MySQL  8.0.27
Source Code Documentation
rpl_log_encryption.h
Go to the documentation of this file.
1 /* Copyright (c) 2018, 2021, Oracle and/or its affiliates.
2 
3  This program is free software; you can redistribute it and/or modify
4  it under the terms of the GNU General Public License, version 2.0,
5  as published by the Free Software Foundation.
6 
7  This program is also distributed with certain software (including
8  but not limited to OpenSSL) that is licensed under separate terms,
9  as designated in a particular file or component or in included license
10  documentation. The authors of MySQL hereby grant you an additional
11  permission to link the program and your derivative works with the
12  separately licensed software that they have included with MySQL.
13 
14  This program is distributed in the hope that it will be useful,
15  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  GNU General Public License, version 2.0, for more details.
18 
19  You should have received a copy of the GNU General Public License
20  along with this program; if not, write to the Free Software
21  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22 
23 #ifndef RPL_LOG_ENCRYPTION_INCLUDED
24 #define RPL_LOG_ENCRYPTION_INCLUDED
25 
26 #include <openssl/evp.h>
27 #include <sql/stream_cipher.h>
28 #include <stdint.h>
29 #include <map>
30 #include <string>
31 #include "my_inttypes.h"
32 
33 class Basic_istream;
34 class Basic_ostream;
35 class THD;
36 
37 /**
38  @file rpl_log_encryption.h
39 
40  @brief This file includes the major components for encrypting/decrypting
41  binary log files.
42 
43  * Replication logs
44 
45  Here, replication logs includes both the binary and relay log files.
46 
47  * File Level Encryption
48 
49  - All standard binary log file data (including BINLOG_MAGIC) in replication
50  logs are encrypted.
51 
52  - A replication log file is either encrypted or not (standard binary log
53  file). It is not possible that part of a log file is encrypted and part
54  of it is non-encrypted.
55 
56  - There is an encryption header in the begin of each encrypted replication
57  log file.
58 
59  <pre>
60  +--------------------+
61  | Encryption Header |
62  +--------------------+
63  | Encrypted Data |
64  +--------------------+
65  </pre>
66 
67  The encrypted replication file header includes necessary information to
68  decrypt the encrypted data of the file (the standard binary log file
69  data). For detail, check Rpl_encryption_header class.
70 
71  * Two Tier Keys
72 
73  Replication logs are encrypted with two tier keys. A 'File Password' for
74  encrypting the standard binary log file data and a 'Replication Encryption
75  Key' for encrypting the 'File Password'.
76 
77  - File password
78 
79  Each replication log file has a password. A file key used to encrypt the
80  file is generated from the file password. The encrypted 'File Password'
81  is stored into encryption header of the file. For details, check
82  Rpl_encryption_header class.
83 
84  - Replication encryption key
85 
86  A replication encryption key is used to encrypt/decrypt the file
87  password stored in an encrypted replication file header. It is generated
88  by keyring and stored in/retrieved from keyring.
89 */
90 #ifdef MYSQL_SERVER
91 
92 /**
93  The Rpl_encryption class is the container for the binlog encryption feature
94  generic and server instance functions.
95 */
97  public:
99  std::string m_id;
101  };
102 
103  Rpl_encryption() = default;
104  Rpl_encryption(const Rpl_encryption &) = delete;
108 
109  enum class Keyring_status {
110  SUCCESS = 0,
112  KEY_NOT_FOUND = 2,
119  };
120  /**
121  A wrapper function to throw a binlog encryption keyring error.
122  The wrapper will decide if the error will be reported to the client session
123  or to the server error log according to current_thd.
124 
125  @param error The Keyring_status to be reported.
126  */
128  /**
129  A wrapper function to throw a replication logs encryption keyring error,
130  reporting also the key ID.
131  The wrapper will decide if the error will be reported to the client session
132  or to the server error log according to current_thd.
133 
134  @param error The Keyring_status to be reported.
135  @param key_id The key ID to appear in the error message.
136  */
137  static void report_keyring_error(Keyring_status error, const char *key_id);
138 
139  /**
140  Replication encryption master key rotation process is recoverable. The
141  steps defined in the enum class below are the steps from which the rotation
142  process may continue after an unexpected interruption.
143  */
144  enum class Key_rotation_step {
145  START,
150  ROTATE_LOGS,
153  };
154 
155  /**
156  Initialize the rpl_encryption instance. This initialization shall be called
157  after generating/loading the server UUID and before opening new binary and
158  relay log files for writing.
159 
160  When the replication_logs_encrypt option is on at server startup, the
161  initialization process will try to recover master key and may generate
162  a new replication master key if needed.
