mirror of
https://github.com/MariaDB/server.git
synced 2025-08-17 06:42:17 +03:00
c0f47a4a58
MariaDB data-at-rest encryption (innodb_encrypt_tables) had repurposed the same unused data field that was repurposed in MySQL 5.7 (and MariaDB 10.2) for the Split Sequence Number (SSN) field of SPATIAL INDEX. Because of this, MariaDB was unable to support encryption on SPATIAL INDEX pages. Furthermore, InnoDB page checksums skipped some bytes, and there are multiple variations and checksum algorithms. By default, InnoDB accepts all variations of all algorithms that ever existed. This unnecessarily weakens the page checksums. We hereby introduce two more innodb_checksum_algorithm variants (full_crc32, strict_full_crc32) that are special in a way: When either setting is active, newly created data files will carry a flag (fil_space_t::full_crc32()) that indicates that all pages of the file will use a full CRC-32C checksum over the entire page contents (excluding the bytes where the checksum is stored, at the very end of the page). Such files will always use that checksum, no matter what the parameter innodb_checksum_algorithm is assigned to. For old files, the old checksum algorithms will continue to be used. The value strict_full_crc32 will be equivalent to strict_crc32 and the value full_crc32 will be equivalent to crc32. ROW_FORMAT=COMPRESSED tables will only use the old format. These tables do not support new features, such as larger innodb_page_size or instant ADD/DROP COLUMN. They may be deprecated in the future. We do not want an unnecessary file format change for them. The new full_crc32() format also cleans up the MariaDB tablespace flags. We will reserve flags to store the page_compressed compression algorithm, and to store the compressed payload length, so that checksum can be computed over the compressed (and possibly encrypted) stream and can be validated without decrypting or decompressing the page. In the full_crc32 format, there no longer are separate before-encryption and after-encryption checksums for pages. The single checksum is computed on the page contents that is written to the file. We do not make the new algorithm the default for two reasons. First, MariaDB 10.4.2 was a beta release, and the default values of parameters should not change after beta. Second, we did not yet implement the full_crc32 format for page_compressed pages. This will be fixed in MDEV-18644. This is joint work with Marko Mäkelä.
286 lines
9.1 KiB
Plaintext
286 lines
9.1 KiB
Plaintext
#
|
|
