Identical key derivation code in XtraDB/InnoDB/Aria

* Extract it into the "encryption_scheme" service.
* Make these engines to use the service, remove duplicate code.
* Change MY_AES_xxx error codes, to return them safely
  from encryption_scheme_encrypt/decrypt without conflicting
  with ENCRYPTION_SCHEME_KEY_INVALID error

include/my_crypt.h

@@ -25,10 +25,10 @@ extern "C" {
 #endif
 
 /* return values from my_aes_encrypt/my_aes_decrypt functions */
-#define MY_AES_OK 0
-#define MY_AES_BAD_DATA  -1
-#define MY_AES_OPENSSL_ERROR -2
-#define MY_AES_BAD_KEYSIZE -3
+#define MY_AES_OK               0
+#define MY_AES_BAD_DATA         -100
+#define MY_AES_OPENSSL_ERROR    -101
+#define MY_AES_BAD_KEYSIZE      -102
 
 /* The block size for all supported algorithms */
 #define MY_AES_BLOCK_SIZE 16

include/mysql/plugin.h

@@ -75,7 +75,7 @@ typedef struct st_mysql_xid MYSQL_XID;
 #define MYSQL_PLUGIN_INTERFACE_VERSION 0x0104
 
 /* MariaDB plugin interface version */
-#define MARIA_PLUGIN_INTERFACE_VERSION 0x010a
+#define MARIA_PLUGIN_INTERFACE_VERSION 0x010b
 
 /*
   The allowable types of plugins

include/mysql/plugin_audit.h.pp

@@ -213,6 +213,43 @@ struct encryption_service_st {
   encrypt_decrypt_func encryption_decrypt_func;
 };
 extern struct encryption_service_st encryption_handler;
+#include <mysql/service_encryption_scheme.h>
+struct st_encryption_scheme_key {
+  unsigned int version;
+  unsigned char key[16];
+};
+struct st_encryption_scheme {
+  unsigned char iv[16];
+  struct st_encryption_scheme_key key[3];
+  unsigned int keyserver_requests;
+  unsigned int key_id;
+  unsigned int type;
+  void (*locker)(struct st_encryption_scheme *self, int release);
+};
+extern struct encryption_scheme_service_st {
+  int (*encryption_scheme_encrypt_func)
+                               (const unsigned char* src, unsigned int slen,
+                                unsigned char* dst, unsigned int* dlen,
+                                struct st_encryption_scheme *scheme,
+                                unsigned int key_version, unsigned int i32_1,
+                                unsigned int i32_2, unsigned long long i64);
+  int (*encryption_scheme_decrypt_func)
+                               (const unsigned char* src, unsigned int slen,
+                                unsigned char* dst, unsigned int* dlen,
+                                struct st_encryption_scheme *scheme,
+                                unsigned int key_version, unsigned int i32_1,
+                                unsigned int i32_2, unsigned long long i64);
+} *encryption_scheme_service;
+int encryption_scheme_encrypt(const unsigned char* src, unsigned int slen,
+                              unsigned char* dst, unsigned int* dlen,
+                              struct st_encryption_scheme *scheme,
+                              unsigned int key_version, unsigned int i32_1,
+                              unsigned int i32_2, unsigned long long i64);
+int encryption_scheme_decrypt(const unsigned char* src, unsigned int slen,
+                              unsigned char* dst, unsigned int* dlen,
+                              struct st_encryption_scheme *scheme,
+                              unsigned int key_version, unsigned int i32_1,
+                              unsigned int i32_2, unsigned long long i64);
 struct st_mysql_xid {
   long formatID;
   long gtrid_length;

include/mysql/plugin_auth.h.pp

@@ -213,6 +213,43 @@ struct encryption_service_st {
   encrypt_decrypt_func encryption_decrypt_func;
 };
 extern struct encryption_service_st encryption_handler;
+#include <mysql/service_encryption_scheme.h>
+struct st_encryption_scheme_key {
+  unsigned int version;
+  unsigned char key[16];
+};
+struct st_encryption_scheme {
+  unsigned char iv[16];
+  struct st_encryption_scheme_key key[3];
+  unsigned int keyserver_requests;
+  unsigned int key_id;
+  unsigned int type;
+  void (*locker)(struct st_encryption_scheme *self, int release);
+};
+extern struct encryption_scheme_service_st {
+  int (*encryption_scheme_encrypt_func)
+                               (const unsigned char* src, unsigned int slen,
+                                unsigned char* dst, unsigned int* dlen,
+                                struct st_encryption_scheme *scheme,
+                                unsigned int key_version, unsigned int i32_1,
+                                unsigned int i32_2, unsigned long long i64);
+  int (*encryption_scheme_decrypt_func)
+                               (const unsigned char* src, unsigned int slen,
+                                unsigned char* dst, unsigned int* dlen,
+                                struct st_encryption_scheme *scheme,
+                                unsigned int key_version, unsigned int i32_1,
+                                unsigned int i32_2, unsigned long long i64);
+} *encryption_scheme_service;
+int encryption_scheme_encrypt(const unsigned char* src, unsigned int slen,
+                              unsigned char* dst, unsigned int* dlen,
+                              struct st_encryption_scheme *scheme,
+                              unsigned int key_version, unsigned int i32_1,
+                              unsigned int i32_2, unsigned long long i64);
+int encryption_scheme_decrypt(const unsigned char* src, unsigned int slen,
+                              unsigned char* dst, unsigned int* dlen,
+                              struct st_encryption_scheme *scheme,
+                              unsigned int key_version, unsigned int i32_1,
+                              unsigned int i32_2, unsigned long long i64);
 struct st_mysql_xid {
   long formatID;
   long gtrid_length;

