From 180c44e0f600dc9e220887e213679f0d60f29a68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Lindstr=C3=B6m?= Date: Wed, 23 Sep 2015 10:15:38 +0300 Subject: [PATCH] MDEV-8817: Failing assertion: new_state->key_version != ENCRYPTION_KEY_VERSION_INVALID Folloup: Made encryption rules too strict (and incorrect). Allow creating table with ENCRYPTED=OFF with all values of ENCRYPTION_KEY_ID but create warning that nondefault values are ignored. Allow creating table with ENCRYPTED=DEFAULT if used key_id is found from key file (there was bug on this) and give error if key_id is not found. --- .../r/innodb-encryption-alter.result | 46 +++++++++++++++++-- .../encryption/t/innodb-encryption-alter.test | 23 ++++++++-- storage/innobase/handler/ha_innodb.cc | 30 +++++++++--- storage/xtradb/handler/ha_innodb.cc | 30 +++++++++--- 4 files changed, 107 insertions(+), 22 deletions(-) diff --git a/mysql-test/suite/encryption/r/innodb-encryption-alter.result b/mysql-test/suite/encryption/r/innodb-encryption-alter.result index 62880015e29..5869c5d7000 100644 --- a/mysql-test/suite/encryption/r/innodb-encryption-alter.result +++ b/mysql-test/suite/encryption/r/innodb-encryption-alter.result @@ -3,11 +3,51 @@ SET GLOBAL innodb_file_per_table = ON; SET GLOBAL innodb_encrypt_tables = ON; SET GLOBAL innodb_encryption_threads = 4; CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO ENCRYPTION_KEY_ID=4; +Warnings: +Warning 140 InnoDB: Ignored ENCRYPTION_KEY_ID 4 when encryption is disabled +DROP TABLE t1; +set innodb_default_encryption_key_id = 99; +CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB; ERROR HY000: Can't create table `test`.`t1` (errno: 140 "Wrong create options") +SHOW WARNINGS; +Level Code Message +Warning 140 InnoDB: ENCRYPTION_KEY_ID 99 not available +Error 1005 Can't create table `test`.`t1` (errno: 140 "Wrong create options") +Warning 1030 Got error 140 "Wrong create options" from storage engine InnoDB +CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES; +ERROR HY000: Can't create table `test`.`t1` (errno: 140 "Wrong create options") +SHOW WARNINGS; +Level Code Message +Warning 140 InnoDB: ENCRYPTION_KEY_ID 99 not available +Error 1005 Can't create table `test`.`t1` (errno: 140 "Wrong create options") +Warning 1030 Got error 140 "Wrong create options" from storage engine InnoDB +set innodb_default_encryption_key_id = 4; +CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `pk` int(11) NOT NULL AUTO_INCREMENT, + `c` varchar(256) DEFAULT NULL, + PRIMARY KEY (`pk`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1 `ENCRYPTED`=YES `ENCRYPTION_KEY_ID`=4 +DROP TABLE t1; +CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `pk` int(11) NOT NULL AUTO_INCREMENT, + `c` varchar(256) DEFAULT NULL, + PRIMARY KEY (`pk`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1 `ENCRYPTION_KEY_ID`=4 CREATE TABLE t2 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO ENCRYPTION_KEY_ID=1; -CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES ENCRYPTION_KEY_ID=4; -ALTER TABLE t2 ENCRYPTION_KEY_ID=4; -ERROR HY000: Can't create table `test`.`#sql-temporary` (errno: 140 "Wrong create options") +Warnings: +Warning 140 InnoDB: Ignored ENCRYPTION_KEY_ID 1 when encryption is disabled ALTER TABLE t1 ENCRYPTION_KEY_ID=99; ERROR HY000: Can't create table `test`.`#sql-temporary` (errno: 140 "Wrong create options") +SHOW WARNINGS; +Level Code Message +Warning 140 InnoDB: ENCRYPTION_KEY_ID 99 not available +Error 1005 Can't create table `test`.`#sql-temporary` (errno: 140 "Wrong create options") +Warning 1030 Got error 140 "Wrong create options" from storage engine InnoDB +set innodb_default_encryption_key_id = 1; drop table t1,t2; diff --git a/mysql-test/suite/encryption/t/innodb-encryption-alter.test b/mysql-test/suite/encryption/t/innodb-encryption-alter.test index 0eea28f22dd..316ece1c16b 100644 --- a/mysql-test/suite/encryption/t/innodb-encryption-alter.test +++ b/mysql-test/suite/encryption/t/innodb-encryption-alter.test @@ -17,16 +17,29 @@ SET GLOBAL innodb_file_per_table = ON; SET GLOBAL innodb_encrypt_tables = ON; SET GLOBAL innodb_encryption_threads = 4; ---error 1005 CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO ENCRYPTION_KEY_ID=4; -CREATE TABLE t2 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO ENCRYPTION_KEY_ID=1; -CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES ENCRYPTION_KEY_ID=4; ---replace_regex /#sql-[0-9a-f_]*/#sql-temporary/ +DROP TABLE t1; +set innodb_default_encryption_key_id = 99; --error 1005 -ALTER TABLE t2 