database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-08-05 13:16:09 +03:00
Code Activity

MDEV-8772: Assertion failure in file ha_innodb.cc line 20027 when importing page compressed and encrypted tablespace using incorrect keys

Browse Source 
Add error handling to decryp function when decrypt fails during
import.
This commit is contained in:
Jan Lindström
2015-09-14 14:11:23 +03:00
parent ddaddf1019
commit 4d3f680c95
10 changed files with 215 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
mysql-test/suite/encryption/r/innodb-bad-key-change3.result Normal file
View File

@@ -0,0 +1,44 @@
call mtr.add_suppression("InnoDB: Table .* tablespace is set as discarded");
SET GLOBAL innodb_file_format = `Barracuda`;
SET GLOBAL innodb_file_per_table = ON;
set global innodb_compression_algorithm = 1;
CREATE TABLE t1 (pk INT PRIMARY KEY, f VARCHAR(255)) ENGINE=InnoDB PAGE_COMPRESSED=1 ENCRYPTED=YES ENCRYPTION_KEY_ID=4;
SHOW WARNINGS;
Level Code Message
SHOW CREATE TABLE t1;
Table Create Table
t1 CREATE TABLE `t1` (
`pk` int(11) NOT NULL,
`f` varchar(255) DEFAULT NULL,
PRIMARY KEY (`pk`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 `PAGE_COMPRESSED`=1 `ENCRYPTED`=YES `ENCRYPTION_KEY_ID`=4
INSERT INTO t1 VALUES (1,'foobar'),(2,'barfoo');
FLUSH TABLE t1 FOR EXPORT;
# List before copying files
t1.cfg
t1.frm
t1.ibd
UNLOCK TABLES;
# Tablespaces should be still encrypted
# t1 yes on expecting NOT FOUND
NOT FOUND /foobar/ in t1.ibd
ALTER TABLE t1 DISCARD TABLESPACE;
SET GLOBAL innodb_file_format = `Barracuda`;
SET GLOBAL innodb_file_per_table = ON;
# List after t1 DISCARD
t1.frm
ALTER TABLE t1 IMPORT TABLESPACE;
ERROR HY000: Got error 192 'Table encrypted but decryption failed. This could be because correct encryption management plugin is not loaded, used encryption key is not available or encryption method does not match.' from InnoDB
SHOW CREATE TABLE t1;
Table Create Table
t1 CREATE TABLE `t1` (
`pk` int(11) NOT NULL,
`f` varchar(255) DEFAULT NULL,
PRIMARY KEY (`pk`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 `PAGE_COMPRESSED`=1 `ENCRYPTED`=YES `ENCRYPTION_KEY_ID`=4
SELECT * FROM t1;
ERROR HY000: Tablespace has been discarded for table 't1'
# Tablespaces should be still encrypted
# t1 yes on expecting NOT FOUND
NOT FOUND /foobar/ in t1.ibd
DROP TABLE t1;

101
mysql-test/suite/encryption/t/innodb-bad-key-change3.test Normal file
View File