163 
164  @retval false Success.
165  @retval true Error.
166  */
167  bool initialize();
168  /**
169  Remove remaining old/new master key index in order to cleanup any previous
170  master key rotation.
171 
172  @retval false Success.
173  @retval true Error.
174  */
176  /**
177  Recover the replication encryption master key from keyring.
178 
179  The recovery of the master key process starts by trying to read the
180  replication master key information from keyring (the master key sequence
181  number, and the master key itself).
182 
183  Then, if detected that a key rotation did not completed properly, tries to
184  continue the master key rotation.
185 
186  When recovery is successful, the m_master_key_recovered flag is set true.
187 
188  @retval false Success.
189  @retval true Error.
190  */
191  bool recover_master_key();
192  /**
193  Return the current replication encryption master key.
194 
195  @return The current replication encryption master key.
196  */
197  const Rpl_encryption_key get_master_key();
198 
199  /**
200  Get the key with given key ID. The key to be returned will be retrieved
201  from the keyring or from a cached copy in memory.
202 
203  @param[in] key_id ID of the key to be returned.
204  @param[in] key_type Expected type of the key to be returned.
205 
206  @return A pair containing the status of the operation (Keyring_status) and
207  a Key_string. Errors shall be checked by consulting the status.
208  */
209  static std::pair<Keyring_status, Key_string> get_key(
210  const std::string &key_id, const std::string &key_type);
211 
212  /**
213  Get the key with given key ID. The key to be returned will be retrieved
214  from the keyring or from a cached copy in memory.
215 
216  @param[in] key_id ID of the key to be returned.
217  @param[in] key_type Expected type of the key to be returned.
218  @param[in] key_size Expected size of the key to be returned.
219 
220  @return A pair containing the status of the operation (Keyring_status) and
221  a Key_string. Errors shall be checked by consulting the status.
222  */
223  static std::pair<Keyring_status, Key_string> get_key(
224  const std::string &key_id, const std::string &key_type, size_t key_size);
225 
226  /**
227  Enable binlog encryption option. It will generate a new global key if
228  there is no master key yet. Then rotate replication logs to make encryption
229  effective immediately.
230 
231  Replication logs rotation errors don't fail, but they will throw a warning.
232 
233  @param[in] thd the thd object of the session.
234 
235  @retval false Success.
236  @retval true Error. If error happens when generating new key, it will fail.
237  */
238  bool enable(THD *thd);
239  /**
240  Disable binlog encryption option. It rotates replication logs to make
241  encryption ineffective immediately.
242 
243  Replication logs rotation errors don't fail, but they will throw a warning.
244 
245  @param[in] thd the thd object of the session.
246  */
247  void disable(THD *thd);
248  /**
249  Return is the replication logs encryption feature is enabled.
250 
251  @retval false The feature is disabled.
252  @retval true The feature is enabled.
253  */
254  bool is_enabled();
255  const bool &get_enabled_var();
257  /**
258  Purge unused master keys from Keyring.
259 
260  @retval false Success.
261  @retval true Error.
262  */
263  bool purge_unused_keys();
264  /**
265  Rotate the master key.
266 
267  @param step Step to start the process (it might be recovering).
268  @param new_master_key_seqno When recovering, this is the new master key
269  sequence number detected by recovery process.
270  @retval false Success.
271  @retval true Error.
272  */
274  uint32_t new_master_key_seqno = 0);
275 
276  private:
277  /* Define the keyring key type for keys storing sequence numbers */
278  static const char *SEQNO_KEY_TYPE;
279  /* Define the keyring key length for keys storing sequence numbers */
280  static const int SEQNO_KEY_LENGTH = 16;
281  /*
282  Sys_binlog_encryption uses m_enabled as the storage of global var
283  binlog_encryption.
284  */
285  bool m_enabled = false;
286  /*
287  Sys_binlog_rotate_encryption_master_key_at_startup uses
288  m_rotate_at_startup as the storage of global var
289  binlog_rotate_encryption_master_key_at_startup.
290  */
291  bool m_rotate_at_startup = false;
292 #ifndef NDEBUG
293  /*
294  This variable is only used to assert that enable(), disable() and
295  get_master_key() functions are called only after initialize() was called.
296  */
297  bool m_initialized = false;
298 #endif
299  /*
300  The replication logs encryption only needs to recover the current
301  replication master key if the binlog_encryption option is enabled.
302 
303  This flag will be set true after a successful replication master key
304  recovery.
