New encryption API. Piece-wise encryption.

Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
2025-07-30 16:24:05 +03:00 · 2015-09-04 10:32:52 +02:00
parent d94a982adb
commit 66b9a9409c
24 changed files with 915 additions and 666 deletions
--- a/plugin/example_key_management/example_key_management_plugin.cc
+++ b/plugin/example_key_management/example_key_management_plugin.cc
@ -77,26 +77,24 @@ get_key(unsigned int key_id, unsigned int version,

 /*
  for the sake of an example, let's use different encryption algorithms/modes
-  for different keys.
+  for different keys versions:
 */
-int encrypt(const unsigned char* src, unsigned int slen,
-            unsigned char* dst, unsigned int* dlen,
-            const unsigned char* key, unsigned int klen,
-            const unsigned char* iv, unsigned int ivlen,
-            int no_padding, unsigned int keyid, unsigned int key_version)
+static inline enum my_aes_mode mode(unsigned int key_version)
 {
-  return ((key_version & 1) ? my_aes_encrypt_cbc : my_aes_encrypt_ecb)
-    (src, slen, dst, dlen, key, klen, iv, ivlen, no_padding);
+  return key_version & 1 ? MY_AES_ECB : MY_AES_CBC;
 }

-int decrypt(const unsigned char* src, unsigned int slen,
-            unsigned char* dst, unsigned int* dlen,
-            const unsigned char* key, unsigned int klen,
-            const unsigned char* iv, unsigned int ivlen,
-            int no_padding, unsigned int keyid, unsigned int key_version)
+int ctx_init(void *ctx, const unsigned char* key, unsigned int klen, const
+             unsigned char* iv, unsigned int ivlen, int flags, unsigned int
+             key_id, unsigned int key_version)
 {
-  return ((key_version & 1) ? my_aes_decrypt_cbc : my_aes_decrypt_ecb)
-    (src, slen, dst, dlen, key, klen, iv, ivlen, no_padding);
+  return my_aes_crypt_init(ctx, mode(key_version), flags, key, klen, iv, ivlen);
+}
+
+static unsigned int get_length(unsigned int slen, unsigned int key_id,
+                               unsigned int key_version)
+{
+  return my_aes_get_size(mode(key_version), slen);
 }

 static int example_key_management_plugin_init(void *p)
@ -119,8 +117,11 @@ struct st_mariadb_encryption example_key_management_plugin= {
  MariaDB_ENCRYPTION_INTERFACE_VERSION,
  get_latest_key_version,
  get_key,
-  encrypt,
-  decrypt
+  (uint (*)(unsigned int, unsigned int))my_aes_ctx_size,
+  ctx_init,
+  my_aes_crypt_update,
+  my_aes_crypt_finish,
+  get_length
 };

 /*