_encryption_master_key_at_startup.
287  */
288  bool m_rotate_at_startup = false;
289 #ifndef DBUG_OFF
290  /*
291  This variable is only used to assert that enable(), disable() and
292  get_master_key() functions are called only after initialize() was called.
293  */
294  bool m_initialized = false;
295 #endif
296  /*
297  The replication logs encryption only needs to recover the current
298  replication master key if the binlog_encryption option is enabled.
299 
300  This flag will be set true after a successful replication master key
301  recovery.
302  */
304  /* The sequence number of the replication master key. */
305  uint32_t m_master_key_seqno = 0;
306  /* The current replication master key */
308  /*
309  Flag to avoid double logs rotation when enabling the option and
310  recovering from master key rotation.
311  */
312  bool m_skip_logs_rotation = false;
313 
314  /**
315  Fetch a key from keyring. When error happens, it either reports an error to
316  user or write an error to log accordingly.
317 
318  @param[in] key_id ID of the key to be returned.
319  @param[in] key_type Expected type of the key to be returned.
320 
321  @return A tuple containing the status of the operation (Keyring_status), a
322  pointer to the fetched key (nullptr if the key was not fetched) and
323  the returned key size. Errors shall be checked by consulting the
324  status.
325  */
326  static std::tuple<Keyring_status, void *, size_t> fetch_key_from_keyring(
327  const std::string &key_id, const std::string &key_type);
328 
329  /**
330  Rotate replication logs excluding relay logs of group replication channels.
331  If error happens, it will either report a warning to session user.
332 
333  @param[in] thd The thd object of current session.
334  */
335  void rotate_logs(THD *thd);
336 
337  /**
338  Get a sequence number from the keyring. The sequence number to be returned
339  will be extracted from the key retrieved from the keyring. No caching shall
340  be used for this function.
341 
342  @param[in] key_id ID of the key to extract the sequence number from.
343 
344  @return A pair containing the status of the operation (Keyring_status) and
345  a sequence number. Errors shall be checked by consulting the status.
346  */
347  std::pair<Rpl_encryption::Keyring_status, uint32_t> get_seqno_from_keyring(
348  std::string key_id);
349  /**
350  Set a sequence number into a key and store it into keyring.
351 
352  @param[in] key_id ID of the key to set the sequence number.
353  @param[in] seqno The sequence number to be set.
354 
355  @retval false Success.
356  @retval true Error.
357  */
358  bool set_seqno_on_keyring(std::string key_id, uint32_t seqno);
359  /**
360  Remove a key from the keyring.
361 
362  @param[in] key_id ID of the key to be removed from keyring.
363 
364  @retval false Success.
365  @retval true Error.
366  */
367  bool remove_key_from_keyring(std::string key_id);
368  /**
369  Returns the key ID of the keyring key that stores the master key sequence
370  number.
371 
372  @return The key ID.
373  */
374  std::string get_master_key_seqno_key_id();
375  /**
376  Get the master key sequence number from keyring.
377 
378  @return A pair containing the status of the operation (Keyring_status) and
379  a sequence number. Errors shall be checked by consulting the status.
380  */
381  std::pair<Rpl_encryption::Keyring_status, uint32_t>
383  /**
384  Set the master key sequence number into a key and store it into keyring.
385 
386  @retval false Success.
387  @retval true Error.
388  */
390  /**
391  Remove the master key sequence number key from the keyring.
392 
393  @retval false Success.
394  @retval true Error.
395  */
397  /**
398  Returns the key ID of the keyring key that stores the "new" master key
399  sequence number.
400 
401  @return The key ID.
402  */
403  std::string get_new_master_key_seqno_key_id();
404  /**
405  Returns the key ID of the keyring key that stores the "last_purged"
406  master key sequence number.
407 
408  @return The key ID.
409  */
411  /**
412  Returns the key ID of the keyring key that stores the "old" master key
413  sequence number.
414 
415  @return The key ID.