305  */
307  /* The sequence number of the replication master key. */
308  uint32_t m_master_key_seqno = 0;
309  /* The current replication master key */
311  /*
312  Flag to avoid double logs rotation when enabling the option and
313  recovering from master key rotation.
314  */
315  bool m_skip_logs_rotation = false;
316 
317  /**
318  Fetch a key from keyring. When error happens, it either reports an error to
319  user or write an error to log accordingly.
320 
321  @param[in] key_id ID of the key to be returned.
322  @param[in] key_type Expected type of the key to be returned.
323 
324  @return A tuple containing the status of the operation (Keyring_status), a
325  pointer to the fetched key (nullptr if the key was not fetched) and
326  the returned key size. Errors shall be checked by consulting the
327  status.
328  */
329  static std::tuple<Keyring_status, void *, size_t> fetch_key_from_keyring(
330  const std::string &key_id, const std::string &key_type);
331 
332  /**
333  Rotate replication logs excluding relay logs of group replication channels.
334  If error happens, it will either report a warning to session user.
335 
336  @param[in] thd The thd object of current session.
337  */
338  void rotate_logs(THD *thd);
339 
340  /**
341  Get a sequence number from the keyring. The sequence number to be returned
342  will be extracted from the key retrieved from the keyring. No caching shall
343  be used for this function.
344 
345  @param[in] key_id ID of the key to extract the sequence number from.
346 
347  @return A pair containing the status of the operation (Keyring_status) and
348  a sequence number. Errors shall be checked by consulting the status.
349  */
350  std::pair<Rpl_encryption::Keyring_status, uint32_t> get_seqno_from_keyring(
351  std::string key_id);
352  /**
353  Set a sequence number into a key and store it into keyring.
354 
355  @param[in] key_id ID of the key to set the sequence number.
356  @param[in] seqno The sequence number to be set.
357 
358  @retval false Success.
359  @retval true Error.
360  */
361  bool set_seqno_on_keyring(std::string key_id, uint32_t seqno);
362  /**
363  Remove a key from the keyring.
364 
365  @param[in] key_id ID of the key to be removed from keyring.
366 
367  @retval false Success.
368  @retval true Error.
369  */
370  bool remove_key_from_keyring(std::string key_id);
371  /**
372  Returns the key ID of the keyring key that stores the master key sequence
373  number.
374 
375  @return The key ID.
376  */
377  std::string get_master_key_seqno_key_id();
378  /**
379  Get the master key sequence number from keyring.
380 
381  @return A pair containing the status of the operation (Keyring_status) and
382  a sequence number. Errors shall be checked by consulting the status.
383  */
384  std::pair<Rpl_encryption::Keyring_status, uint32_t>
386  /**
387  Set the master key sequence number into a key and store it into keyring.
388 
389  @retval false Success.
390  @retval true Error.
391  */
393  /**
394  Remove the master key sequence number key from the keyring.
395 
396  @retval false Success.
397  @retval true Error.
398  */
400  /**
401  Returns the key ID of the keyring key that stores the "new" master key
402  sequence number.
403 
404  @return The key ID.
405  */
406  std::string get_new_master_key_seqno_key_id();
407  /**
408  Returns the key ID of the keyring key that stores the "last_purged"
409  master key sequence number.
410 
411  @return The key ID.
412  */
414  /**
415  Returns the key ID of the keyring key that stores the "old" master key
416  sequence number.
417 
418  @return The key ID.
419  */
420  std::string get_old_master_key_seqno_key_id();
421  /**
422  Get the "new" master key sequence number from keyring.
423 
424  @return A pair containing the status of the operation (Keyring_status) and
425  a sequence number. Errors shall be checked by consulting the status.
426  */
427  std::pair<Rpl_encryption::Keyring_status, uint32_t>
429  /**
430  Get the "old" master key sequence number from keyring.
431 
432  @return A pair containing the status of the operation (Keyring_status) and
433  a sequence number. Errors shall be checked by consulting the status.
434  */
435  std::pair<Rpl_encryption::Keyring_status, uint32_t>
437  /**
438  Get the "last_purged" master key sequence number from keyring.
439 
440  @return A pair containing the status of the operation (Keyring_status) and
441  a sequence number. Errors shall be checked by consulting the status.
442  */
443  std::pair<Rpl_encryption::Keyring_status, uint32_t>
445  /**
446  Set the "new" master key sequence number into a key and store it into
447  keyring.
448 
449  @retval false Success.
450  @retval true Error.
451  */
453  /**
454  Set the "last_purged" master key sequence number into a key and store it
455  into keyring.
456 
457  @retval false Success.
458  @retval true Error.
459  */
461  /**
462  Set the "old" master key sequence number into a key and store it into
463  keyring.