# MDEV-8773: InnoDB innochecksum does not work with encrypted or page compressed tables
|
|
#
|
|
|
|
# Don't test under embedded as we restart server
|
|
-- source include/not_embedded.inc
|
|
# Require InnoDB
|
|
-- source include/have_innodb.inc
|
|
-- source include/have_file_key_management_plugin.inc
|
|
-- source include/innodb_page_size_small.inc
|
|
-- source include/innodb_checksum_algorithm.inc
|
|
|
|
if (!$INNOCHECKSUM) {
|
|
--echo Need innochecksum binary
|
|
--die Need innochecksum binary
|
|
}
|
|
|
|
let $checksum_algorithm = `SELECT @@innodb_checksum_algorithm`;
|
|
SET GLOBAL innodb_file_per_table = ON;
|
|
# zlib
|
|
set global innodb_compression_algorithm = 1;
|
|
|
|
|
|
--echo # Create and populate a tables
|
|
CREATE TABLE t1 (a INT AUTO_INCREMENT PRIMARY KEY, b TEXT) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=4;
|
|
CREATE TABLE t2 (a INT AUTO_INCREMENT PRIMARY KEY, b TEXT) ENGINE=InnoDB ROW_FORMAT=COMPRESSED ENCRYPTED=YES ENCRYPTION_KEY_ID=4;
|
|
CREATE TABLE t3 (a INT AUTO_INCREMENT PRIMARY KEY, b TEXT) ENGINE=InnoDB ROW_FORMAT=COMPRESSED ENCRYPTED=NO;
|
|
CREATE TABLE t4 (a INT AUTO_INCREMENT PRIMARY KEY, b TEXT) ENGINE=InnoDB PAGE_COMPRESSED=1;
|
|
CREATE TABLE t5 (a INT AUTO_INCREMENT PRIMARY KEY, b TEXT) ENGINE=InnoDB PAGE_COMPRESSED=1 ENCRYPTED=YES ENCRYPTION_KEY_ID=4;
|
|
CREATE TABLE t6 (a INT AUTO_INCREMENT PRIMARY KEY, b TEXT) ENGINE=InnoDB;
|
|
|
|
--disable_query_log
|
|
--let $i = 1000
|
|
begin;
|
|
while ($i)
|
|
{
|
|
INSERT INTO t1 (b) VALUES (REPEAT('abcdefghijklmnopqrstuvwxyz', 100));
|
|
dec $i;
|
|
}
|
|
INSERT INTO t2 SELECT * FROM t1;
|
|
INSERT INTO t3 SELECT * FROM t1;
|
|
INSERT INTO t4 SELECT * FROM t1;
|
|
INSERT INTO t5 SELECT * FROM t1;
|
|
INSERT INTO t6 SELECT * FROM t1;
|
|
commit;
|
|
--enable_query_log
|
|
|
|
let $MYSQLD_DATADIR=`select @@datadir`;
|
|
let t1_IBD = $MYSQLD_DATADIR/test/t1.ibd;
|
|
let t2_IBD = $MYSQLD_DATADIR/test/t2.ibd;
|
|
let t3_IBD = $MYSQLD_DATADIR/test/t3.ibd;
|
|
let t4_IBD = $MYSQLD_DATADIR/test/t4.ibd;
|
|
let t5_IBD = $MYSQLD_DATADIR/test/t5.ibd;
|
|
let t6_IBD = $MYSQLD_DATADIR/test/t6.ibd;
|
|
|
|
let INNODB_PAGE_SIZE=`select @@innodb_page_size`;
|
|
let MYSQLD_DATADIR=`select @@datadir`;
|
|
|
|
--source include/shutdown_mysqld.inc
|
|
|
|
--echo # Run innochecksum on t1
|
|
-- disable_result_log
|
|
--exec $INNOCHECKSUM $t1_IBD
|
|
|
|
--echo # Run innochecksum on t2
|
|
|
|
--exec $INNOCHECKSUM $t2_IBD
|
|
|
|
--echo # Run innochecksum on t3
|
|
|
|
--exec $INNOCHECKSUM $t3_IBD