416  */
417  std::string get_old_master_key_seqno_key_id();
418  /**
419  Get the "new" master key sequence number from keyring.
420 
421  @return A pair containing the status of the operation (Keyring_status) and
422  a sequence number. Errors shall be checked by consulting the status.
423  */
424  std::pair<Rpl_encryption::Keyring_status, uint32_t>
426  /**
427  Get the "old" master key sequence number from keyring.
428 
429  @return A pair containing the status of the operation (Keyring_status) and
430  a sequence number. Errors shall be checked by consulting the status.
431  */
432  std::pair<Rpl_encryption::Keyring_status, uint32_t>
434  /**
435  Get the "last_purged" master key sequence number from keyring.
436 
437  @return A pair containing the status of the operation (Keyring_status) and
438  a sequence number. Errors shall be checked by consulting the status.
439  */
440  std::pair<Rpl_encryption::Keyring_status, uint32_t>
442  /**
443  Set the "new" master key sequence number into a key and store it into
444  keyring.
445 
446  @retval false Success.
447  @retval true Error.
448  */
450  /**
451  Set the "last_purged" master key sequence number into a key and store it
452  into keyring.
453 
454  @retval false Success.
455  @retval true Error.
456  */
458  /**
459  Set the "old" master key sequence number into a key and store it into
460  keyring.
461 
462  @retval false Success.
463  @retval true Error.
464  */
466  /**
467  Remove the "new" master key sequence number key from the keyring.
468 
469  @retval false Success.
470  @retval true Error.
471  */
473  /**
474  Remove the "last_purged" master key sequence number key from the keyring.
475 
476  @retval false Success.
477  @retval true Error.
478  */
480  /**
481  Remove the "old" master key sequence number key from the keyring.
482 
483  @retval false Success.
484  @retval true Error.
485  */
487  /**
488  Generate a new replication master key on keyring and retrieve it.
489 
490  @param[in] seqno The sequence number of the master key.
491 
492  @retval false Success.
493  @retval true Error.
494  */
496 };
497 
499 #endif // MYSQL_SERVER
500 
501 /**
502  @class Rpl_encryption_header
503 
504  This is the base class to serialize and deserialize a replication log file
505  encryption header.
506 
507  The new encrypted binary log file format is composed of two parts:
508 
509  <pre>
510  +---------------------+
511  | Encryption Header |
512  +---------------------+
513  | Encrypted Data |
514  +---------------------+
515  </pre>
516 
517  The encryption header exists only in the begin of encrypted replication log
518  files.
519 
520  <pre>
521  +------------------------+----------------------------------------------+
522  | MAGIC HEADER (4 bytes) | Replication logs encryption version (1 byte) |
523  +------------------------+----------------------------------------------+
524  | Version specific encryption header data |
525  +-----------------------------------------------------------------------+
526  Encryption Header Format
527  </pre>
528 
529  <table>
530  <caption>Encryption Header Format</caption>
531  <tr>
532  <th>Name</th>
533  <th>Format</th>
534  <th>Description</th>
535  </tr>
536  <tr>
537  <td>Magic Header</td>
538  <td>4 Bytes</td>
539  <td>
540  The content is always 0xFD62696E. It is similar to Binlog Magic Header.
541  Binlog magic header is: 0xFE62696e.
542  </td>
543  <tr>
544  <td>Replication logs encryption version</td>
545  <td>1 Byte</td>
546  <td>
547  The replication logs encryption version defines how the header shall be
548  deserialized and how the Encrypted Data shall be decrypted.
549  </td>
550  </tr>
551  <tr>
552  <td>Version specific encryption data header</td>
553  <td>Depends on the version field</td>
554  <td>
555  Data required to fetch a replication key from keyring and deserialize
556  the Encrypted Data.