include/mysql/plugin_encryption.h.pp

@@ -213,6 +213,43 @@ struct encryption_service_st {
   encrypt_decrypt_func encryption_decrypt_func;
 };
 extern struct encryption_service_st encryption_handler;
+#include <mysql/service_encryption_scheme.h>
+struct st_encryption_scheme_key {
+  unsigned int version;
+  unsigned char key[16];
+};
+struct st_encryption_scheme {
+  unsigned char iv[16];
+  struct st_encryption_scheme_key key[3];
+  unsigned int keyserver_requests;
+  unsigned int key_id;
+  unsigned int type;
+  void (*locker)(struct st_encryption_scheme *self, int release);
+};
+extern struct encryption_scheme_service_st {
+  int (*encryption_scheme_encrypt_func)
+                               (const unsigned char* src, unsigned int slen,
+                                unsigned char* dst, unsigned int* dlen,
+                                struct st_encryption_scheme *scheme,
+                                unsigned int key_version, unsigned int i32_1,
+                                unsigned int i32_2, unsigned long long i64);
+  int (*encryption_scheme_decrypt_func)
+                               (const unsigned char* src, unsigned int slen,
+                                unsigned char* dst, unsigned int* dlen,
+                                struct st_encryption_scheme *scheme,
+                                unsigned int key_version, unsigned int i32_1,
+                                unsigned int i32_2, unsigned long long i64);
+} *encryption_scheme_service;
+int encryption_scheme_encrypt(const unsigned char* src, unsigned int slen,
+                              unsigned char* dst, unsigned int* dlen,
+                              struct st_encryption_scheme *scheme,
+                              unsigned int key_version, unsigned int i32_1,
+                              unsigned int i32_2, unsigned long long i64);
+int encryption_scheme_decrypt(const unsigned char* src, unsigned int slen,
+                              unsigned char* dst, unsigned int* dlen,
+                              struct st_encryption_scheme *scheme,
+                              unsigned int key_version, unsigned int i32_1,
+                              unsigned int i32_2, unsigned long long i64);
 struct st_mysql_xid {
   long formatID;
   long gtrid_length;

include/mysql/plugin_ftparser.h.pp

@@ -213,6 +213,43 @@ struct encryption_service_st {
   encrypt_decrypt_func encryption_decrypt_func;
 };
 extern struct encryption_service_st encryption_handler;
+#include <mysql/service_encryption_scheme.h>
+struct st_encryption_scheme_key {
+  unsigned int version;
+  unsigned char key[16];
+};
+struct st_encryption_scheme {
+  unsigned char iv[16];
+  struct st_encryption_scheme_key key[3];
+  unsigned int keyserver_requests;
+  unsigned int key_id;
+  unsigned int type;
+  void (*locker)(struct st_encryption_scheme *self, int release);
+};
+extern struct encryption_scheme_service_st {
+  int (*encryption_scheme_encrypt_func)
+                               (const unsigned char* src, unsigned int slen,
+                                unsigned char* dst, unsigned int* dlen,
+                                struct st_encryption_scheme *scheme,
+                                unsigned int key_version, unsigned int i32_1,
+                                unsigned int i32_2, unsigned long long i64);
+  int (*encryption_scheme_decrypt_func)
+                               (const unsigned char* src, unsigned int slen,
+                                unsigned char* dst, unsigned int* dlen,
+                                struct st_encryption_scheme *scheme,
+                                unsigned int key_version, unsigned int i32_1,
+                                unsigned int i32_2, unsigned long long i64);
+} *encryption_scheme_service;
+int encryption_scheme_encrypt(const unsigned char* src, unsigned int slen,
+                              unsigned char* dst, unsigned int* dlen,
+                              struct st_encryption_scheme *scheme,
+                              unsigned int key_version, unsigned int i32_1,
+                              unsigned int i32_2, unsigned long long i64);
+int encryption_scheme_decrypt(const unsigned char* src, unsigned int slen,
+                              unsigned char* dst, unsigned int* dlen,
+                              struct st_encryption_scheme *scheme,
+                              unsigned int key_version, unsigned int i32_1,
+                              unsigned int i32_2, unsigned long long i64);
 struct st_mysql_xid {
   long formatID;
   long gtrid_length;

include/mysql/plugin_password_validation.h.pp

@@ -213,6 +213,43 @@ struct encryption_service_st {
   encrypt_decrypt_func encryption_decrypt_func;
 };
 extern struct encryption_service_st encryption_handler;
+#include <mysql/service_encryption_scheme.h>
+struct st_encryption_scheme_key {
+  unsigned int version;
+  unsigned char key[16];
+};
+struct st_encryption_scheme {
+  unsigned char iv[16];
+  struct st_encryption_scheme_key key[3];
+  unsigned int keyserver_requests;
+  unsigned int key_id;
+  unsigned int type;
+  void (*locker)(struct st_encryption_scheme *self, int release);
+};
+extern struct encryption_scheme_service_st {
+  int (*encryption_scheme_encrypt_func)
+                               (const unsigned char* src, unsigned int slen,
+                                unsigned char* dst, unsigned int* dlen,
+                                struct st_encryption_scheme *scheme,
+                                unsigned int key_version, unsigned int i32_1,
+                                unsigned int i32_2, unsigned long long i64);
+  int (*encryption_scheme_decrypt_func)
+                               (const unsigned char* src, unsigned int slen,
+                                unsigned char* dst, unsigned int* dlen,
+                                struct st_encryption_scheme *scheme,
+                                unsigned int key_version, unsigned int i32_1,
+                                unsigned int i32_2, unsigned long long i64);
+} *encryption_scheme_service;
+int encryption_scheme_encrypt(const unsigned char* src, unsigned int slen,
+                              unsigned char* dst, unsigned int* dlen,
+                              struct st_encryption_scheme *scheme,
+                              unsigned int key_version, unsigned int i32_1,
+                              unsigned int i32_2, unsigned long long i64);
+int encryption_scheme_decrypt(const unsigned char* src, unsigned int slen,
+                              unsigned char* dst, unsigned int* dlen,
+                              struct st_encryption_scheme *scheme,
+                              unsigned int key_version, unsigned int i32_1,
+                              unsigned int i32_2, unsigned long long i64);
 struct st_mysql_xid {
   long formatID;
   long gtrid_length;