|
|
|
|
--echo # Run innochecksum on t4
|
|
|
|
--exec $INNOCHECKSUM $t4_IBD
|
|
|
|
--echo # Run innochecksum on t4
|
|
|
|
--exec $INNOCHECKSUM $t4_IBD
|
|
|
|
--echo # Run innochecksum on t5
|
|
|
|
--exec $INNOCHECKSUM $t5_IBD
|
|
|
|
--echo # Run innochecksum on t6
|
|
|
|
--exec $INNOCHECKSUM $t6_IBD
|
|
|
|
--enable_result_log
|
|
|
|
--echo # Backup tables before corrupting
|
|
--copy_file $MYSQLD_DATADIR/test/t1.ibd $MYSQLD_DATADIR/test/t1.ibd.backup
|
|
--copy_file $MYSQLD_DATADIR/test/t2.ibd $MYSQLD_DATADIR/test/t2.ibd.backup
|
|
--copy_file $MYSQLD_DATADIR/test/t3.ibd $MYSQLD_DATADIR/test/t3.ibd.backup
|
|
--copy_file $MYSQLD_DATADIR/test/t4.ibd $MYSQLD_DATADIR/test/t4.ibd.backup
|
|
--copy_file $MYSQLD_DATADIR/test/t5.ibd $MYSQLD_DATADIR/test/t5.ibd.backup
|
|
--copy_file $MYSQLD_DATADIR/test/t6.ibd $MYSQLD_DATADIR/test/t6.ibd.backup
|
|
|
|
#
|
|
# MDEV-11939: innochecksum mistakes a file for an encrypted one
|
|
#
|
|
|
|
--echo # Corrupt FIL_PAGE_FILE_FLUSH_LSN_OR_KEY_VERSION
|
|
|
|
perl;
|
|
open(FILE, "+<", "$ENV{MYSQLD_DATADIR}/test/t1.ibd") or die "open";
|
|
binmode FILE;
|
|
seek(FILE, $ENV{'INNODB_PAGE_SIZE'} * 3 + 26, SEEK_SET) or die "seek";
|
|
print FILE pack("H*", "c00lcafedeadb017");
|
|
close FILE or die "close";
|
|
open(FILE, "+<", "$ENV{MYSQLD_DATADIR}/test/t2.ibd") or die "open";
|
|
binmode FILE;
|
|
seek(FILE, $ENV{'INNODB_PAGE_SIZE'} * 3 + 26, SEEK_SET) or die "seek";
|
|
print FILE pack("H*", "c00lcafedeadb017");
|
|
close FILE or die "close";
|
|
open(FILE, "+<", "$ENV{MYSQLD_DATADIR}/test/t3.ibd") or die "open";
|
|
binmode FILE;
|
|
seek(FILE, $ENV{'INNODB_PAGE_SIZE'} * 3 + 26, SEEK_SET) or die "seek";
|
|
print FILE pack("H*", "c00lcafedeadb017");
|
|
close FILE or die "close";
|
|
open(FILE, "+<", "$ENV{MYSQLD_DATADIR}/test/t6.ibd") or die "open";
|
|
binmode FILE;
|
|
seek(FILE, $ENV{'INNODB_PAGE_SIZE'} * 3 + 26, SEEK_SET) or die "seek";
|
|
print FILE pack("H*", "c00lcafedeadb017");
|
|
close FILE or die "close";
|
|
EOF
|
|
|
|
-- disable_result_log
|
|
--error 1
|
|
--exec $INNOCHECKSUM $t1_IBD
|
|
|
|
--echo # Run innochecksum on t2
|
|
|
|
--error 1
|
|
--exec $INNOCHECKSUM $t2_IBD
|
|
|
|
--echo # Run innochecksum on t3
|
|
--echo # no encryption corrupting the field should not have effect
|
|
--exec $INNOCHECKSUM $t3_IBD
|
|
|
|
--echo # Run innochecksum on t6
|
|
--echo # In new checksum format, checksum calculated for whole page.
|
|
--echo # So It should affected.
|
|
let $error_code = 0;
|
|
if ($checksum_algorithm == "full_crc32")