@@ -0,0 +1,101 @@
--source include/have_innodb.inc
# embedded does not support restart
-- source include/not_embedded.inc
-- source include/not_valgrind.inc
# Avoid CrashReporter popup on Mac
-- source include/not_crashrep.inc
#
# MDEV-8772: Assertion failure in file ha_innodb.cc line 20027 when importing page compressed and encrypted tablespace using incorrect keys
#
call mtr.add_suppression("InnoDB: Table .* tablespace is set as discarded");
--disable_query_log
let $innodb_file_format_orig = `SELECT @@innodb_file_format`;
let $innodb_file_per_table_orig = `SELECT @@innodb_file_per_table`;
--enable_query_log
--let $MYSQLD_TMPDIR = `SELECT @@tmpdir`
--let $MYSQLD_DATADIR = `SELECT @@datadir`
--let SEARCH_RANGE = 10000000
--let t1_IBD = $MYSQLD_DATADIR/test/t1.ibd
--exec echo "wait" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--shutdown_server
--source include/wait_until_disconnected.inc
--write_file $MYSQLTEST_VARDIR/keys1.txt
1;770A8A65DA156D24EE2A093277530142
4;770A8A65DA156D24EE2A093277530143
EOF
--exec echo "restart:--innodb-encrypt-tables --innodb-stats-persistent --plugin-load-add=file_key_management.so --file-key-management --file-key-management-filename=$MYSQLTEST_VARDIR/keys1.txt" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc
SET GLOBAL innodb_file_format = `Barracuda`;
SET GLOBAL innodb_file_per_table = ON;
set global innodb_compression_algorithm = 1;
CREATE TABLE t1 (pk INT PRIMARY KEY, f VARCHAR(255)) ENGINE=InnoDB PAGE_COMPRESSED=1 ENCRYPTED=YES ENCRYPTION_KEY_ID=4;
SHOW WARNINGS;
SHOW CREATE TABLE t1;
INSERT INTO t1 VALUES (1,'foobar'),(2,'barfoo');
FLUSH TABLE t1 FOR EXPORT;
--echo # List before copying files
--list_files $MYSQLD_DATADIR/test
--copy_file $MYSQLD_DATADIR/test/t1.cfg $MYSQLD_TMPDIR/t1.cfg
--copy_file $MYSQLD_DATADIR/test/t1.ibd $MYSQLD_TMPDIR/t1.ibd
UNLOCK TABLES;
--sleep 5
--echo # Tablespaces should be still encrypted
--let SEARCH_PATTERN=foobar
--echo # t1 yes on expecting NOT FOUND
-- let SEARCH_FILE=$t1_IBD
-- source include/search_pattern_in_file.inc
ALTER TABLE t1 DISCARD TABLESPACE;
--exec echo "wait" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--shutdown_server
--source include/wait_until_disconnected.inc
--write_file $MYSQLTEST_VARDIR/keys2.txt
1;770A8A65DA156D24EE2A093277530142
4;770A8A65DA156D24EE2A093277530144
EOF
--exec echo "restart:--innodb-encrypt-tables --innodb-stats-persistent --plugin-load-add=file_key_management.so --file-key-management --file-key-management-filename=$MYSQLTEST_VARDIR/keys2.txt" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc
--source include/restart_mysqld.inc
SET GLOBAL innodb_file_format = `Barracuda`;
SET GLOBAL innodb_file_per_table = ON;
--echo # List after t1 DISCARD
--list_files $MYSQLD_DATADIR/test
--copy_file $MYSQLD_TMPDIR/t1.cfg $MYSQLD_DATADIR/test/t1.cfg
--copy_file $MYSQLD_TMPDIR/t1.ibd $MYSQLD_DATADIR/test/t1.ibd
--error ER_GET_ERRMSG
ALTER TABLE t1 IMPORT TABLESPACE;
SHOW CREATE TABLE t1;
--error ER_TABLESPACE_DISCARDED
SELECT * FROM t1;
--sleep 5
--echo # Tablespaces should be still encrypted
-- let SEARCH_FILE=$t1_IBD
--let SEARCH_PATTERN=foobar
--echo # t1 yes on expecting NOT FOUND
-- let SEARCH_FILE=$t1_IBD
-- source include/search_pattern_in_file.inc
DROP TABLE t1;
# reset system
--disable_query_log
EVAL SET GLOBAL innodb_file_per_table = $innodb_file_per_table_orig;
EVAL SET GLOBAL innodb_file_format = $innodb_file_format_orig;
--enable_query_log
--remove_file $MYSQLTEST_VARDIR/keys1.txt
--remove_file $MYSQLTEST_VARDIR/keys2.txt