557  </td>
558  </tr>
559  </table>
560 */
562  public:
563  /* Same as BINLOG_MAGIC_SIZE */
564  static const int ENCRYPTION_MAGIC_SIZE = 4;
565  /* The magic for an encrypted replication log file */
566  static const char *ENCRYPTION_MAGIC;
567 
568  virtual ~Rpl_encryption_header();
569 
570  /**
571  Deserialize the replication encrypted log file header from the given stream.
572  This function shall be called right after reading the magic from the stream.
573  It will read the version of the encrypted log file header, instantiate a
574  proper Rpl_encryption_header based on version and delegate the rest of the
575  header deserialization to the new instance.
576 
577  @param istream The stream containing the header to deserialize.
578 
579  @return A Rpl_encryption_header on success or nullptr on failure.
580  */
581  static std::unique_ptr<Rpl_encryption_header> get_header(
582  Basic_istream *istream);
583  /**
584  Generate a new replication encryption header based on the default
585  replication encrypted log file header version.
586 
587  @return A Rpl_encryption_header of default version.
588  */
589  static std::unique_ptr<Rpl_encryption_header> get_new_default_header();
590  /**
591  Serialize the header into an output stream.
592 
593  @param ostream The output stream to serialize the header.
594 
595  @retval false Success.
596  @retval true Error.
597  */
598  virtual bool serialize(Basic_ostream *ostream) = 0;
599  /**
600  Deserialize encryption header from a stream.
601 
602  @param[in] istream The input stream for deserializing the encryption
603  header.
604 
605  @retval false Success.
606  @retval true Error.
607  */
608  virtual bool deserialize(Basic_istream *istream) = 0;
609  /**
610  Get the header version.
611 
612  @return The header version.
613  */
614  virtual char get_version() const = 0;
615  /**
616  Return the header size to be taken into account when serializing an
617  deserializing encrypted file headers from replication log files.
618 
619  @return The size of the header for the header version.
620  */
621  virtual int get_header_size() = 0;
622  /**
623  Decrypt the file password.
624  */
625  virtual Key_string decrypt_file_password() = 0;
626  /**
627  Factory to generate ciphers to encrypt streams based on current header.
628 
629  @return A Stream_cipher for this header version or nullptr on failure.
630  */
631  virtual std::unique_ptr<Stream_cipher> get_encryptor() = 0;
632  /**
633  Factory to generate ciphers to decrypt streams based on current header.
634 
635  @return A Stream_cipher for this header version or nullptr on failure.
636  */
637  virtual std::unique_ptr<Stream_cipher> get_decryptor() = 0;
638  /**
639  Setup the header with current master key and generates a new random file
640  password. This function shall be called when creating new replication
641  log files.
642 
643  @return The new file password, or an empty password if error happens.
644  */
646 #ifdef MYSQL_SERVER
647  /**
648  Encrypt a file password using current replication encryption master key.
649 
650  @param[in] password_str The plain file password.
651 
652  @retval false Success.
653  @retval true Error.
654  */
655  virtual bool encrypt_file_password(Key_string password_str) = 0;
656 #endif
657  /**
658  Build a key id prefix using default header version.
659 
660  @return A key ID prefix.
661  */
662  static std::string key_id_prefix();
663  /**
664  Build a key id using the given sequence number using default header version.
665 
666  @param[in] seqno The sequence number used to build key id.
667 
668  @return A key ID with a sequence number.
669  */
670  static std::string seqno_to_key_id(uint32_t seqno);
671  /**
672  Build a key id using the given suffix using default header version.
673 
674  @param[in] suffix The suffix used to build key id.
675 
676  @return A key ID with a suffix.
677  */
678  static std::string key_id_with_suffix(const char *suffix);
679  /**
680  Return the default header version encryption key type.
681 
682  @return The encrypted key type.