|
|
{
|
|
let $error_code = 1;
|
|
}
|
|
|
|
if ($checksum_algorithm == "strict_full_crc32")
|
|
{
|
|
let $error_code = 1;
|
|
}
|
|
|
|
--error $error_code
|
|
--exec $INNOCHECKSUM $t6_IBD
|
|
|
|
--enable_result_log
|
|
|
|
--echo # Restore the original tables
|
|
--remove_file $MYSQLD_DATADIR/test/t1.ibd
|
|
--remove_file $MYSQLD_DATADIR/test/t2.ibd
|
|
--remove_file $MYSQLD_DATADIR/test/t3.ibd
|
|
--remove_file $MYSQLD_DATADIR/test/t4.ibd
|
|
--remove_file $MYSQLD_DATADIR/test/t5.ibd
|
|
--remove_file $MYSQLD_DATADIR/test/t6.ibd
|
|
--copy_file $MYSQLD_DATADIR/test/t1.ibd.backup $MYSQLD_DATADIR/test/t1.ibd
|
|
--copy_file $MYSQLD_DATADIR/test/t2.ibd.backup $MYSQLD_DATADIR/test/t2.ibd
|
|
--copy_file $MYSQLD_DATADIR/test/t3.ibd.backup $MYSQLD_DATADIR/test/t3.ibd
|
|
--copy_file $MYSQLD_DATADIR/test/t4.ibd.backup $MYSQLD_DATADIR/test/t4.ibd
|
|
--copy_file $MYSQLD_DATADIR/test/t5.ibd.backup $MYSQLD_DATADIR/test/t5.ibd
|
|
--copy_file $MYSQLD_DATADIR/test/t6.ibd.backup $MYSQLD_DATADIR/test/t6.ibd
|
|
|
|
--echo # Corrupt FIL_PAGE_FILE_FLUSH_LSN_OR_KEY_VERSION+4 (post encryption checksum)
|
|
|
|
perl;
|
|
open(FILE, "+<", "$ENV{MYSQLD_DATADIR}/test/t1.ibd") or die "open";
|
|
binmode FILE;
|
|
seek(FILE, $ENV{'INNODB_PAGE_SIZE'} * 3 + 30, SEEK_SET) or die "seek";
|
|
print FILE pack("H*", "c00lcafedeadb017");
|
|
close FILE or die "close";
|
|
open(FILE, "+<", "$ENV{MYSQLD_DATADIR}/test/t2.ibd") or die "open";
|
|
binmode FILE;
|
|
seek(FILE, $ENV{'INNODB_PAGE_SIZE'} * 3 + 30, SEEK_SET) or die "seek";
|
|
print FILE pack("H*", "c00lcafedeadb017");
|
|
close FILE or die "close";
|
|
open(FILE, "+<", "$ENV{MYSQLD_DATADIR}/test/t3.ibd") or die "open";
|
|
binmode FILE;
|
|
seek(FILE, $ENV{'INNODB_PAGE_SIZE'} * 3 + 30, SEEK_SET) or die "seek";
|
|
print FILE pack("H*", "c00lcafedeadb017");
|
|
close FILE or die "close";
|
|
open(FILE, "+<", "$ENV{MYSQLD_DATADIR}/test/t6.ibd") or die "open";
|
|
binmode FILE;
|
|
seek(FILE, $ENV{'INNODB_PAGE_SIZE'} * 3 + 30, SEEK_SET) or die "seek";
|
|
print FILE pack("H*", "c00lcafedeadb017");
|
|
close FILE or die "close";
|
|
EOF
|
|
|
|
-- disable_result_log
|
|
--error 1
|
|
--exec $INNOCHECKSUM $t1_IBD
|
|
|
|
--echo # Run innochecksum on t2
|
|
--error 1
|
|
--exec $INNOCHECKSUM $t2_IBD
|
|
|
|
--echo # Run innochecksum on t3
|
|
--error 1
|
|
--exec $INNOCHECKSUM $t3_IBD
|
|
|
|
--echo # Run innochecksum on t6
|
|
--echo # In new checksum format, checksum calculated for whole page.
|
|
--echo # So It should affected.