17
storage/innobase/fil/fil0crypt.cc
View File

@@ -714,12 +714,16 @@ fil_space_decrypt(
fil_space_crypt_t* crypt_data, /*!< in: crypt data */ fil_space_crypt_t* crypt_data, /*!< in: crypt data */
byte* tmp_frame, /*!< in: temporary buffer */ byte* tmp_frame, /*!< in: temporary buffer */
ulint page_size, /*!< in: page size */ ulint page_size, /*!< in: page size */
byte* src_frame) /*!< in:out: page buffer */ byte* src_frame, /*!< in: out: page buffer */
dberr_t* err) /*!< in: out: DB_SUCCESS or
error code */
{ {
ulint page_type = mach_read_from_2(src_frame+FIL_PAGE_TYPE); ulint page_type = mach_read_from_2(src_frame+FIL_PAGE_TYPE);
uint key_version = mach_read_from_4(src_frame + FIL_PAGE_FILE_FLUSH_LSN_OR_KEY_VERSION); uint key_version = mach_read_from_4(src_frame + FIL_PAGE_FILE_FLUSH_LSN_OR_KEY_VERSION);
bool page_compressed = (page_type == FIL_PAGE_PAGE_COMPRESSED_ENCRYPTED); bool page_compressed = (page_type == FIL_PAGE_PAGE_COMPRESSED_ENCRYPTED);
*err = DB_SUCCESS;
if (key_version == ENCRYPTION_KEY_NOT_ENCRYPTED) { if (key_version == ENCRYPTION_KEY_NOT_ENCRYPTED) {
return false; return false;
} }
@@ -756,6 +760,12 @@ fil_space_decrypt(
space, offset, lsn); space, offset, lsn);
if (! ((rc == MY_AES_OK) && ((ulint) dstlen == srclen))) { if (! ((rc == MY_AES_OK) && ((ulint) dstlen == srclen))) {
if (rc == -1) {
*err = DB_DECRYPTION_FAILED;
return false;
}
ib_logf(IB_LOG_LEVEL_FATAL, ib_logf(IB_LOG_LEVEL_FATAL,
"Unable to decrypt data-block " "Unable to decrypt data-block "
" src: %p srclen: %ld buf: %p buflen: %d." " src: %p srclen: %ld buf: %p buflen: %d."
@@ -797,11 +807,14 @@ fil_space_decrypt(
ulint page_size, /*!< in: page size */ ulint page_size, /*!< in: page size */
byte* src_frame) /*!< in/out: page buffer */ byte* src_frame) /*!< in/out: page buffer */
{ {
dberr_t err = DB_SUCCESS;
bool encrypted = fil_space_decrypt( bool encrypted = fil_space_decrypt(
fil_space_get_crypt_data(space), fil_space_get_crypt_data(space),
tmp_frame, tmp_frame,
page_size, page_size,
src_frame); src_frame,
&err);
if (encrypted) { if (encrypted) {
/* Copy the decrypted page back to page buffer, not /* Copy the decrypted page back to page buffer, not

11
storage/innobase/fil/fil0fil.cc
View File

@@ -6425,6 +6425,7 @@ fil_iterate(
if ((iter.crypt_data != NULL && iter.crypt_data->encryption == FIL_SPACE_ENCRYPTION_ON) || if ((iter.crypt_data != NULL && iter.crypt_data->encryption == FIL_SPACE_ENCRYPTION_ON) ||
(srv_encrypt_tables && (srv_encrypt_tables &&
iter.crypt_data && iter.crypt_data->encryption == FIL_SPACE_ENCRYPTION_DEFAULT)) { iter.crypt_data && iter.crypt_data->encryption == FIL_SPACE_ENCRYPTION_DEFAULT)) {
encrypted = true; encrypted = true;
readptr = iter.crypt_io_buffer; readptr = iter.crypt_io_buffer;
writeptr = iter.crypt_io_buffer; writeptr = iter.crypt_io_buffer;
@@ -6444,6 +6445,7 @@ fil_iterate(
for (ulint i = 0; i < n_pages_read; ++i) { for (ulint i = 0; i < n_pages_read; ++i) {
ulint size = iter.page_size; ulint size = iter.page_size;
dberr_t err = DB_SUCCESS;
/* If tablespace is encrypted, we need to decrypt /* If tablespace is encrypted, we need to decrypt
the page. */ the page. */
@@ -6452,10 +6454,14 @@ fil_iterate(
iter.crypt_data, iter.crypt_data,
io_buffer + i * size, //dst io_buffer + i * size, //dst
iter.page_size, iter.page_size,
readptr + i * size); // src readptr + i * size, // src
&err); // src
if (err != DB_SUCCESS) {
return(err);
}
if (decrypted) { if (decrypted) {
/* write back unencrypted page */
updated = true; updated = true;
} else { } else {
/* TODO: remove unnecessary memcpy's */ /* TODO: remove unnecessary memcpy's */
@@ -6465,7 +6471,6 @@ fil_iterate(
buf_block_set_file_page(block, space_id, page_no++); buf_block_set_file_page(block, space_id, page_no++);
dberr_t err;
if ((err = callback(page_off, block)) != DB_SUCCESS) { if ((err = callback(page_off, block)) != DB_SUCCESS) {

5
storage/innobase/include/fil0crypt.h
View File

@@ -211,7 +211,10 @@ fil_space_decrypt(
fil_space_crypt_t* crypt_data, /*!< in: crypt data */ fil_space_crypt_t* crypt_data, /*!< in: crypt data */
byte* tmp_frame, /*!< in: temporary buffer */ byte* tmp_frame, /*!< in: temporary buffer */
ulint page_size, /*!< in: page size */ ulint page_size, /*!< in: page size */
byte* src_frame); /*!< in:out: page buffer */ byte* src_frame, /*!< in:out: page buffer */
dberr_t* err); /*!< in: out: DB_SUCCESS or
error code */
/********************************************************************* /*********************************************************************
Encrypt buffer page Encrypt buffer page