683  */
684  static const char *get_key_type();
685 
686  protected:
687  /* Offset of the version field in the header */
689  /* Size of the version field in the header */
690  static const int VERSION_SIZE = 1;
691  /* Offset of the optional header fields in the header */
693 
694  private:
695  /* The default header version for new headers */
696  static const char m_default_version = 1;
697 };
698 
699 /**
700  @class Rpl_encryption_header_v1
701 
702  <pre>
703  +------------------------+----------------------------------------------+
704  | MAGIC HEADER (4 bytes) | Replication logs encryption version (1 byte) |
705  +------------------------+----------------------------------------------+
706  | Replication Encryption Key ID (60 to 69 bytes) |
707  +-----------------------------------------------------------------------+
708  | Encrypted File Password (33 bytes) |
709  +-----------------------------------------------------------------------+
710  | IV For Encrypting File Password (17 bytes) |
711  +-----------------------------------------------------------------------+
712  | Padding (388 to 397 bytes) |
713  +-----------------------------------------------------------------------+
714  Encrypted binary log file header format version 1
715  </pre>
716 
717  <table>
718  <caption>Encrypted binary log file header format version 1</caption>
719  <tr>
720  <th>Name</th>
721  <th>Format</th>
722  <th>Description</th>
723  </tr>
724  <tr>
725  <td>Replication Encryption Key ID</td>
726  <td>
727  Variable length field that uses Type, Length, Value (TLV) format. Type
728  takes 1 byte. Length takes 1 byte. Values takes Length bytes.
729  </td>
730  <td>
731  ID of the key that shall be retrieved from keyring to be used to decrypt
732  the file password field.
733  </td>
734  </tr>
735  <tr>
736  <td>Encrypted File Password</td>
737  <td>
738  Fixed length field that uses Type, Value format. Type takes 1 byte.
739  Value takes 32 bytes.</td>
740  <td>It is the encrypted file password.</td>
741  </tr>
742  <tr>
743  <td>IV for Encrypting File Password</td>
744  <td>
745  Fixed length field that uses Type, Value format. Type takes 1 byte.
746  Value takes 16 bytes.</td>
747  <td>
748  The iv, together with the key, is used to encrypt/decrypt the
749  file password.
750  </td>
751  </tr>
752  <tr>
753  <td>Padding</td>
754  <td>Variable length, all bytes are 0.</td>
755  <td>
756  Encryption header has 512 bytes. Above fields don't take all bytes. All
757  unused bytes are filled with 0 as padding.
758  </td>
759  </tr>
760  </table>
761 */
763  public:
764  static const char *KEY_TYPE;
765  static const int KEY_LENGTH = 32;
766  static const int HEADER_SIZE = 512;
767  static const int IV_FIELD_SIZE = 16;
768  static const int PASSWORD_FIELD_SIZE = 32;
769 
770  Rpl_encryption_header_v1() = default;
771 
772  ~Rpl_encryption_header_v1() override;
773 
774  bool serialize(Basic_ostream *ostream) override;
775  bool deserialize(Basic_istream *istream) override;
776  char get_version() const override;
777  int get_header_size() override;
779  std::unique_ptr<Stream_cipher> get_encryptor() override;
780  std::unique_ptr<Stream_cipher> get_decryptor() override;
782 #ifdef MYSQL_SERVER
783  bool encrypt_file_password(Key_string password_str) override;
784 #endif
785 
786  /**
787  Build a key id prefix.
788  */
789  static std::string key_id_prefix();
790  /**
791  Build a key id using the given sequence number.
792 
793  @param[in] seqno The sequence number used to build key id.
794  */
795  static std::string seqno_to_key_id(uint32_t seqno);
796  /**
797  Build a key id using the given suffix.
798 
799  @param[in] suffix The suffix used to build key id.
800  */
801  static std::string key_id_with_suffix(const char *suffix);
802 
803  private:
804  /* The prefix for key IDs */
805  static const char *KEY_ID_PREFIX;
806  /* Expected field types */
807  enum Field_type {
808  KEY_ID = 1,
811  };
812  /* This header implementation version */
813  char m_version = 1;
814  /* The key ID of the keyring key that encrypted the password */
815  std::string m_key_id;
816  /* The encrypted file password */
818  /* The IV used to encrypt/decrypt the file password */
820 };
821 #endif // RPL_LOG_ENCRYPTION_INCLUDED
static const char * get_key_type()
Return the default header version encryption key type.