include/mysql/service_encryption_scheme.h

+#ifndef MYSQL_SERVICE_ENCRYPTION_SCHEME_INCLUDED
+/* Copyright (c) 2015, MariaDB
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 of the License.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA */
+
+/**
+  @file
+  encryption scheme service
+
+  A higher-level access to encryption service.
+
+  This is a helper service that storage engines use to encrypt tables on disk.
+  It requests keys from the plugin, generates temporary or local keys
+  from the global (as returned by the plugin) keys, etc.
+
+  To use the service:
+
+  * st_encryption_scheme object is created per space. A "space" can be
+    a table space in XtraDB/InnoDB, a file in Aria, etc.  The whole
+    space is encrypted with the one key id.
+
+  * The service does not take the key and the IV as parameters for
+    encryption or decryption. Instead it takes two 32-bit integers and
+    one 64-bit integer (and requests the key from an encryption
+    plugin, if needed).
+
+  * The service requests the global key from the encryption plugin
+    automatically as needed. Three last keys are cached in the
+    st_encryption_scheme. Number of key requests (number of cache
+    misses) are counted in st_encryption_scheme::keyserver_requests
+
+  * If an st_encryption_scheme can be used concurrently by different
+    threads, it needs to be able to lock itself when accessing the key
+    cache.  Set the st_encryption_scheme::locker appropriately. If
+    non-zero, it will be invoked by encrypt/decrypt functions to lock
+    and unlock the scheme when needed.
+
+  * Implementation details (in particular, key derivation) are defined
+    by the scheme type. Currently only schema type 1 is supported.
+
+  In the schema type 1, every "space" (table space in XtraDB/InnoDB,
+  file in Aria) is encrypted with a different space-local key:
+
+  * Every space has a 16-byte unique identifier (typically it's
+    generated randomly and stored in the space). The caller should
+    put it into st_encryption_scheme::iv.
+
+  * Space-local key is generated by encrypting this identifier with
+    the global encryption key (of the given id and version) using AES_ECB.
+
+  * Encryption/decryption parameters for a page are typically the
+    4-byte space id, 4-byte page position (offset, page number, etc),
+    and the 8-byte LSN. This guarantees that they'll be different for
+    any two pages (of the same or different tablespaces) and also that
+    they'll change for the same page when it's modified. They don't need
+    to be secret (they create the IV, not the encryption key).
+*/
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define ENCRYPTION_SCHEME_KEY_INVALID    -1
+#define ENCRYPTION_SCHEME_BLOCK_LENGTH   16
+
+struct st_encryption_scheme_key {
+  unsigned int version;
+  unsigned char key[ENCRYPTION_SCHEME_BLOCK_LENGTH];
+};
+
+struct st_encryption_scheme {
+  unsigned char iv[ENCRYPTION_SCHEME_BLOCK_LENGTH];
+  struct st_encryption_scheme_key key[3];
+  unsigned int keyserver_requests;
+  unsigned int key_id;
+  unsigned int type;
+
+  void (*locker)(struct st_encryption_scheme *self, int release);
+};
+
+extern struct encryption_scheme_service_st {
+  int (*encryption_scheme_encrypt_func)
+                               (const unsigned char* src, unsigned int slen,
+                                unsigned char* dst, unsigned int* dlen,
+                                struct st_encryption_scheme *scheme,
+                                unsigned int key_version, unsigned int i32_1,
+                                unsigned int i32_2, unsigned long long i64);
+  int (*encryption_scheme_decrypt_func)
+                               (const unsigned char* src, unsigned int slen,
+                                unsigned char* dst, unsigned int* dlen,
+                                struct st_encryption_scheme *scheme,
+                                unsigned int key_version, unsigned int i32_1,
+                                unsigned int i32_2, unsigned long long i64);
+} *encryption_scheme_service;
+
+#ifdef MYSQL_DYNAMIC_PLUGIN
+
+#define encryption_scheme_encrypt(S,SL,D,DL,SCH,KV,I32,J32,I64) encryption_scheme_service->encryption_scheme_encrypt_func(S,SL,D,DL,SCH,KV,I32,J32,I64)
+#define encryption_scheme_decrypt(S,SL,D,DL,SCH,KV,I32,J32,I64) encryption_scheme_service->encryption_scheme_decrypt_func(S,SL,D,DL,SCH,KV,I32,J32,I64)
+
+#else
+
+int encryption_scheme_encrypt(const unsigned char* src, unsigned int slen,
+                              unsigned char* dst, unsigned int* dlen,
+                              struct st_encryption_scheme *scheme,
+                              unsigned int key_version, unsigned int i32_1,
+                              unsigned int i32_2, unsigned long long i64);
+int encryption_scheme_decrypt(const unsigned char* src, unsigned int slen,
+                              unsigned char* dst, unsigned int* dlen,
+                              struct st_encryption_scheme *scheme,
+                              unsigned int key_version, unsigned int i32_1,
+                              unsigned int i32_2, unsigned long long i64);
+
+#endif
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#define MYSQL_SERVICE_ENCRYPTION_SCHEME_INCLUDED
+#endif

include/mysql/services.h

@@ -33,6 +33,7 @@ extern "C" {
 #include <mysql/service_thd_error_context.h>
 #include <mysql/service_thd_specifics.h>
 #include <mysql/service_encryption.h>
+#include <mysql/service_encryption_scheme.h>
 /*#include <mysql/service_wsrep.h>*/
 