|
|
--error $error_code
|
|
--exec $INNOCHECKSUM $t6_IBD
|
|
|
|
--enable_result_log
|
|
|
|
--echo # Restore the original tables
|
|
--remove_file $MYSQLD_DATADIR/test/t1.ibd
|
|
--remove_file $MYSQLD_DATADIR/test/t2.ibd
|
|
--remove_file $MYSQLD_DATADIR/test/t3.ibd
|
|
--remove_file $MYSQLD_DATADIR/test/t4.ibd
|
|
--remove_file $MYSQLD_DATADIR/test/t5.ibd
|
|
--remove_file $MYSQLD_DATADIR/test/t6.ibd
|
|
--copy_file $MYSQLD_DATADIR/test/t1.ibd.backup $MYSQLD_DATADIR/test/t1.ibd
|
|
--copy_file $MYSQLD_DATADIR/test/t2.ibd.backup $MYSQLD_DATADIR/test/t2.ibd
|
|
--copy_file $MYSQLD_DATADIR/test/t3.ibd.backup $MYSQLD_DATADIR/test/t3.ibd
|
|
--copy_file $MYSQLD_DATADIR/test/t4.ibd.backup $MYSQLD_DATADIR/test/t4.ibd
|
|
--copy_file $MYSQLD_DATADIR/test/t5.ibd.backup $MYSQLD_DATADIR/test/t5.ibd
|
|
--copy_file $MYSQLD_DATADIR/test/t6.ibd.backup $MYSQLD_DATADIR/test/t6.ibd
|
|
|
|
--echo # Corrupt FIL_DATA+10 (data)
|
|
|
|
perl;
|
|
open(FILE, "+<", "$ENV{MYSQLD_DATADIR}/test/t1.ibd") or die "open";
|
|
binmode FILE;
|
|
seek(FILE, $ENV{'INNODB_PAGE_SIZE'} * 3 + 48, SEEK_SET) or die "seek";
|
|
print FILE pack("H*", "c00lcafedeadb017");
|
|
close FILE or die "close";
|
|
open(FILE, "+<", "$ENV{MYSQLD_DATADIR}/test/t2.ibd") or die "open";
|
|
binmode FILE;
|
|
seek(FILE, $ENV{'INNODB_PAGE_SIZE'} * 3 + 48, SEEK_SET) or die "seek";
|
|
print FILE pack("H*", "c00lcafedeadb017");
|
|
close FILE or die "close";
|
|
open(FILE, "+<", "$ENV{MYSQLD_DATADIR}/test/t3.ibd") or die "open";
|
|
binmode FILE;
|
|
seek(FILE, $ENV{'INNODB_PAGE_SIZE'} * 3 + 48, SEEK_SET) or die "seek";
|
|
print FILE pack("H*", "c00lcafedeadb017");
|
|
close FILE or die "close";
|
|
open(FILE, "+<", "$ENV{MYSQLD_DATADIR}/test/t6.ibd") or die "open";
|
|
binmode FILE;
|
|
seek(FILE, $ENV{'INNODB_PAGE_SIZE'} * 3 + 48, SEEK_SET) or die "seek";
|
|
print FILE pack("H*", "c00lcafedeadb017");
|
|
close FILE or die "close";
|
|
EOF
|
|
|
|
-- disable_result_log
|
|
--error 1
|
|
--exec $INNOCHECKSUM $t1_IBD
|
|
|
|
--echo # Run innochecksum on t2
|
|
--error 1
|
|
--exec $INNOCHECKSUM $t2_IBD
|
|
|
|
--echo # Run innochecksum on t3
|
|
--error 1
|
|
--exec $INNOCHECKSUM $t3_IBD
|
|
|
|
--echo # Run innochecksum on t6
|
|
--error 1
|
|
--exec $INNOCHECKSUM $t6_IBD
|
|
|
|
--enable_result_log
|
|
|
|
--echo # Restore the original tables
|
|
--move_file $MYSQLD_DATADIR/test/t1.ibd.backup $MYSQLD_DATADIR/test/t1.ibd
|
|
--move_file $MYSQLD_DATADIR/test/t2.ibd.backup $MYSQLD_DATADIR/test/t2.ibd
|
|
--move_file $MYSQLD_DATADIR/test/t3.ibd.backup $MYSQLD_DATADIR/test/t3.ibd
|
|
--move_file $MYSQLD_DATADIR/test/t4.ibd.backup $MYSQLD_DATADIR/test/t4.ibd
|
|
--move_file $MYSQLD_DATADIR/test/t5.ibd.backup $MYSQLD_DATADIR/test/t5.ibd
|
|
--move_file $MYSQLD_DATADIR/test/t6.ibd.backup $MYSQLD_DATADIR/test/t6.ibd
|
|
|
|
--source include/start_mysqld.inc
|
|
DROP TABLE t1, t2, t3, t4, t5, t6;
|