codership/mariadb-wsrep#27 Galera cache encryption

* Created interface class for encryption support * Implemented function for setting enc key to provider, callback function for encryption/decryption
2025-07-30 07:23:07 +03:00 · 2018-11-10 11:07:52 +01:00
parent e7f2dfdf93
commit e7d72ae7f6
9 changed files with 178 additions and 17 deletions
--- a/src/server_state.cpp
+++ b/src/server_state.cpp
@ -337,12 +337,12 @@ static int apply_toi(wsrep::provider& provider,
 int wsrep::server_state::load_provider(const std::string& provider_spec,
                                       const std::string& provider_options)
 {
-    wsrep::log_info() << "Loading provider "
-                      << provider_spec
-                      << "initial position: "
-                      << initial_position_;
-    provider_ = wsrep::provider::make_provider(
-        *this, provider_spec, provider_options);
+    wsrep::log_info() << "Loading provider " << provider_spec
+                      << "initial position: " << initial_position_;
+
+    provider_ = wsrep::provider::make_provider(*this,
+                                               provider_spec,
+                                               provider_options);
    return (provider_ ? 0 : 1);
 }

@ -630,6 +630,18 @@ wsrep::server_state::wait_for_gtid(const wsrep::gtid& gtid, int timeout)
    return provider().wait_for_gtid(gtid, timeout);
 }

+int 
+wsrep::server_state::set_encryption_key(std::vector<unsigned char>& key)
+{
+    encryption_key_ = key;
+    if (state_ != s_disconnected)
+    {
+        return provider_->enc_set_key(wsrep::const_buffer(encryption_key_.data(),
+                                                          encryption_key_.size()));
+    }
+    return 0;
+}
+
 std::pair<wsrep::gtid, enum wsrep::provider::status>
 wsrep::server_state::causal_read(int timeout) const
 {
--- a/src/wsrep_provider_v26.cpp
+++ b/src/wsrep_provider_v26.cpp
@ -19,6 +19,7 @@

 #include "wsrep_provider_v26.hpp"

+#include "wsrep/encryption_service.hpp"
 #include "wsrep/server_state.hpp"
 #include "wsrep/high_priority_service.hpp"
 #include "wsrep/view.hpp"
@ -421,14 +422,42 @@ namespace
        }
    }

-    int encrypt_cb(void*                 /* app ctx */,
-                                 wsrep_enc_ctx_t*      /*ctx*/,
-                                 const wsrep_buf_t*    /*input*/,
-                                 void*                 /*output*/,
-                                 wsrep_enc_direction_t /*direction*/,
-                                 bool                  /*final*/)
+    int encrypt_cb(void*                 app_ctx,
+                   wsrep_enc_ctx_t*      enc_ctx,
+                   const wsrep_buf_t*    input,
+                   void*                 output,
+                   wsrep_enc_direction_t direction,
+                   bool                  last)
    {
-        return 0;
+        assert(app_ctx);
+        wsrep::server_state& server_state(
+            *static_cast<wsrep::server_state*>(app_ctx));
+
+        assert(server_state.encryption_service());
+        if (server_state.encryption_service() == 0)
+        {
+            wsrep::log_error() << "Encryption service not defined in encrypt_cb()";
+            return -1;
+        }
+
+        wsrep::const_buffer key(enc_ctx->key->ptr, enc_ctx->key->len);
+        wsrep::const_buffer in(input->ptr, input->len);
+        try
+        {   
+            return server_state.encryption_service()->do_crypt(&enc_ctx->ctx,
+                                                              key,
+                                                              enc_ctx->iv,
+                                                              in,
+                                                              output,
+                                                              direction == WSREP_ENC,
+                                                              last);
+        }
+        catch (const wsrep::runtime_error& e)
+        {
+            free(enc_ctx->ctx);
+            // Return negative value in case of callback error
+            return -1;
+        }
    }

    wsrep_cb_status_t apply_cb(void* ctx,
@ -549,6 +578,8 @@ wsrep::wsrep_provider_v26::wsrep_provider_v26(
    , wsrep_()
 {
    wsrep_gtid_t state_id;
+    bool encryption_enabled = server_state.encryption_service() &&
+                              server_state.encryption_service()->encryption_enabled();
    std::memcpy(state_id.uuid.data,
                server_state.initial_position().id().data(),
                sizeof(state_id.uuid.data));
@ -568,7 +599,7 @@ wsrep::wsrep_provider_v26::wsrep_provider_v26(
    init_args.connected_cb = &connected_cb;
    init_args.view_cb = &view_cb;
    init_args.sst_request_cb = &sst_request_cb;
-    init_args.encrypt_cb = &encrypt_cb;
+    init_args.encrypt_cb = encryption_enabled ? encrypt_cb : NULL;
    init_args.apply_cb = &apply_cb;
    init_args.unordered_cb = 0;
    init_args.sst_donate_cb = &sst_donate_cb;
@ -582,6 +613,19 @@ wsrep::wsrep_provider_v26::wsrep_provider_v26(
    {
        throw wsrep::runtime_error("Failed to initialize wsrep provider");
    }
+
+    if (encryption_enabled)
+    {
+        const std::vector<unsigned char>& key = server_state.get_encryption_key();
+        if (key.size())
+        {
+            wsrep::const_buffer const_key(key.data(), key.size());
+            if(enc_set_key(const_key))
+            {
+                throw wsrep::runtime_error("Failed to set encryption key");
+            }
+        }
+    }
 }

 wsrep::wsrep_provider_v26::~wsrep_provider_v26()
@ -856,6 +900,16 @@ int wsrep::wsrep_provider_v26::sst_received(const wsrep::gtid& gtid, int err)
    return 0;
 }

+int wsrep::wsrep_provider_v26::enc_set_key(const wsrep::const_buffer& key)
+{
+    wsrep_enc_key_t enc_key = {key.data(), key.size()};
+    if (wsrep_->enc_set_key(wsrep_, &enc_key) != WSREP_OK)
+    {
+        return 1;
+    }
+    return 0;
+}
+
 std::vector<wsrep::provider::status_variable>
 wsrep::wsrep_provider_v26::status() const
 {
--- a/src/wsrep_provider_v26.hpp
+++ b/src/wsrep_provider_v26.hpp
@ -78,7 +78,7 @@ namespace wsrep
        wsrep::gtid last_committed_gtid() const;
        int sst_sent(const wsrep::gtid&,int);
        int sst_received(const wsrep::gtid& gtid, int);
-
+        int enc_set_key(const wsrep::const_buffer& key);
        std::vector<status_variable> status() const;
        void reset_status();
        std::string options() const;