 #ifdef __cplusplus

include/service_versions.h

@@ -36,4 +36,5 @@
 #define VERSION_thd_error_context       0x0100
 #define VERSION_thd_specifics           0x0100
 #define VERSION_encryption              0x0200
+#define VERSION_encryption_scheme       0x0100
 

libservices/CMakeLists.txt

@@ -29,6 +29,7 @@ SET(MYSQLSERVICES_SOURCES
   my_md5_service.c
   wsrep_service.c
   encryption_service.c
+  encryption_scheme_service.c
   kill_statement_service.c
   logger_service.c)
 

libservices/encryption_scheme_service.c

+/* Copyright (c) 2015 MariaDB
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 of the License.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA */
+
+#include <service_versions.h>
+SERVICE_VERSION encryption_scheme_service= (void*)VERSION_encryption_scheme;

mysql-test/r/handlersocket.result

@@ -5,7 +5,7 @@ plugin_version	1.0
 plugin_status	ACTIVE
 plugin_type	DAEMON
 plugin_library	handlersocket.so
-plugin_library_version	1.10
+plugin_library_version	1.11
 plugin_author	higuchi dot akira at dena dot jp
 plugin_description	Direct access into InnoDB
 plugin_license	BSD

mysql-test/r/plugin.result

@@ -15,7 +15,7 @@ PLUGIN_STATUS	ACTIVE
 PLUGIN_TYPE	STORAGE ENGINE
 PLUGIN_TYPE_VERSION	#
 PLUGIN_LIBRARY	ha_example.so
-PLUGIN_LIBRARY_VERSION	1.10
+PLUGIN_LIBRARY_VERSION	1.11
 PLUGIN_AUTHOR	Brian Aker, MySQL AB
 PLUGIN_DESCRIPTION	Example storage engine
 PLUGIN_LICENSE	GPL
@@ -28,7 +28,7 @@ PLUGIN_STATUS	ACTIVE
 PLUGIN_TYPE	DAEMON
 PLUGIN_TYPE_VERSION	#
 PLUGIN_LIBRARY	ha_example.so
-PLUGIN_LIBRARY_VERSION	1.10
+PLUGIN_LIBRARY_VERSION	1.11
 PLUGIN_AUTHOR	Sergei Golubchik
 PLUGIN_DESCRIPTION	Unusable Daemon
 PLUGIN_LICENSE	GPL
@@ -67,7 +67,7 @@ PLUGIN_STATUS	DELETED
 PLUGIN_TYPE	STORAGE ENGINE
 PLUGIN_TYPE_VERSION	#
 PLUGIN_LIBRARY	ha_example.so
-PLUGIN_LIBRARY_VERSION	1.10
+PLUGIN_LIBRARY_VERSION	1.11
 PLUGIN_AUTHOR	Brian Aker, MySQL AB
 PLUGIN_DESCRIPTION	Example storage engine
 PLUGIN_LICENSE	GPL

mysql-test/suite/plugins/r/show_all_plugins.result

@@ -4,8 +4,8 @@ Variable_name	Value
 Opened_plugin_libraries	0
 select * from information_schema.all_plugins where plugin_library='ha_example.so';
 PLUGIN_NAME	PLUGIN_VERSION	PLUGIN_STATUS	PLUGIN_TYPE	PLUGIN_TYPE_VERSION	PLUGIN_LIBRARY	PLUGIN_LIBRARY_VERSION	PLUGIN_AUTHOR	PLUGIN_DESCRIPTION	PLUGIN_LICENSE	LOAD_OPTION	PLUGIN_MATURITY	PLUGIN_AUTH_VERSION
-EXAMPLE	0.1	NOT INSTALLED	STORAGE ENGINE	MYSQL_VERSION_ID	ha_example.so	1.10	Brian Aker, MySQL AB	Example storage engine	GPL	OFF	Experimental	0.1
-UNUSABLE	3.14	NOT INSTALLED	DAEMON	MYSQL_VERSION_ID	ha_example.so	1.10	Sergei Golubchik	Unusable Daemon	GPL	OFF	Experimental	3.14.15.926
+EXAMPLE	0.1	NOT INSTALLED	STORAGE ENGINE	MYSQL_VERSION_ID	ha_example.so	1.11	Brian Aker, MySQL AB	Example storage engine	GPL	OFF	Experimental	0.1
+UNUSABLE	3.14	NOT INSTALLED	DAEMON	MYSQL_VERSION_ID	ha_example.so	1.11	Sergei Golubchik	Unusable Daemon	GPL	OFF	Experimental	3.14.15.926
 show status like '%libraries%';
 Variable_name	Value
 Opened_plugin_libraries	1

mysql-test/suite/plugins/r/simple_password_check.result

@@ -6,7 +6,7 @@ PLUGIN_STATUS	ACTIVE
 PLUGIN_TYPE	PASSWORD VALIDATION
 PLUGIN_TYPE_VERSION	1.0
 PLUGIN_LIBRARY	simple_password_check.so
-PLUGIN_LIBRARY_VERSION	1.10
+PLUGIN_LIBRARY_VERSION	1.11
 PLUGIN_AUTHOR	Sergei Golubchik
 PLUGIN_DESCRIPTION	Simple password strength checks
 PLUGIN_LICENSE	GPL

sql/encryption.cc

@@ -103,3 +103,110 @@ int finalize_encryption_plugin(st_plugin_int *plugin)
   return 0;
 }
 