Definition: rpl_log_encryption.cc:1023
static const char m_default_version
Definition: rpl_log_encryption.h:696
Rpl_encryption_header_v1()=default
The Rpl_encryption class is the container for the binlog encryption feature generic and server instan...
Definition: rpl_log_encryption.h:93
static std::string key_id_with_suffix(const char *suffix)
Build a key id using the given suffix.
Definition: rpl_log_encryption.cc:1266
std::string get_master_key_seqno_key_id()
Returns the key ID of the keyring key that stores the master key sequence number. ...
Definition: rpl_log_encryption.cc:807
std::unique_ptr< Stream_cipher > get_encryptor() override
Factory to generate ciphers to encrypt streams based on current header.
Definition: rpl_log_encryption.cc:1188
std::unique_ptr< Stream_cipher > get_decryptor() override
Factory to generate ciphers to decrypt streams based on current header.
Definition: rpl_log_encryption.cc:1192
void rotate_logs(THD *thd)
Rotate replication logs excluding relay logs of group replication channels.
Definition: rpl_log_encryption.cc:722
static const int VERSION_OFFSET
Definition: rpl_log_encryption.h:688
bool m_enabled
Definition: rpl_log_encryption.h:282
virtual Key_string generate_new_file_password()=0
Setup the header with current master key and generates a new random file password.
bool initialize()
Initialize the rpl_encryption instance.
Definition: rpl_log_encryption.cc:100
std::string get_old_master_key_seqno_key_id()
Returns the key ID of the keyring key that stores the "old" master key sequence number.
Definition: rpl_log_encryption.cc:840
bool remove_key_from_keyring(std::string key_id)
Remove a key from the keyring.
Definition: rpl_log_encryption.cc:778
static std::string seqno_to_key_id(uint32_t seqno)
Build a key id using the given sequence number.
Definition: rpl_log_encryption.cc:1257
bool set_master_key_seqno_on_keyring(uint32 seqno)
Set the master key sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:818
Rpl_encryption & operator=(const Rpl_encryption &)=delete
static int key_type
Definition: mi_test1.cc:38
const bool & get_enabled_var()
Definition: rpl_log_encryption.cc:454
static std::string key_id_prefix()
Build a key id prefix.
Definition: rpl_log_encryption.cc:1249
virtual std::unique_ptr< Stream_cipher > get_decryptor()=0
Factory to generate ciphers to decrypt streams based on current header.
Definition: rpl_log_encryption.h:762
static std::pair< Keyring_status, Key_string > get_key(const std::string &key_id, const std::string &key_type)
Get the key with given key ID.
Definition: rpl_log_encryption.cc:365
static const int SEQNO_KEY_LENGTH
Definition: rpl_log_encryption.h:277
Definition: rpl_log_encryption.h:95
bool m_initialized
Definition: rpl_log_encryption.h:294
bool deserialize(Basic_istream *istream) override
Deserialize encryption header from a stream.
Definition: rpl_log_encryption.cc:1063
bool m_rotate_at_startup
Definition: rpl_log_encryption.h:288
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_master_key_seqno_from_keyring()
Get the master key sequence number from keyring.
Definition: rpl_log_encryption.cc:812
const bool & get_master_key_rotation_at_startup_var()
Definition: rpl_log_encryption.cc:456
bool m_master_key_recovered
Definition: rpl_log_encryption.h:303
Rpl_encryption rpl_encryption
Definition: rpl_log_encryption.cc:41
Definition: rpl_log_encryption.h:809
Definition: rpl_log_encryption.h:810
int get_header_size() override
Return the header size to be taken into account when serializing an deserializing encrypted file head...
Definition: rpl_log_encryption.cc:1158
Key_string m_value
Definition: rpl_log_encryption.h:97
static const int OPTIONAL_FIELD_OFFSET
Definition: rpl_log_encryption.h:692
Key_string decrypt_file_password() override
Decrypt the file password.
Definition: rpl_log_encryption.cc:1162
std::string get_new_master_key_seqno_key_id()
Returns the key ID of the keyring key that stores the "new" master key sequence number.