464 
465  @retval false Success.
466  @retval true Error.
467  */
469  /**
470  Remove the "new" master key sequence number key from the keyring.
471 
472  @retval false Success.
473  @retval true Error.
474  */
476  /**
477  Remove the "last_purged" master key sequence number key from the keyring.
478 
479  @retval false Success.
480  @retval true Error.
481  */
483  /**
484  Remove the "old" master key sequence number key from the keyring.
485 
486  @retval false Success.
487  @retval true Error.
488  */
490  /**
491  Generate a new replication master key on keyring and retrieve it.
492 
493  @param[in] seqno The sequence number of the master key.
494 
495  @retval false Success.
496  @retval true Error.
497  */
499 };
500 
502 #endif // MYSQL_SERVER
503 
504 /**
505  @class Rpl_encryption_header
506 
507  This is the base class to serialize and deserialize a replication log file
508  encryption header.
509 
510  The new encrypted binary log file format is composed of two parts:
511 
512  <pre>
513  +---------------------+
514  | Encryption Header |
515  +---------------------+
516  | Encrypted Data |
517  +---------------------+
518  </pre>
519 
520  The encryption header exists only in the begin of encrypted replication log
521  files.
522 
523  <pre>
524  +------------------------+----------------------------------------------+
525  | MAGIC HEADER (4 bytes) | Replication logs encryption version (1 byte) |
526  +------------------------+----------------------------------------------+
527  | Version specific encryption header data |
528  +-----------------------------------------------------------------------+
529  Encryption Header Format
530  </pre>
531 
532  <table>
533  <caption>Encryption Header Format</caption>
534  <tr>
535  <th>Name</th>
536  <th>Format</th>
537  <th>Description</th>
538  </tr>
539  <tr>
540  <td>Magic Header</td>
541  <td>4 Bytes</td>
542  <td>
543  The content is always 0xFD62696E. It is similar to Binlog Magic Header.
544  Binlog magic header is: 0xFE62696e.
545  </td>
546  <tr>
547  <td>Replication logs encryption version</td>
548  <td>1 Byte</td>
549  <td>
550  The replication logs encryption version defines how the header shall be
551  deserialized and how the Encrypted Data shall be decrypted.
552  </td>
553  </tr>
554  <tr>
555  <td>Version specific encryption data header</td>
556  <td>Depends on the version field</td>
557  <td>
558  Data required to fetch a replication key from keyring and deserialize
559  the Encrypted Data.
560  </td>
561  </tr>
562  </table>
563 */
565  public:
566  /* Same as BINLOG_MAGIC_SIZE */
567  static const int ENCRYPTION_MAGIC_SIZE = 4;
568  /* The magic for an encrypted replication log file */
569  static const char *ENCRYPTION_MAGIC;
570 
571  virtual ~Rpl_encryption_header();
572 
573  /**
574  Deserialize the replication encrypted log file header from the given stream.
575  This function shall be called right after reading the magic from the stream.
576  It will read the version of the encrypted log file header, instantiate a
577  proper Rpl_encryption_header based on version and delegate the rest of the
578  header deserialization to the new instance.
579 
580  @param istream The stream containing the header to deserialize.
581 
582  @return A Rpl_encryption_header on success or nullptr on failure.
583  */
584  static std::unique_ptr<Rpl_encryption_header> get_header(
585  Basic_istream *istream);
586  /**
587  Generate a new replication encryption header based on the default
588  replication encrypted log file header version.
589 
590  @return A Rpl_encryption_header of default version.
591  */
592  static std::unique_ptr<Rpl_encryption_header> get_new_default_header();
593  /**
594  Serialize the header into an output stream.
595 
596  @param ostream The output stream to serialize the header.
597 
598  @retval false Success.
599  @retval true Error.
600  */
601  virtual bool serialize(Basic_ostream *ostream) = 0;
602  /**
603  Deserialize encryption header from a stream.
604 
605  @param[in] istream The input stream for deserializing the encryption
606  header.
607 
608  @retval false Success.
609  @retval true Error.
610  */
611  virtual bool deserialize(Basic_istream *istream) = 0;
612  /**
613  Get the header version.
614 
615  @return The header version.
616  */
617  virtual char get_version() const = 0;
618  /**
619  Return the header size to be taken into account when serializing an
620  deserializing encrypted file headers from replication log files.
621 
622  @return The size of the header for the header version.
623  */
624  virtual int get_header_size() = 0;
625  /**
626  Decrypt the file password.
627  */
629  /**
630  Factory to generate ciphers to encrypt streams based on current header.
631 
632  @return A Stream_cipher for this header version or nullptr on failure.