+/******************************************************************
+  Encryption Scheme service
+******************************************************************/
+static uint scheme_get_key(st_encryption_scheme *scheme,
+                           st_encryption_scheme_key *key)
+{
+  if (scheme->locker)
+    scheme->locker(scheme, 0);
+
+  // Check if we already have key
+  for (uint i = 0; i < array_elements(scheme->key); i++)
+  {
+    if (scheme->key[i].version == 0) // no more keys
+      break;
+
+    if (scheme->key[i].version == key->version)
+    {
+      *key= scheme->key[i];
+      if (scheme->locker)
+        scheme->locker(scheme, 1);
+      return 0;
+    }
+  }
+
+  // Not found!
+  scheme->keyserver_requests++;
+
+  uchar global_key[MY_AES_MAX_KEY_LENGTH];
+  uint  global_key_len= sizeof(global_key), key_len;
+
+  uint rc = encryption_key_get(scheme->key_id, key->version,
+                              global_key, & global_key_len);
+  if (rc)
+    goto ret;
+
+  /* Now generate the local key by encrypting IV using the global key */
+  rc = my_aes_encrypt_ecb(scheme->iv, sizeof(scheme->iv), key->key, &key_len,
+                          global_key, global_key_len, NULL, 0, 1);
+
+  DBUG_ASSERT(key_len == sizeof(key->key));
+
+  if (rc)
+    goto ret;
+
+  // Rotate keys to make room for a new
+  for (uint i = array_elements(scheme->key) - 1; i; i--)
+    scheme->key[i] = scheme->key[i - 1];
+
+  scheme->key[0]= *key;
+
+ret:
+  if (scheme->locker)
+    scheme->locker(scheme, 1);
+  return rc;
+}
+
+int do_crypt(const unsigned char* src, unsigned int slen,
+             unsigned char* dst, unsigned int* dlen,
+             struct st_encryption_scheme *scheme,
+             unsigned int key_version, unsigned int i32_1,
+             unsigned int i32_2, unsigned long long i64,
+             encrypt_decrypt_func crypt)
+{
+  compile_time_assert(ENCRYPTION_SCHEME_KEY_INVALID ==
+                      (int)ENCRYPTION_KEY_VERSION_INVALID);
+
+  DBUG_ASSERT(scheme->type == 1);
+
+  if (key_version == ENCRYPTION_KEY_VERSION_INVALID ||
+      key_version == ENCRYPTION_KEY_NOT_ENCRYPTED)
+    return ENCRYPTION_SCHEME_KEY_INVALID;
+
+  st_encryption_scheme_key key;
+  key.version= key_version;
+  uint rc= scheme_get_key(scheme, &key);
+  if (rc)
+    return (int)rc;
+
+  unsigned char iv[4 + 4 + 8];
+  int4store(iv + 0, i32_1);
+  int4store(iv + 4, i32_2);
+  int8store(iv + 8, i64);
+
+  return crypt(src, slen, dst, dlen, key.key, sizeof(key.key),
+               iv, sizeof(iv), 1, scheme->key_id, key_version);
+}
+
+int encryption_scheme_encrypt(const unsigned char* src, unsigned int slen,
+                              unsigned char* dst, unsigned int* dlen,
+                              struct st_encryption_scheme *scheme,
+                              unsigned int key_version, unsigned int i32_1,
+                              unsigned int i32_2, unsigned long long i64)
+{
+  return do_crypt(src, slen, dst, dlen, scheme, key_version, i32_1,
+                  i32_2, i64, encryption_handler.encryption_encrypt_func);
+}
+
+
+int encryption_scheme_decrypt(const unsigned char* src, unsigned int slen,
+                              unsigned char* dst, unsigned int* dlen,
+                              struct st_encryption_scheme *scheme,
+                              unsigned int key_version, unsigned int i32_1,
+                              unsigned int i32_2, unsigned long long i64)
+{
+  return do_crypt(src, slen, dst, dlen, scheme, key_version, i32_1,
+                  i32_2, i64, encryption_handler.encryption_decrypt_func);
+}

sql/sql_plugin_services.h

@@ -147,6 +147,12 @@ static struct thd_specifics_service_st thd_specifics_handler=
   thd_setspecific
 };
 
+static struct encryption_scheme_service_st encryption_scheme_handler=
+{
+ encryption_scheme_encrypt,
+ encryption_scheme_decrypt
+};
+
 static struct st_service_ref list_of_services[]=
 {
   { "my_snprintf_service",         VERSION_my_snprintf,         &my_snprintf_handler },
@@ -162,6 +168,7 @@ static struct st_service_ref list_of_services[]=
   { "thd_autoinc_service",         VERSION_thd_autoinc,         &thd_autoinc_handler },
   { "wsrep_service",               VERSION_wsrep,               &wsrep_handler },
   { "encryption_service",          VERSION_encryption,          &encryption_handler },
+  { "encryption_scheme_service",   VERSION_encryption_scheme,   &encryption_scheme_handler },
   { "thd_specifics_service",       VERSION_thd_specifics,       &thd_specifics_handler },
   { "thd_error_context_service",   VERSION_thd_error_context,   &thd_error_conext_handler },
 };

storage/innobase/fil/fil0crypt.cc

@@ -149,82 +149,6 @@ fil_space_crypt_cleanup()
 	os_event_free(fil_crypt_throttle_sleep_event);
 }
 