12
storage/innobase/row/row0import.cc
View File

@@ -1,6 +1,7 @@
/***************************************************************************** /*****************************************************************************
Copyright (c) 2012, 2015, Oracle and/or its affiliates. All Rights Reserved. Copyright (c) 2012, 2015, Oracle and/or its affiliates. All Rights Reserved.
Copyright (c) 2015, MariaDB Corporation.
This program is free software; you can redistribute it and/or modify it under This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software the terms of the GNU General Public License as published by the Free Software
@@ -3597,10 +3598,13 @@ row_import_for_mysql(
innobase_format_name( innobase_format_name(
table_name, sizeof(table_name), table->name, FALSE); table_name, sizeof(table_name), table->name, FALSE);
ib_errf(trx->mysql_thd, IB_LOG_LEVEL_ERROR, if (err != DB_DECRYPTION_FAILED) {
ER_INTERNAL_ERROR,
"Cannot reset LSNs in table '%s' : %s", ib_errf(trx->mysql_thd, IB_LOG_LEVEL_ERROR,
table_name, ut_strerr(err)); ER_INTERNAL_ERROR,
"Cannot reset LSNs in table '%s' : %s",
table_name, ut_strerr(err));
}
return(row_import_cleanup(prebuilt, trx, err)); return(row_import_cleanup(prebuilt, trx, err));
} }

17
storage/xtradb/fil/fil0crypt.cc
View File

@@ -714,12 +714,16 @@ fil_space_decrypt(
fil_space_crypt_t* crypt_data, /*!< in: crypt data */ fil_space_crypt_t* crypt_data, /*!< in: crypt data */
byte* tmp_frame, /*!< in: temporary buffer */ byte* tmp_frame, /*!< in: temporary buffer */
ulint page_size, /*!< in: page size */ ulint page_size, /*!< in: page size */
byte* src_frame) /*!< in:out: page buffer */ byte* src_frame, /*!< in: out: page buffer */
dberr_t* err) /*!< in: out: DB_SUCCESS or
error code */
{ {
ulint page_type = mach_read_from_2(src_frame+FIL_PAGE_TYPE); ulint page_type = mach_read_from_2(src_frame+FIL_PAGE_TYPE);
uint key_version = mach_read_from_4(src_frame + FIL_PAGE_FILE_FLUSH_LSN_OR_KEY_VERSION); uint key_version = mach_read_from_4(src_frame + FIL_PAGE_FILE_FLUSH_LSN_OR_KEY_VERSION);
bool page_compressed = (page_type == FIL_PAGE_PAGE_COMPRESSED_ENCRYPTED); bool page_compressed = (page_type == FIL_PAGE_PAGE_COMPRESSED_ENCRYPTED);
*err = DB_SUCCESS;
if (key_version == ENCRYPTION_KEY_NOT_ENCRYPTED) { if (key_version == ENCRYPTION_KEY_NOT_ENCRYPTED) {
return false; return false;
} }
@@ -756,6 +760,12 @@ fil_space_decrypt(
space, offset, lsn); space, offset, lsn);
if (! ((rc == MY_AES_OK) && ((ulint) dstlen == srclen))) { if (! ((rc == MY_AES_OK) && ((ulint) dstlen == srclen))) {
if (rc == -1) {
*err = DB_DECRYPTION_FAILED;
return false;
}
ib_logf(IB_LOG_LEVEL_FATAL, ib_logf(IB_LOG_LEVEL_FATAL,
"Unable to decrypt data-block " "Unable to decrypt data-block "
" src: %p srclen: %ld buf: %p buflen: %d." " src: %p srclen: %ld buf: %p buflen: %d."
@@ -797,11 +807,14 @@ fil_space_decrypt(
ulint page_size, /*!< in: page size */ ulint page_size, /*!< in: page size */
byte* src_frame) /*!< in/out: page buffer */ byte* src_frame) /*!< in/out: page buffer */
{ {
dberr_t err = DB_SUCCESS;
bool encrypted = fil_space_decrypt( bool encrypted = fil_space_decrypt(
fil_space_get_crypt_data(space), fil_space_get_crypt_data(space),
tmp_frame, tmp_frame,
page_size, page_size,
src_frame); src_frame,
&err);
if (encrypted) { if (encrypted) {
/* Copy the decrypted page back to page buffer, not /* Copy the decrypted page back to page buffer, not

