1 /* Copyright (C) 2015 MariaDB
2 
3    This program is free software; you can redistribute it and/or modify
4    it under the terms of the GNU General Public License as published by
5    the Free Software Foundation; version 2 of the License.
6 
7    This program is distributed in the hope that it will be useful,
8    but WITHOUT ANY WARRANTY; without even the implied warranty of
9    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
10    GNU General Public License for more details.
11 
12    You should have received a copy of the GNU General Public License
13    along with this program; if not, write to the Free Software
14    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335  USA */
15 
16 #include "mariadb.h"
17 #include <mysql/plugin_encryption.h>
18 #include "log.h"
19 #include "sql_plugin.h"
20 #include <my_crypt.h>
21 
22 /* there can be only one encryption plugin enabled */
23 static plugin_ref encryption_manager= 0;
24 struct encryption_service_st encryption_handler;
25 
26 extern "C" {
27 
no_get_key(uint,uint,uchar *,uint *)28 uint no_get_key(uint, uint, uchar*, uint*)
29 {
30   return ENCRYPTION_KEY_VERSION_INVALID;
31 }
no_key(uint)32 uint no_key(uint)
33 {
34   return ENCRYPTION_KEY_VERSION_INVALID;
35 }
zero_size(uint,uint)36 uint zero_size(uint,uint)
37 {
38   return 0;
39 }
40 
ctx_init(void * ctx,const unsigned char * key,unsigned int klen,const unsigned char * iv,unsigned int ivlen,int flags,unsigned int key_id,unsigned int key_version)41 static int ctx_init(void *ctx, const unsigned char* key, unsigned int klen,
42                     const unsigned char* iv, unsigned int ivlen, int flags,
43                     unsigned int key_id, unsigned int key_version)
44 {
45   return my_aes_crypt_init(ctx, MY_AES_CBC, flags, key, klen, iv, ivlen);
46 }
47 
get_length(unsigned int slen,unsigned int key_id,unsigned int key_version)48 static unsigned int get_length(unsigned int slen, unsigned int key_id,
49                                unsigned int key_version)
50 {
51   return my_aes_get_size(MY_AES_CBC, slen);
52 }
53 
ctx_size(unsigned int,unsigned int)54 uint ctx_size(unsigned int, unsigned int)
55 {
56   return MY_AES_CTX_SIZE;
57 }
58 
59 } /* extern "C" */
60 
initialize_encryption_plugin(st_plugin_int * plugin)61 int initialize_encryption_plugin(st_plugin_int *plugin)
62 {
63   if (encryption_manager)
64     return 1;
65 
66   if (plugin->plugin->init && plugin->plugin->init(plugin))
67   {
68     sql_print_error("Plugin '%s' init function returned error.",
69                     plugin->name.str);
70     return 1;
71   }
72 
73   encryption_manager= plugin_lock(NULL, plugin_int_to_ref(plugin));
74   st_mariadb_encryption *handle=
75     (struct st_mariadb_encryption*) plugin->plugin->info;
76 
77   /*
78     Compiler on Spark doesn't like the '?' operator here as it
79     believes the (uint (*)...) implies the C++ call model.
80   */
81   if (handle->crypt_ctx_size)
82     encryption_handler.encryption_ctx_size_func= handle->crypt_ctx_size;
83   else
84     encryption_handler.encryption_ctx_size_func= ctx_size;
85 
86   encryption_handler.encryption_ctx_init_func=
87     handle->crypt_ctx_init ? handle->crypt_ctx_init : ctx_init;
88 
89   encryption_handler.encryption_ctx_update_func=
90     handle->crypt_ctx_update ? handle->crypt_ctx_update : my_aes_crypt_update;
91 
92   encryption_handler.encryption_ctx_finish_func=
93     handle->crypt_ctx_finish ? handle->crypt_ctx_finish : my_aes_crypt_finish;
94 
95   encryption_handler.encryption_encrypted_length_func=
96     handle->encrypted_length ? handle->encrypted_length : get_length;
97 
98   encryption_handler.encryption_key_get_func=
99     handle->get_key;
100 
101   encryption_handler.encryption_key_get_latest_version_func=
102     handle->get_latest_key_version; // must be the last
103 
104   return 0;
105 }
106 
finalize_encryption_plugin(st_plugin_int * plugin)107 int finalize_encryption_plugin(st_plugin_int *plugin)
108 {
109   bool used= plugin_ref_to_int(encryption_manager) == plugin;
110 
111   if (used)
112   {
113     encryption_handler.encryption_key_get_func= no_get_key;
114     encryption_handler.encryption_key_get_latest_version_func= no_key;
115     encryption_handler.encryption_ctx_size_func= zero_size;
116   }
117 
118   if (plugin && plugin->plugin->deinit && plugin->plugin->deinit(NULL))
119   {
120     DBUG_PRINT("warning", ("Plugin '%s' deinit function returned error.",
121                            plugin->name.str));
122   }
123 
124   if (used)
125   {
126     plugin_unlock(NULL, encryption_manager);
127     encryption_manager= 0;
128   }
129   return 0;
130 }
131 
132 /******************************************************************
133   Encryption Scheme service
134 ******************************************************************/
scheme_get_key(st_encryption_scheme * scheme,st_encryption_scheme_key * key)135 static uint scheme_get_key(st_encryption_scheme *scheme,
136                            st_encryption_scheme_key *key)
137 {
138   if (scheme->locker)
139     scheme->locker(scheme, 0);
140 
141   // Check if we already have key
142   for (uint i = 0; i < array_elements(scheme->key); i++)
143   {
144     if (scheme->key[i].version == 0) // no more keys
145       break;
146 
147     if (scheme->key[i].version == key->version)
148     {
149       *key= scheme->key[i];
150       if (scheme->locker)
151         scheme->locker(scheme, 1);
152       return 0;
153     }
154   }
155 
156   // Not found!