-/******************************************************************
-Get key bytes for a space/key-version */
-static
-void
-fil_crypt_get_key(
-/*==============*/
-	byte*		dst,		/*<! out: Key */
-	uint*		key_length,	/*<! out: Key length */
-	fil_space_crypt_t* crypt_data,	/*<! in: crypt data */
-	uint 		version)	/*<! in: Key version */
-{
-        unsigned char keybuf[MY_AES_MAX_KEY_LENGTH];
-
-	mutex_enter(&crypt_data->mutex);
-
-	// Check if we already have key
-	for (uint i = 0; i < crypt_data->key_count; i++) {
-		if (crypt_data->keys[i].key_version == version) {
-			memcpy(dst, crypt_data->keys[i].key,
-			       crypt_data->keys[i].key_length);
-			*key_length = crypt_data->keys[i].key_length;
-			mutex_exit(&crypt_data->mutex);
-			return;
-		}
-	}
-
-	// Not found!
-	crypt_data->keyserver_requests++;
-
-	// Rotate keys to make room for a new
-	for (uint i = 1; i < array_elements(crypt_data->keys); i++) {
-		crypt_data->keys[i] = crypt_data->keys[i - 1];
-	}
-
-	*key_length = sizeof(keybuf);
-	uint rc = encryption_key_get(crypt_data->key_id, version, keybuf, key_length);
-	if (rc) {
-		ib_logf(IB_LOG_LEVEL_FATAL,
-			"Key id %u version %u can not be found. Reason=%u",
-			crypt_data->key_id, version, rc);
-		ut_error;
-	}
-
-	/* Now compute L by encrypting IV using this key. Note
-	that we use random IV from crypt data. */
-	const unsigned char* src = crypt_data->iv;
-	const int srclen = crypt_data->iv_length;
-	unsigned char* buf = crypt_data->keys[0].key;
-	uint32 buflen = CRYPT_SCHEME_1_IV_LEN;
-
-	/* We use AES_ECB to encrypt IV */
-	rc = my_aes_encrypt_ecb(src, srclen, buf, &buflen,
-		keybuf, *key_length, NULL, 0, 1);
-
-	if (rc != MY_AES_OK) {
-		ib_logf(IB_LOG_LEVEL_FATAL,
-			"Unable to encrypt key-block "
-			" src: %p srclen: %d buf: %p buflen: %d."
-			" return-code: %d. Can't continue!\n",
-			src, srclen, buf, buflen, rc);
-		ut_error;
-	}
-
-	crypt_data->keys[0].key_version = version;
-	crypt_data->key_count++;
-	*key_length = buflen;
-	crypt_data->keys[0].key_length = buflen;
-
-	if (crypt_data->key_count > array_elements(crypt_data->keys)) {
-		crypt_data->key_count = array_elements(crypt_data->keys);
-	}
-
-	memcpy(dst, buf, buflen);
-	mutex_exit(&crypt_data->mutex);
-}
-
 /******************************************************************
 Get the latest(key-version), waking the encrypt thread, if needed */
 static inline
@@ -244,27 +168,17 @@ fil_crypt_get_latest_key_version(
 }
 
 /******************************************************************
-Get key bytes for a space/latest(key-version) */
-static inline
-void
-fil_crypt_get_latest_key(
-/*=====================*/
-	byte*		dst,		/*!< out: Key */
-	uint*		key_length,	/*!< out: Key length */
-	fil_space_crypt_t* crypt_data, 	/*!< in: crypt data */
-	uint*		version)	/*!< in: Key version */
+Mutex helper for crypt_data->scheme */
+static void crypt_data_scheme_locker(st_encryption_scheme *scheme, int exit)
 {
-        // used for key rotation - get the next key id from the key provider
-	uint rc = *version = fil_crypt_get_latest_key_version(crypt_data);
+	fil_space_crypt_t* crypt_data =
+		static_cast<fil_space_crypt_t*>(scheme);
 
-	if (rc == ENCRYPTION_KEY_VERSION_INVALID) {
-		ib_logf(IB_LOG_LEVEL_FATAL,
-			"Unknown key id %u. Can't continue!\n",
-                        crypt_data->key_id);
-		ut_error;
+	if (exit) {
+		mutex_exit(&crypt_data->mutex);
+	} else {
+		mutex_enter(&crypt_data->mutex);
 	}
-
-	return fil_crypt_get_key(dst, key_length, crypt_data, *version);
 }
 
 /******************************************************************
@@ -277,8 +191,7 @@ fil_space_create_crypt_data(
 	fil_encryption_t	encrypt_mode,	/*!< in: encryption mode */
 	uint			key_id)		/*!< in: encryption key id */
 {
-	const uint iv_length = CRYPT_SCHEME_1_IV_LEN;
-	const uint sz = sizeof(fil_space_crypt_t) + iv_length;
+	const uint sz = sizeof(fil_space_crypt_t);
 	fil_space_crypt_t* crypt_data =
 		static_cast<fil_space_crypt_t*>(malloc(sz));
 