633  */
634  virtual std::unique_ptr<Stream_cipher> get_encryptor() = 0;
635  /**
636  Factory to generate ciphers to decrypt streams based on current header.
637 
638  @return A Stream_cipher for this header version or nullptr on failure.
639  */
640  virtual std::unique_ptr<Stream_cipher> get_decryptor() = 0;
641  /**
642  Setup the header with current master key and generates a new random file
643  password. This function shall be called when creating new replication
644  log files.
645 
646  @return The new file password, or an empty password if error happens.
647  */
649 #ifdef MYSQL_SERVER
650  /**
651  Encrypt a file password using current replication encryption master key.
652 
653  @param[in] password_str The plain file password.
654 
655  @retval false Success.
656  @retval true Error.
657  */
658  virtual bool encrypt_file_password(Key_string password_str) = 0;
659 #endif
660  /**
661  Build a key id prefix using default header version.
662 
663  @return A key ID prefix.
664  */
665  static std::string key_id_prefix();
666  /**
667  Build a key id using the given sequence number using default header version.
668 
669  @param[in] seqno The sequence number used to build key id.
670 
671  @return A key ID with a sequence number.
672  */
673  static std::string seqno_to_key_id(uint32_t seqno);
674  /**
675  Build a key id using the given suffix using default header version.
676 
677  @param[in] suffix The suffix used to build key id.
678 
679  @return A key ID with a suffix.
680  */
681  static std::string key_id_with_suffix(const char *suffix);
682  /**
683  Return the default header version encryption key type.
684 
685  @return The encrypted key type.
686  */
687  static const char *get_key_type();
688 
689  protected:
690  /* Offset of the version field in the header */
692  /* Size of the version field in the header */
693  static const int VERSION_SIZE = 1;
694  /* Offset of the optional header fields in the header */
696 
697  private:
698  /* The default header version for new headers */
699  static const char m_default_version = 1;
700 };
701 
702 /**
703  @class Rpl_encryption_header_v1
704 
705  <pre>
706  +------------------------+----------------------------------------------+
707  | MAGIC HEADER (4 bytes) | Replication logs encryption version (1 byte) |
708  +------------------------+----------------------------------------------+
709  | Replication Encryption Key ID (60 to 69 bytes) |
710  +-----------------------------------------------------------------------+
711  | Encrypted File Password (33 bytes) |
712  +-----------------------------------------------------------------------+
713  | IV For Encrypting File Password (17 bytes) |
714  +-----------------------------------------------------------------------+
715  | Padding (388 to 397 bytes) |
716  +-----------------------------------------------------------------------+
717  Encrypted binary log file header format version 1
718  </pre>
719 
720  <table>
721  <caption>Encrypted binary log file header format version 1</caption>
722  <tr>
723  <th>Name</th>
724  <th>Format</th>
725  <th>Description</th>
726  </tr>
727  <tr>
728  <td>Replication Encryption Key ID</td>
729  <td>
730  Variable length field that uses Type, Length, Value (TLV) format. Type
731  takes 1 byte. Length takes 1 byte. Values takes Length bytes.
732  </td>
733  <td>
734  ID of the key that shall be retrieved from keyring to be used to decrypt
735  the file password field.
736  </td>
737  </tr>
738  <tr>
739  <td>Encrypted File Password</td>
740  <td>
741  Fixed length field that uses Type, Value format. Type takes 1 byte.
742  Value takes 32 bytes.</td>
743  <td>It is the encrypted file password.</td>
744  </tr>
745  <tr>
746  <td>IV for Encrypting File Password</td>
747  <td>
748  Fixed length field that uses Type, Value format. Type takes 1 byte.
749  Value takes 16 bytes.</td>
750  <td>
751  The iv, together with the key, is used to encrypt/decrypt the
752  file password.
753  </td>
754  </tr>
755  <tr>
756  <td>Padding</td>
757  <td>Variable length, all bytes are 0.</td>
758  <td>
759  Encryption header has 512 bytes. Above fields don't take all bytes. All
760  unused bytes are filled with 0 as padding.
