codership/mariadb-wsrep#27 Galera cache encryption

* Created interface class for encryption support
* Implemented function for setting enc key to provider, callback function for encryption/decryption

include/wsrep/encryption_service.hpp

@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2019 Codership Oy <info@codership.com>
+ *
+ * This file is part of wsrep-lib.
+ *
+ * Wsrep-lib is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * Wsrep-lib is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with wsrep-lib.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#ifndef WSREP_ENCRYPTION_SERVICE_HPP
+#define WSREP_ENCRYPTION_SERVICE_HPP
+
+#include "buffer.hpp"
+
+namespace wsrep
+{
+    /**
+     * Encryption service.
+     */
+    class encryption_service
+    {
+    public:
+
+        virtual ~encryption_service() { }
+
+        /**
+         * Encryption/decryption callback. Can be NULL for no encryption.
+         *
+         * @param ctx       Encryption context
+         * @param key       Key used in encryption/decryption
+         * @param iv        IV vector
+         * @param input     Input data buffer
+         * @param output    An output buffer, must be at least the size of the input
+         *                  data plus unwritten bytes from the previous call(s).
+         * @param encrypt   Flag used to either encrypt or decrypt data
+         * @param last      true if this is the last buffer to encrypt/decrypt
+         *
+         * @return          Number of bytes written to output or a negative error code.
+         */
+        virtual int do_crypt(void**                ctx,
+                             wsrep::const_buffer&  key,
+                             const char            (*iv)[32],
+                             wsrep::const_buffer&  input,
+                             void*                 output,
+                             bool                  encrypt,
+                             bool                  last) = 0;
+
+        /**
+         * Is encryption enabled on server.
+         * 
+         * @return True if encryption is enabled. False otherwise
+         */
+        virtual bool encryption_enabled() = 0;
+    };
+}
+
+#endif // WSREP_ENCRYPTION_SERVICE_HPP

include/wsrep/provider.hpp

@@ -341,7 +341,7 @@ namespace wsrep
         virtual wsrep::gtid last_committed_gtid() const = 0;
         virtual int sst_sent(const wsrep::gtid&, int) = 0;
         virtual int sst_received(const wsrep::gtid&, int) = 0;
-
+        virtual int enc_set_key(const wsrep::const_buffer& key) = 0;
         virtual std::vector<status_variable> status() const = 0;
         virtual void reset_status() = 0;
 

include/wsrep/server_state.hpp

@@ -104,6 +104,7 @@ namespace wsrep
     class const_buffer;
     class server_service;
     class client_service;
+    class encryption_service;
 
     /** @class Server Context
      *
@@ -180,8 +181,11 @@ namespace wsrep
 
         virtual ~server_state();
 
+        wsrep::encryption_service* encryption_service()
+        { return encryption_service_; }
 
         wsrep::server_service& server_service() { return server_service_; }
+
         /**
          * Return human readable server name.
          *
@@ -369,6 +373,21 @@ namespace wsrep
         enum wsrep::provider::status
         wait_for_gtid(const wsrep::gtid&, int timeout) const;
 
+        /**
+         * Set encryption key
+         * 
+         * @param key Encryption key
+         * 
+         * @return Zero on success, non-zero on failure.
+         */
+        int set_encryption_key(std::vector<unsigned char>& key);
+
+         /**
+         * Return encryption key.
+         */
+        const std::vector<unsigned char>& get_encryption_key() const
+        { return encryption_key_; }
+
         /**
          * Perform a causal read in the cluster. After the call returns,
          * all the causally preceding write sets have been committed
@@ -553,6 +572,7 @@ namespace wsrep
         server_state(wsrep::mutex& mutex,
                      wsrep::condition_variable& cond,
                      wsrep::server_service& server_service,
+                     wsrep::encryption_service* encryption_service,
                      const std::string& name,
                      const std::string& incoming_address,
                      const std::string& address,
@@ -563,6 +583,7 @@ namespace wsrep
             : mutex_(mutex)
             , cond_(cond)
             , server_service_(server_service)
+            , encryption_service_(encryption_service)
             , state_(s_disconnected)
             , state_hist_()
             , state_waiters_(n_states_)
@@ -584,6 +605,7 @@ namespace wsrep
             , incoming_address_(incoming_address)
             , address_(address)
             , working_dir_(working_dir)
+            , encryption_key_()
             , max_protocol_version_(max_protocol_version)
             , rollback_mode_(rollback_mode)
             , connected_gtid_()
@@ -631,6 +653,7 @@ namespace wsrep
         wsrep::mutex& mutex_;
         wsrep::condition_variable& cond_;
         wsrep::server_service& server_service_;
+        wsrep::encryption_service* encryption_service_;
         enum state state_;
         std::vector<enum state> state_hist_;
         mutable std::vector<int> state_waiters_;
@@ -672,6 +695,7 @@ namespace wsrep
         std::string incoming_address_;
         std::string address_;
         std::string working_dir_;
+        std::vector<unsigned char> encryption_key_;
         int max_protocol_version_;
         enum rollback_mode rollback_mode_;
         wsrep::gtid connected_gtid_;