@@ -290,14 +203,14 @@ fil_space_create_crypt_data(
 		crypt_data->min_key_version = 0;
 	} else {
 		crypt_data->type = CRYPT_SCHEME_1;
-                crypt_data->key_id = key_id;
+		crypt_data->key_id = key_id;
 		crypt_data->min_key_version = encryption_key_get_latest_version(key_id);
 	}
 
 	mutex_create(fil_crypt_data_mutex_key,
 		&crypt_data->mutex, SYNC_NO_ORDER_CHECK);
-	crypt_data->iv_length = iv_length;
-	my_random_bytes(crypt_data->iv, iv_length);
+	crypt_data->locker = crypt_data_scheme_locker;
+	my_random_bytes(crypt_data->iv, sizeof(crypt_data->iv));
 	crypt_data->encryption = FIL_SPACE_ENCRYPTION_DEFAULT;
 	return crypt_data;
 }
@@ -317,12 +230,9 @@ fil_space_crypt_compare(
 	ut_a(crypt_data2->type == CRYPT_SCHEME_UNENCRYPTED ||
 	     crypt_data2->type == CRYPT_SCHEME_1);
 
-	ut_a(crypt_data1->iv_length == CRYPT_SCHEME_1_IV_LEN);
-	ut_a(crypt_data2->iv_length == CRYPT_SCHEME_1_IV_LEN);
-
 	/* no support for changing iv (yet?) */
 	ut_a(memcmp(crypt_data1->iv, crypt_data2->iv,
-		    crypt_data1->iv_length) == 0);
+		    sizeof(crypt_data1->iv)) == 0);
 
 	return 0;
 }
@@ -378,9 +288,10 @@ fil_space_read_crypt_data(
 		ut_error;
 	}
 
+	fil_space_crypt_t* crypt_data;
 	ulint iv_length = mach_read_from_1(page + offset + MAGIC_SZ + 1);
 
-	if (! (iv_length == CRYPT_SCHEME_1_IV_LEN)) {
+	if (! (iv_length == sizeof(crypt_data->iv))) {
 		ib_logf(IB_LOG_LEVEL_ERROR,
 			"Found non sensible iv length: %lu for space %lu "
 			" offset: %lu type: %lu bytes: "
@@ -405,8 +316,7 @@ fil_space_read_crypt_data(
 		page + offset + MAGIC_SZ + 2 + iv_length + 8);
 
 	const uint sz = sizeof(fil_space_crypt_t) + iv_length;
-	fil_space_crypt_t* crypt_data = static_cast<fil_space_crypt_t*>(
-		malloc(sz));
+	crypt_data = static_cast<fil_space_crypt_t*>(malloc(sz));
 	memset(crypt_data, 0, sz);
 
 	crypt_data->type = type;
@@ -416,7 +326,7 @@ fil_space_read_crypt_data(
 	crypt_data->encryption = encryption;
 	mutex_create(fil_crypt_data_mutex_key,
 		     &crypt_data->mutex, SYNC_NO_ORDER_CHECK);
-	crypt_data->iv_length = iv_length;
+	crypt_data->locker = crypt_data_scheme_locker;
 	memcpy(crypt_data->iv, page + offset + MAGIC_SZ + 2, iv_length);
 
 	return crypt_data;
@@ -453,7 +363,7 @@ fil_space_write_crypt_data_low(
 	ut_a(offset > 0 && offset < UNIV_PAGE_SIZE);
 	ulint space_id = mach_read_from_4(
 		page + FIL_PAGE_ARCH_LOG_NO_OR_SPACE_ID);
-	const uint len = crypt_data->iv_length;
+	const uint len = sizeof(crypt_data->iv);
 	const uint min_key_version = crypt_data->min_key_version;
 	const uint key_id = crypt_data->key_id;
 	const fil_encryption_t encryption = crypt_data->encryption;
@@ -662,9 +572,6 @@ fil_space_encrypt(
 	fil_space_crypt_t* crypt_data = NULL;
 	ulint page_size = (zip_size) ? zip_size : UNIV_PAGE_SIZE;
 	uint key_version;
-	unsigned char key[MY_AES_MAX_KEY_LENGTH];
-	uint key_length = MY_AES_MAX_KEY_LENGTH;
-	unsigned char iv[MY_AES_BLOCK_SIZE];
 
 	ulint orig_page_type = mach_read_from_2(src_frame+FIL_PAGE_TYPE);
 
@@ -686,12 +593,14 @@ fil_space_encrypt(
 		return;
 	}
 
-	fil_crypt_get_latest_key(key, &key_length, crypt_data, &key_version);
+	key_version = fil_crypt_get_latest_key_version(crypt_data);
 
-	/* create iv/counter */
-	mach_write_to_4(iv + 0, space);
-	mach_write_to_4(iv + 4, offset);
-	mach_write_to_8(iv + 8, lsn);
+	if (key_version == ENCRYPTION_KEY_VERSION_INVALID) {
+		ib_logf(IB_LOG_LEVEL_FATAL,
+			"Unknown key id %u. Can't continue!\n",
+			crypt_data->key_id);
+		ut_error;
+	}
 
 	ibool page_compressed = (mach_read_from_2(src_frame+FIL_PAGE_TYPE) == FIL_PAGE_PAGE_COMPRESSED);
 
@@ -719,9 +628,9 @@ fil_space_encrypt(
 		dst+=2;
 	}
 
-	int rc = encryption_encrypt(src, srclen, dst, &dstlen,
-	                      key, key_length, iv, sizeof(iv), 1,
-                              crypt_data->key_id, key_version);
+	int rc = encryption_scheme_encrypt(src, srclen, dst, &dstlen,
+					   crypt_data, key_version,
+					   space, offset, lsn);
 
 	if (! ((rc == MY_AES_OK) && ((ulint) dstlen == srclen))) {
 		ib_logf(IB_LOG_LEVEL_FATAL,
@@ -837,17 +746,6 @@ fil_space_decrypt(
 	/* Copy FIL page header, it is not encrypted */
 	memcpy(dst_frame, src_frame, FIL_PAGE_DATA);
 