761  </td>
762  </tr>
763  </table>
764 */
766  public:
767  static const char *KEY_TYPE;
768  static const int KEY_LENGTH = 32;
769  static const int HEADER_SIZE = 512;
770  static const int IV_FIELD_SIZE = 16;
771  static const int PASSWORD_FIELD_SIZE = 32;
772 
774 
775  ~Rpl_encryption_header_v1() override;
776 
777  bool serialize(Basic_ostream *ostream) override;
778  bool deserialize(Basic_istream *istream) override;
779  char get_version() const override;
780  int get_header_size() override;
782  std::unique_ptr<Stream_cipher> get_encryptor() override;
783  std::unique_ptr<Stream_cipher> get_decryptor() override;
785 #ifdef MYSQL_SERVER
786  bool encrypt_file_password(Key_string password_str) override;
787 #endif
788 
789  /**
790  Build a key id prefix.
791  */
792  static std::string key_id_prefix();
793  /**
794  Build a key id using the given sequence number.
795 
796  @param[in] seqno The sequence number used to build key id.
797  */
798  static std::string seqno_to_key_id(uint32_t seqno);
799  /**
800  Build a key id using the given suffix.
801 
802  @param[in] suffix The suffix used to build key id.
803  */
804  static std::string key_id_with_suffix(const char *suffix);
805 
806  private:
807  /* The prefix for key IDs */
808  static const char *KEY_ID_PREFIX;
809  /* Expected field types */
810  enum Field_type {
811  KEY_ID = 1,
814  };
815  /* This header implementation version */
816  char m_version = 1;
817  /* The key ID of the keyring key that encrypted the password */
818  std::string m_key_id;
819  /* The encrypted file password */
821  /* The IV used to encrypt/decrypt the file password */
823 };
824 #endif // RPL_LOG_ENCRYPTION_INCLUDED
The abstract class for basic byte input streams which provides read operations.
Definition: basic_istream.h:32
The abstract class for basic output streams which provides write operation.
Definition: basic_ostream.h:34
Definition: rpl_log_encryption.h:765
static std::string seqno_to_key_id(uint32_t seqno)
Build a key id using the given sequence number.
Definition: rpl_log_encryption.cc:1259
~Rpl_encryption_header_v1() override
Definition: rpl_log_encryption.cc:1035
@ KEY_ID
Definition: rpl_log_encryption.h:811
@ IV_FOR_FILE_PASSWORD
Definition: rpl_log_encryption.h:813
@ ENCRYPTED_FILE_PASSWORD
Definition: rpl_log_encryption.h:812
Key_string decrypt_file_password() override
Decrypt the file password.
Definition: rpl_log_encryption.cc:1164
static std::string key_id_with_suffix(const char *suffix)
Build a key id using the given suffix.
Definition: rpl_log_encryption.cc:1268
static const int PASSWORD_FIELD_SIZE
Definition: rpl_log_encryption.h:771
static const int HEADER_SIZE
Definition: rpl_log_encryption.h:769
Key_string m_encrypted_password
Definition: rpl_log_encryption.h:820
bool serialize(Basic_ostream *ostream) override
Serialize the header into an output stream.
Definition: rpl_log_encryption.cc:1037
bool encrypt_file_password(Key_string password_str) override
Encrypt a file password using current replication encryption master key.
Definition: rpl_log_encryption.cc:1199
Rpl_encryption_header_v1()=default
char m_version
Definition: rpl_log_encryption.h:816
static const char * KEY_TYPE
Definition: rpl_log_encryption.h:767
Key_string m_iv
Definition: rpl_log_encryption.h:822
std::string m_key_id
Definition: rpl_log_encryption.h:818
std::unique_ptr< Stream_cipher > get_encryptor() override
Factory to generate ciphers to encrypt streams based on current header.
Definition: rpl_log_encryption.cc:1190
static const int KEY_LENGTH
Definition: rpl_log_encryption.h:768
static const int IV_FIELD_SIZE
Definition: rpl_log_encryption.h:770
std::unique_ptr< Stream_cipher > get_decryptor() override
Factory to generate ciphers to decrypt streams based on current header.
Definition: rpl_log_encryption.cc:1194
static std::string key_id_prefix()
Build a key id prefix.
Definition: rpl_log_encryption.cc:1251
Key_string generate_new_file_password() override
Setup the header with current master key and generates a new random file password.
Definition: rpl_log_encryption.cc:1230
int get_header_size() override
Return the header size to be taken into account when serializing an deserializing encrypted file head...
Definition: rpl_log_encryption.cc:1160
bool deserialize(Basic_istream *istream) override
Deserialize encryption header from a stream.
Definition: rpl_log_encryption.cc:1065
static const char * KEY_ID_PREFIX
Definition: rpl_log_encryption.h:808
char get_version() const override
Get the header version.
Definition: rpl_log_encryption.cc:1158
This is the base class to serialize and deserialize a replication log file encryption header.
Definition: rpl_log_encryption.h:564
static const char * get_key_type()
Return the default header version encryption key type.