ENCRYPTION_KEY_ID=4; +CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB; +SHOW WARNINGS; +--error 1005 +CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES; +SHOW WARNINGS; +set innodb_default_encryption_key_id = 4; +CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES; +SHOW CREATE TABLE t1; +DROP TABLE t1; +CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB; +SHOW CREATE TABLE t1; +CREATE TABLE t2 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO ENCRYPTION_KEY_ID=1; --replace_regex /#sql-[0-9a-f_]*/#sql-temporary/ --error 1005 ALTER TABLE t1 ENCRYPTION_KEY_ID=99; +--replace_regex /#sql-[0-9a-f_]*/#sql-temporary/ +SHOW WARNINGS; +set innodb_default_encryption_key_id = 1; + --disable_warnings --disable_query_log diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc index dbc1dd2a463..5c9a3a18248 100644 --- a/storage/innobase/handler/ha_innodb.cc +++ b/storage/innobase/handler/ha_innodb.cc @@ -11491,6 +11491,7 @@ ha_innobase::check_table_options( } } + /* If encryption is set up make sure that used key_id is found */ if (encrypt == FIL_SPACE_ENCRYPTION_ON || (encrypt == FIL_SPACE_ENCRYPTION_DEFAULT && srv_encrypt_tables)) { if (!encryption_key_id_exists((unsigned int)options->encryption_key_id)) { @@ -11504,18 +11505,33 @@ ha_innobase::check_table_options( } } - /* Do not allow creating unencrypted table with nondefault - encryption key */ - if ((encrypt == FIL_SPACE_ENCRYPTION_OFF || - (encrypt == FIL_SPACE_ENCRYPTION_DEFAULT && !srv_encrypt_tables)) && - options->encryption_key_id != FIL_DEFAULT_ENCRYPTION_KEY) { + /* Ignore nondefault key_id if encryption is set off */ + if (encrypt == FIL_SPACE_ENCRYPTION_OFF && + options->encryption_key_id != THDVAR(thd, default_encryption_key_id)) { push_warning_printf( thd, Sql_condition::WARN_LEVEL_WARN, HA_WRONG_CREATE_OPTION, - "InnoDB: Incorrect ENCRYPTION_KEY_ID %u when encryption is disabled", + "InnoDB: Ignored ENCRYPTION_KEY_ID %u when encryption is disabled", (uint)options->encryption_key_id ); - return "ENCRYPTION_KEY_ID"; + options->encryption_key_id = FIL_DEFAULT_ENCRYPTION_KEY; + } + + /* If default encryption is used make sure that used kay is found + from key file. */ + if (encrypt == FIL_SPACE_ENCRYPTION_DEFAULT && + !srv_encrypt_tables && + options->encryption_key_id != FIL_DEFAULT_ENCRYPTION_KEY) { + if (!encryption_key_id_exists((unsigned int)options->encryption_key_id)) { + push_warning_printf( + thd, Sql_condition::WARN_LEVEL_WARN, + HA_WRONG_CREATE_OPTION, + "InnoDB: ENCRYPTION_KEY_ID %u not available", + (uint)options->encryption_key_id + ); + return "ENCRYPTION_KEY_ID"; + + } } /* Check atomic writes requirements */ diff --git a/storage/xtradb/handler/ha_innodb.cc b/storage/xtradb/handler/ha_innodb.cc index 6cdfcbf927a..f1c57ad746f 100644 --- a/storage/xtradb/handler/ha_innodb.cc +++ b/storage/xtradb/handler/ha_innodb.cc @@ -11973,6 +11973,7 @@ ha_innobase::check_table_options( } } + /* If encryption is set up make sure that used key_id is found */ if (encrypt == FIL_SPACE_ENCRYPTION_ON || (encrypt == FIL_SPACE_ENCRYPTION_DEFAULT && srv_encrypt_tables)) { if (!encryption_key_id_exists((unsigned int)options->encryption_key_id)) { @@ -11987,18 +11988,33 @@ ha_innobase::check_table_options( } } - /* Do not allow creating unencrypted table with nondefault - encryption key */ - if ((encrypt == FIL_SPACE_ENCRYPTION_OFF || - (encrypt == FIL_SPACE_ENCRYPTION_DEFAULT && !srv_encrypt_tables)) && - options->encryption_key_id != FIL_DEFAULT_ENCRYPTION_KEY) { + /* Ignore nondefault key_id if encryption is set off */ + if (encrypt == FIL_SPACE_ENCRYPTION_OFF && + options->encryption_key_id != THDVAR(thd, default_encryption_key_id)) { push_warning_printf( thd, Sql_condition::WARN_LEVEL_WARN, HA_WRONG_CREATE_OPTION, - "InnoDB: Incorrect ENCRYPTION_KEY_ID %u when encryption is disabled", + "InnoDB: Ignored ENCRYPTION_KEY_ID %u when encryption is disabled", (uint)options->encryption_key_id ); - return "ENCRYPTION_KEY_ID"; + options->encryption_key_id = FIL_DEFAULT_ENCRYPTION_KEY; + } + + /* If default encryption is used make sure that used kay is found + from key file. */ + if (encrypt == FIL_SPACE_ENCRYPTION_DEFAULT && + !srv_encrypt_tables && + options->encryption_key_id != FIL_DEFAULT_ENCRYPTION_KEY) { + if (!encryption_key_id_exists((unsigned int)options->encryption_key_id)) { + push_warning_printf( + thd, Sql_condition::WARN_LEVEL_WARN, + HA_WRONG_CREATE_OPTION, + "InnoDB: ENCRYPTION_KEY_ID %u not available", + (uint)options->encryption_key_id + ); + return "ENCRYPTION_KEY_ID"; + + } } /* Check atomic writes requirements */