Definition: rpl_log_encryption.cc:830
char get_version() const override
Get the header version.
Definition: rpl_log_encryption.cc:1156
bool serialize(Basic_ostream *ostream) override
Serialize the header into an output stream.
Definition: rpl_log_encryption.cc:1035
std::string m_key_id
Definition: rpl_log_encryption.h:815
bool is_enabled()
Return is the replication logs encryption feature is enabled.
Definition: rpl_log_encryption.cc:445
virtual std::unique_ptr< Stream_cipher > get_encryptor()=0
Factory to generate ciphers to encrypt streams based on current header.
static void report_keyring_error(Keyring_status error)
A wrapper function to throw a binlog encryption keyring error.
Definition: rpl_log_encryption.cc:43
uint32_t m_master_key_seqno
Definition: rpl_log_encryption.h:305
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_old_master_key_seqno_from_keyring()
Get the "old" master key sequence number from keyring.
Definition: rpl_log_encryption.cc:853
const Rpl_encryption_key get_master_key()
Return the current replication encryption master key.
Definition: rpl_log_encryption.cc:356
virtual bool serialize(Basic_ostream *ostream)=0
Serialize the header into an output stream.
static const char * KEY_TYPE
Definition: rpl_log_encryption.h:764
static std::string key_id_with_suffix(const char *suffix)
Build a key id using the given suffix using default header version.
Definition: rpl_log_encryption.cc:1019
static std::unique_ptr< Rpl_encryption_header > get_new_default_header()
Generate a new replication encryption header based on the default replication encrypted log file head...
Definition: rpl_log_encryption.cc:1005
bool rotate_master_key(Key_rotation_step step=Key_rotation_step::START, uint32_t new_master_key_seqno=0)
Rotate the master key.
Definition: rpl_log_encryption.cc:559
bool remove_remaining_seqnos_from_keyring()
Remove remaining old/new master key index in order to cleanup any previous master key rotation...
Definition: rpl_log_encryption.cc:125
static const char * KEY_ID_PREFIX
Definition: rpl_log_encryption.h:805
virtual bool deserialize(Basic_istream *istream)=0
Deserialize encryption header from a stream.
bool purge_unused_keys()
Purge unused master keys from Keyring.
Definition: rpl_log_encryption.cc:496
This is the base class to serialize and deserialize a replication log file encryption header...
Definition: rpl_log_encryption.h:561
bool encrypt_file_password(Key_string password_str) override
Encrypt a file password using current replication encryption master key.
Definition: rpl_log_encryption.cc:1197
virtual bool encrypt_file_password(Key_string password_str)=0
Encrypt a file password using current replication encryption master key.
Rpl_encryption_key m_master_key
Definition: rpl_log_encryption.h:307
static std::string key_id_prefix()
Build a key id prefix using default header version.
Definition: rpl_log_encryption.cc:1011
The abstract class for basic output streams which provides write operation.
Definition: basic_ostream.h:32
virtual char get_version() const =0
Get the header version.
uint32_t uint32
Definition: my_inttypes.h:62
Rpl_encryption()=default
static std::string seqno_to_key_id(uint32_t seqno)
Build a key id using the given sequence number using default header version.
Definition: rpl_log_encryption.cc:1015
static const char * ENCRYPTION_MAGIC
Definition: rpl_log_encryption.h:566
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_new_master_key_seqno_from_keyring()
Get the "new" master key sequence number from keyring.
Definition: rpl_log_encryption.cc:846
std::string get_last_purged_master_key_seqno_key_id()
Returns the key ID of the keyring key that stores the "last_purged" master key sequence number...
Definition: rpl_log_encryption.cc:835
bool set_last_purged_master_key_seqno_on_keyring(uint32 seqno)
Set the "last_purged" master key sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:872
bool remove_old_master_key_seqno_from_keyring()
Remove the "old" master key sequence number key from the keyring.