Definition: rpl_log_encryption.cc:1028
virtual std::unique_ptr< Stream_cipher > get_encryptor()=0
Factory to generate ciphers to encrypt streams based on current header.
static const int VERSION_SIZE
Definition: rpl_log_encryption.h:693
static const int VERSION_OFFSET
Definition: rpl_log_encryption.h:691
virtual ~Rpl_encryption_header()
Definition: rpl_log_encryption.cc:959
static std::unique_ptr< Rpl_encryption_header > get_header(Basic_istream *istream)
Deserialize the replication encrypted log file header from the given stream.
Definition: rpl_log_encryption.cc:972
static std::string seqno_to_key_id(uint32_t seqno)
Build a key id using the given sequence number using default header version.
Definition: rpl_log_encryption.cc:1020
static std::unique_ptr< Rpl_encryption_header > get_new_default_header()
Generate a new replication encryption header based on the default replication encrypted log file head...
Definition: rpl_log_encryption.cc:1010
virtual Key_string generate_new_file_password()=0
Setup the header with current master key and generates a new random file password.
virtual bool serialize(Basic_ostream *ostream)=0
Serialize the header into an output stream.
virtual int get_header_size()=0
Return the header size to be taken into account when serializing an deserializing encrypted file head...
virtual std::unique_ptr< Stream_cipher > get_decryptor()=0
Factory to generate ciphers to decrypt streams based on current header.
static std::string key_id_with_suffix(const char *suffix)
Build a key id using the given suffix using default header version.
Definition: rpl_log_encryption.cc:1024
static const char * ENCRYPTION_MAGIC
Definition: rpl_log_encryption.h:569
static const int ENCRYPTION_MAGIC_SIZE
Definition: rpl_log_encryption.h:567
static const int OPTIONAL_FIELD_OFFSET
Definition: rpl_log_encryption.h:695
static const char m_default_version
Definition: rpl_log_encryption.h:699
virtual bool deserialize(Basic_istream *istream)=0
Deserialize encryption header from a stream.
virtual Key_string decrypt_file_password()=0
Decrypt the file password.
virtual char get_version() const =0
Get the header version.
static std::string key_id_prefix()
Build a key id prefix using default header version.
Definition: rpl_log_encryption.cc:1016
virtual bool encrypt_file_password(Key_string password_str)=0
Encrypt a file password using current replication encryption master key.
The Rpl_encryption class is the container for the binlog encryption feature generic and server instan...
Definition: rpl_log_encryption.h:96
Rpl_encryption_key m_master_key
Definition: rpl_log_encryption.h:310
static const char * SEQNO_KEY_TYPE
Definition: rpl_log_encryption.h:278
static std::tuple< Keyring_status, void *, size_t > fetch_key_from_keyring(const std::string &key_id, const std::string &key_type)
Fetch a key from keyring.
Definition: rpl_log_encryption.cc:467
bool remove_old_master_key_seqno_from_keyring()
Remove the "old" master key sequence number key from the keyring.
Definition: rpl_log_encryption.cc:904
uint32_t m_master_key_seqno
Definition: rpl_log_encryption.h:308
Rpl_encryption(Rpl_encryption &&)=delete
bool enable(THD *thd)
Enable binlog encryption option.
Definition: rpl_log_encryption.cc:404
std::string get_master_key_seqno_key_id()
Returns the key ID of the keyring key that stores the master key sequence number.
Definition: rpl_log_encryption.cc:815
bool remove_new_master_key_seqno_from_keyring()
Remove the "new" master key sequence number key from the keyring.
Definition: rpl_log_encryption.cc:892
void disable(THD *thd)
Disable binlog encryption option.
Definition: rpl_log_encryption.cc:436
bool purge_unused_keys()
Purge unused master keys from Keyring.
Definition: rpl_log_encryption.cc:505
bool m_initialized
Definition: rpl_log_encryption.h:297
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_last_purged_master_key_seqno_from_keyring()
Get the "last_purged" master key sequence number from keyring.
Definition: rpl_log_encryption.cc:868
static void report_keyring_error(Keyring_status error)
A wrapper function to throw a binlog encryption keyring error.
Definition: rpl_log_encryption.cc:48
bool recover_master_key()
Recover the replication encryption master key from keyring.
Definition: rpl_log_encryption.cc:192
std::string get_new_master_key_seqno_key_id()
Returns the key ID of the keyring key that stores the "new" master key sequence number.
Definition: rpl_log_encryption.cc:838
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_master_key_seqno_from_keyring()
Get the master key sequence number from keyring.