157   scheme->keyserver_requests++;
158 
159   uchar global_key[MY_AES_MAX_KEY_LENGTH];
160   uint  global_key_len= sizeof(global_key), key_len;
161 
162   uint rc = encryption_key_get(scheme->key_id, key->version,
163                               global_key, & global_key_len);
164   if (rc)
165     goto ret;
166 
167   /* Now generate the local key by encrypting IV using the global key */
168   rc = my_aes_crypt(MY_AES_ECB, ENCRYPTION_FLAG_ENCRYPT | ENCRYPTION_FLAG_NOPAD,
169                     scheme->iv, sizeof(scheme->iv), key->key, &key_len,
170                     global_key, global_key_len, NULL, 0);
171 
172   DBUG_ASSERT(key_len == sizeof(key->key));
173 
174   if (rc)
175     goto ret;
176 
177   // Rotate keys to make room for a new
178   for (uint i = array_elements(scheme->key) - 1; i; i--)
179     scheme->key[i] = scheme->key[i - 1];
180 
181   scheme->key[0]= *key;
182 
183 ret:
184   if (scheme->locker)
185     scheme->locker(scheme, 1);
186   return rc;
187 }
188 
do_crypt(const unsigned char * src,unsigned int slen,unsigned char * dst,unsigned int * dlen,struct st_encryption_scheme * scheme,unsigned int key_version,unsigned int i32_1,unsigned int i32_2,unsigned long long i64,int flag)189 int do_crypt(const unsigned char* src, unsigned int slen,
190              unsigned char* dst, unsigned int* dlen,
191              struct st_encryption_scheme *scheme,
192              unsigned int key_version, unsigned int i32_1,
193              unsigned int i32_2, unsigned long long i64,
194              int flag)
195 {
196   compile_time_assert(ENCRYPTION_SCHEME_KEY_INVALID ==
197                       (int)ENCRYPTION_KEY_VERSION_INVALID);
198 
199   // Maybe temporal solution for MDEV-8173
200   // Rationale: scheme->type is currently global/object
201   // and when used here might not represent actual state
202   // of smaller granularity objects e.g. InnoDB page state
203   // as type is stored to tablespace (FIL) and could represent
204   // state where key rotation is trying to reach
205   //DBUG_ASSERT(scheme->type == 1);
206 
207   if (key_version == ENCRYPTION_KEY_VERSION_INVALID ||
208       key_version == ENCRYPTION_KEY_NOT_ENCRYPTED)
209     return ENCRYPTION_SCHEME_KEY_INVALID;
210 
211   st_encryption_scheme_key key;
212   key.version= key_version;
213   uint rc= scheme_get_key(scheme, &key);
214   if (rc)
215     return (int)rc;
216 
217   unsigned char iv[4 + 4 + 8];
218   int4store(iv + 0, i32_1);
219   int4store(iv + 4, i32_2);
220   int8store(iv + 8, i64);
221 
222   return encryption_crypt(src, slen, dst, dlen, key.key, sizeof(key.key),
223                           iv, sizeof(iv), flag, scheme->key_id, key_version);
224 }
225 
encryption_scheme_encrypt(const unsigned char * src,unsigned int slen,unsigned char * dst,unsigned int * dlen,struct st_encryption_scheme * scheme,unsigned int key_version,unsigned int i32_1,unsigned int i32_2,unsigned long long i64)226 int encryption_scheme_encrypt(const unsigned char* src, unsigned int slen,
227                               unsigned char* dst, unsigned int* dlen,
228                               struct st_encryption_scheme *scheme,
229                               unsigned int key_version, unsigned int i32_1,
230                               unsigned int i32_2, unsigned long long i64)
231 {
232   return do_crypt(src, slen, dst, dlen, scheme, key_version, i32_1,
233                   i32_2, i64, ENCRYPTION_FLAG_NOPAD | ENCRYPTION_FLAG_ENCRYPT);
234 }
235 
236 
encryption_scheme_decrypt(const unsigned char * src,unsigned int slen,unsigned char * dst,unsigned int * dlen,struct st_encryption_scheme * scheme,unsigned int key_version,unsigned int i32_1,unsigned int i32_2,unsigned long long i64)237 int encryption_scheme_decrypt(const unsigned char* src, unsigned int slen,
238                               unsigned char* dst, unsigned int* dlen,
239                               struct st_encryption_scheme *scheme,
240                               unsigned int key_version, unsigned int i32_1,
241                               unsigned int i32_2, unsigned long long i64)
242 {
243   return do_crypt(src, slen, dst, dlen, scheme, key_version, i32_1,
244                   i32_2, i64, ENCRYPTION_FLAG_NOPAD | ENCRYPTION_FLAG_DECRYPT);
245 }
246