Definition: rpl_log_encryption.cc:897
Key_string generate_new_file_password() override
Setup the header with current master key and generates a new random file password.
Definition: rpl_log_encryption.cc:1228
bool set_seqno_on_keyring(std::string key_id, uint32_t seqno)
Set a sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:744
Key_rotation_step
Replication encryption master key rotation process is recoverable.
Definition: rpl_log_encryption.h:141
std::string m_id
Definition: rpl_log_encryption.h:96
bool remove_new_master_key_seqno_from_keyring()
Remove the "new" master key sequence number key from the keyring.
Definition: rpl_log_encryption.cc:884
static const int VERSION_SIZE
Definition: rpl_log_encryption.h:690
bool set_new_master_key_seqno_on_keyring(uint32 seqno)
Set the "new" master key sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:866
virtual ~Rpl_encryption_header()
Definition: rpl_log_encryption.cc:951
Key_string m_encrypted_password
Definition: rpl_log_encryption.h:817
bool enable(THD *thd)
Enable binlog encryption option.
Definition: rpl_log_encryption.cc:399
char m_version
Definition: rpl_log_encryption.h:813
static const int IV_FIELD_SIZE
Definition: rpl_log_encryption.h:767
bool set_old_master_key_seqno_on_keyring(uint32 seqno)
Set the "old" master key sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:878
static const int ENCRYPTION_MAGIC_SIZE
Definition: rpl_log_encryption.h:564
static std::unique_ptr< Rpl_encryption_header > get_header(Basic_istream *istream)
Deserialize the replication encrypted log file header from the given stream.
Definition: rpl_log_encryption.cc:967
Field_type
Definition: rpl_log_encryption.h:807
Definition: rpl_log_encryption.h:808
bool remove_last_purged_master_key_seqno_from_keyring()
Remove the "last_purged" master key sequence number key from the keyring.
Definition: rpl_log_encryption.cc:890
static const int PASSWORD_FIELD_SIZE
Definition: rpl_log_encryption.h:768
Key_string m_iv
Definition: rpl_log_encryption.h:819
static const int HEADER_SIZE
Definition: rpl_log_encryption.h:766
static const char * SEQNO_KEY_TYPE
Definition: rpl_log_encryption.h:275
bool remove_master_key_seqno_from_keyring()
Remove the master key sequence number key from the keyring.
Definition: rpl_log_encryption.cc:824
~Rpl_encryption_header_v1() override
Definition: rpl_log_encryption.cc:1030
The abstract class for basic byte input streams which provides read operations.
Definition: basic_istream.h:32
virtual int get_header_size()=0
Return the header size to be taken into account when serializing an deserializing encrypted file head...
bool m_skip_logs_rotation
Definition: rpl_log_encryption.h:312
static std::tuple< Keyring_status, void *, size_t > fetch_key_from_keyring(const std::string &key_id, const std::string &key_type)
Fetch a key from keyring.
Definition: rpl_log_encryption.cc:463
static const int KEY_LENGTH
Definition: rpl_log_encryption.h:765
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_last_purged_master_key_seqno_from_keyring()
Get the "last_purged" master key sequence number from keyring.
Definition: rpl_log_encryption.cc:860
bool recover_master_key()
Recover the replication encryption master key from keyring.
Definition: rpl_log_encryption.cc:187
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_seqno_from_keyring(std::string key_id)
Get a sequence number from the keyring.
Definition: rpl_log_encryption.cc:732
Keyring_status
Definition: rpl_log_encryption.h:106
bool generate_master_key_on_keyring(uint32 seqno)
Generate a new replication master key on keyring and retrieve it.
Definition: rpl_log_encryption.cc:903
This file includes core components for encrypting/decrypting binary log files.
std::basic_string< unsigned char > Key_string
Definition: stream_cipher.h:37
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_class.h:777
void disable(THD *thd)
Disable binlog encryption option.
Definition: rpl_log_encryption.cc:431
virtual Key_string decrypt_file_password()=0
Decrypt the file password.
Log error(cerr, "ERROR")