Definition: rpl_log_encryption.cc:820
Rpl_encryption & operator=(Rpl_encryption &&)=delete
Keyring_status
Definition: rpl_log_encryption.h:109
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_seqno_from_keyring(std::string key_id)
Get a sequence number from the keyring.
Definition: rpl_log_encryption.cc:740
bool set_last_purged_master_key_seqno_on_keyring(uint32 seqno)
Set the "last_purged" master key sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:880
Key_rotation_step
Replication encryption master key rotation process is recoverable.
Definition: rpl_log_encryption.h:144
Rpl_encryption()=default
bool remove_key_from_keyring(std::string key_id)
Remove a key from the keyring.
Definition: rpl_log_encryption.cc:786
bool m_master_key_recovered
Definition: rpl_log_encryption.h:306
bool set_master_key_seqno_on_keyring(uint32 seqno)
Set the master key sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:826
bool m_rotate_at_startup
Definition: rpl_log_encryption.h:291
bool generate_master_key_on_keyring(uint32 seqno)
Generate a new replication master key on keyring and retrieve it.
Definition: rpl_log_encryption.cc:910
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_new_master_key_seqno_from_keyring()
Get the "new" master key sequence number from keyring.
Definition: rpl_log_encryption.cc:854
bool remove_last_purged_master_key_seqno_from_keyring()
Remove the "last_purged" master key sequence number key from the keyring.
Definition: rpl_log_encryption.cc:898
bool rotate_master_key(Key_rotation_step step=Key_rotation_step::START, uint32_t new_master_key_seqno=0)
Rotate the master key.
Definition: rpl_log_encryption.cc:568
bool set_new_master_key_seqno_on_keyring(uint32 seqno)
Set the "new" master key sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:874
void rotate_logs(THD *thd)
Rotate replication logs excluding relay logs of group replication channels.
Definition: rpl_log_encryption.cc:731
static std::pair< Keyring_status, Key_string > get_key(const std::string &key_id, const std::string &key_type)
Get the key with given key ID.
Definition: rpl_log_encryption.cc:370
Rpl_encryption & operator=(const Rpl_encryption &)=delete
Rpl_encryption(const Rpl_encryption &)=delete
std::string get_last_purged_master_key_seqno_key_id()
Returns the key ID of the keyring key that stores the "last_purged" master key sequence number.
Definition: rpl_log_encryption.cc:843
bool is_enabled()
Return is the replication logs encryption feature is enabled.
Definition: rpl_log_encryption.cc:449
bool set_old_master_key_seqno_on_keyring(uint32 seqno)
Set the "old" master key sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:886
const bool & get_enabled_var()
Definition: rpl_log_encryption.cc:458
const bool & get_master_key_rotation_at_startup_var()
Definition: rpl_log_encryption.cc:460
bool initialize()
Initialize the rpl_encryption instance.
Definition: rpl_log_encryption.cc:105
bool remove_master_key_seqno_from_keyring()
Remove the master key sequence number key from the keyring.
Definition: rpl_log_encryption.cc:832
static const int SEQNO_KEY_LENGTH
Definition: rpl_log_encryption.h:280
bool remove_remaining_seqnos_from_keyring()
Remove remaining old/new master key index in order to cleanup any previous master key rotation.
Definition: rpl_log_encryption.cc:130
const Rpl_encryption_key get_master_key()
Return the current replication encryption master key.
Definition: rpl_log_encryption.cc:361
bool set_seqno_on_keyring(std::string key_id, uint32_t seqno)
Set a sequence number into a key and store it into keyring.
Definition: rpl_log_encryption.cc:752
bool m_enabled
Definition: rpl_log_encryption.h:285
std::pair< Rpl_encryption::Keyring_status, uint32_t > get_old_master_key_seqno_from_keyring()
Get the "old" master key sequence number from keyring.
Definition: rpl_log_encryption.cc:861
std::string get_old_master_key_seqno_key_id()
Returns the key ID of the keyring key that stores the "old" master key sequence number.
Definition: rpl_log_encryption.cc:848
bool m_skip_logs_rotation
Definition: rpl_log_encryption.h:315
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_class.h:821
static int key_type
Definition: mi_test1.cc:38
Some integer typedefs for easier portability.
uint32_t uint32
Definition: my_inttypes.h:66
Rpl_encryption rpl_encryption
Definition: rpl_log_encryption.cc:46
This file includes core components for encrypting/decrypting binary log files.
std::basic_string< unsigned char > Key_string
Definition: stream_cipher.h:37
Definition: sql_resultset.h:33
Definition: rpl_log_encryption.h:98
Key_string m_value
Definition: rpl_log_encryption.h:100
std::string m_id
Definition: rpl_log_encryption.h:99