11
storage/xtradb/fil/fil0fil.cc
View File

@@ -6482,6 +6482,7 @@ fil_iterate(
if ((iter.crypt_data != NULL && iter.crypt_data->encryption == FIL_SPACE_ENCRYPTION_ON) || if ((iter.crypt_data != NULL && iter.crypt_data->encryption == FIL_SPACE_ENCRYPTION_ON) ||
(srv_encrypt_tables && (srv_encrypt_tables &&
iter.crypt_data && iter.crypt_data->encryption == FIL_SPACE_ENCRYPTION_DEFAULT)) { iter.crypt_data && iter.crypt_data->encryption == FIL_SPACE_ENCRYPTION_DEFAULT)) {
encrypted = true; encrypted = true;
readptr = iter.crypt_io_buffer; readptr = iter.crypt_io_buffer;
writeptr = iter.crypt_io_buffer; writeptr = iter.crypt_io_buffer;
@@ -6501,6 +6502,7 @@ fil_iterate(
for (ulint i = 0; i < n_pages_read; ++i) { for (ulint i = 0; i < n_pages_read; ++i) {
ulint size = iter.page_size; ulint size = iter.page_size;
dberr_t err = DB_SUCCESS;
/* If tablespace is encrypted, we need to decrypt /* If tablespace is encrypted, we need to decrypt
the page. */ the page. */
@@ -6509,10 +6511,14 @@ fil_iterate(
iter.crypt_data, iter.crypt_data,
io_buffer + i * size, //dst io_buffer + i * size, //dst
iter.page_size, iter.page_size,
readptr + i * size); // src readptr + i * size, // src
&err); // src
if (err != DB_SUCCESS) {
return(err);
}
if (decrypted) { if (decrypted) {
/* write back unencrypted page */
updated = true; updated = true;
} else { } else {
/* TODO: remove unnecessary memcpy's */ /* TODO: remove unnecessary memcpy's */
@@ -6522,7 +6528,6 @@ fil_iterate(
buf_block_set_file_page(block, space_id, page_no++); buf_block_set_file_page(block, space_id, page_no++);
dberr_t err;
if ((err = callback(page_off, block)) != DB_SUCCESS) { if ((err = callback(page_off, block)) != DB_SUCCESS) {

5
storage/xtradb/include/fil0crypt.h
View File

@@ -211,7 +211,10 @@ fil_space_decrypt(
fil_space_crypt_t* crypt_data, /*!< in: crypt data */ fil_space_crypt_t* crypt_data, /*!< in: crypt data */
byte* tmp_frame, /*!< in: temporary buffer */ byte* tmp_frame, /*!< in: temporary buffer */
ulint page_size, /*!< in: page size */ ulint page_size, /*!< in: page size */
byte* src_frame); /*!< in:out: page buffer */ byte* src_frame, /*!< in:out: page buffer */
dberr_t* err); /*!< in: out: DB_SUCCESS or
error code */
/********************************************************************* /*********************************************************************
Encrypt buffer page Encrypt buffer page

12
storage/xtradb/row/row0import.cc
View File

@@ -1,6 +1,7 @@
/***************************************************************************** /*****************************************************************************
Copyright (c) 2012, 2013, Oracle and/or its affiliates. All Rights Reserved. Copyright (c) 2012, 2013, Oracle and/or its affiliates. All Rights Reserved.
Copyright (c) 2015, MariaDB Corporation.
This program is free software; you can redistribute it and/or modify it under This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software the terms of the GNU General Public License as published by the Free Software
@@ -3620,10 +3621,13 @@ row_import_for_mysql(
innobase_format_name( innobase_format_name(
table_name, sizeof(table_name), table->name, FALSE); table_name, sizeof(table_name), table->name, FALSE);
ib_errf(trx->mysql_thd, IB_LOG_LEVEL_ERROR, if (err != DB_DECRYPTION_FAILED) {
ER_INTERNAL_ERROR,
"Cannot reset LSNs in table '%s' : %s", ib_errf(trx->mysql_thd, IB_LOG_LEVEL_ERROR,
table_name, ut_strerr(err)); ER_INTERNAL_ERROR,
"Cannot reset LSNs in table '%s' : %s",
table_name, ut_strerr(err));
}
return(row_import_cleanup(prebuilt, trx, err)); return(row_import_cleanup(prebuilt, trx, err));
} }