-	/* Get key */
-	byte key[MY_AES_MAX_KEY_LENGTH];
-	uint key_length;
-	unsigned char iv[MY_AES_BLOCK_SIZE];
-	fil_crypt_get_key(key, &key_length, crypt_data, key_version);
-
-	/* create iv/counter */
-	mach_write_to_4(iv + 0, space);
-	mach_write_to_4(iv + 4, offset);
-	mach_write_to_8(iv + 8, lsn);
-
 	/* Calculate the offset where decryption starts */
 	const byte* src = src_frame + FIL_PAGE_DATA;
 	byte* dst = dst_frame + FIL_PAGE_DATA;
@@ -865,9 +763,9 @@ fil_space_decrypt(
 		srclen = compressed_len;
 	}
 
-	int rc = encryption_decrypt(src, srclen, dst, &dstlen, key, key_length,
-				    iv, sizeof(iv), 1,
-                                    crypt_data->key_id, key_version);
+	int rc = encryption_scheme_decrypt(src, srclen, dst, &dstlen,
+					   crypt_data, key_version,
+					   space, offset, lsn);
 
 	if (! ((rc == MY_AES_OK) && ((ulint) dstlen == srclen))) {
 		ib_logf(IB_LOG_LEVEL_FATAL,

storage/innobase/handler/ha_innodb.cc

@@ -11729,8 +11729,7 @@ ha_innobase::create(
 
 		/* If there is old crypt data, copy IV */
 		if (old_crypt_data) {
-			memcpy(crypt_data->iv, old_crypt_data->iv, old_crypt_data->iv_length);
-			crypt_data->iv_length = old_crypt_data->iv_length;
+			memcpy(crypt_data->iv, old_crypt_data->iv, sizeof(crypt_data->iv));
 		}
 
 		mtr_t mtr;

storage/innobase/include/fil0crypt.h

@@ -80,13 +80,8 @@ struct fil_space_rotate_state_t
 	} scrubbing;
 };
 
-struct fil_space_crypt_struct
+struct fil_space_crypt_struct : st_encryption_scheme
 {
-	ulint type;	    // CRYPT_SCHEME
-	uint keyserver_requests; // no of key requests to key server
-	uint key_count;	    // No of initalized key-structs
-	uint key_id;	    // Key id for this space
-	key_struct keys[3]; // cached L = AES_ECB(KEY, IV)
 	uint min_key_version; // min key version for this space
 	ulint page0_offset;   // byte offset on page 0 for crypt data
 	fil_encryption_t encryption; // Encryption setup
@@ -94,9 +89,6 @@ struct fil_space_crypt_struct
 	ib_mutex_t mutex;   // mutex protecting following variables
 	bool closing;	    // is tablespace being closed
 	fil_space_rotate_state_t rotate_state;
-
-	uint iv_length;	    // length of IV
-	byte iv[1];	    // IV-data
 };
 
 /* structure containing encryption specification */

storage/maria/ma_check_standalone.h

@@ -33,6 +33,33 @@ struct encryption_service_st encryption_handler=
   no_key, 0, 0, 0, 0, 0
 };
 
+int encryption_scheme_encrypt(const unsigned char* src __attribute__((unused)),
+                              unsigned int slen __attribute__((unused)),
+                              unsigned char* dst __attribute__((unused)),
+                              unsigned int* dlen __attribute__((unused)),
+                              struct st_encryption_scheme *scheme __attribute__((unused)),
+                              unsigned int key_version __attribute__((unused)),
+                              unsigned int i32_1 __attribute__((unused)),
+                              unsigned int i32_2 __attribute__((unused)),
+                              unsigned long long i64 __attribute__((unused)))
+{
+  return -1;
+}
+
+
+int encryption_scheme_decrypt(const unsigned char* src __attribute__((unused)),
+                              unsigned int slen __attribute__((unused)),
+                              unsigned char* dst __attribute__((unused)),
+                              unsigned int* dlen __attribute__((unused)),
+                              struct st_encryption_scheme *scheme __attribute__((unused)),
+                              unsigned int key_version __attribute__((unused)),
+                              unsigned int i32_1 __attribute__((unused)),
+                              unsigned int i32_2 __attribute__((unused)),
+                              unsigned long long i64 __attribute__((unused)))
+{
+  return -1;
+}
+
 /* only those that included myisamchk.h may need and can use the below */
 #ifdef _myisamchk_h
 /*

storage/xtradb/fil/fil0crypt.cc

@@ -149,82 +149,6 @@ fil_space_crypt_cleanup()
 	os_event_free(fil_crypt_throttle_sleep_event);
 }
 
-/******************************************************************
-Get key bytes for a space/key-version */
-static
-void
-fil_crypt_get_key(
-/*==============*/
-	byte*		dst,		/*<! out: Key */
-	uint*		key_length,	/*<! out: Key length */
-	fil_space_crypt_t* crypt_data,	/*<! in: crypt data */
-	uint 		version)	/*<! in: Key version */
-{
-        unsigned char keybuf[MY_AES_MAX_KEY_LENGTH];
-
-	mutex_enter(&crypt_data->mutex);
-
-	// Check if we already have key
-	for (uint i = 0; i < crypt_data->key_count; i++) {
-		if (crypt_data->keys[i].key_version == version) {
-			memcpy(dst, crypt_data->keys[i].key,
-			       crypt_data->keys[i].key_length);
-			*key_length = crypt_data->keys[i].key_length;
-			mutex_exit(&crypt_data->mutex);
-			return;
-		}
-	}
-
-	// Not found!
-	crypt_data->keyserver_requests++;
-
-	// Rotate keys to make room for a new
-	for (uint i = 1; i < array_elements(crypt_data->keys); i++) {
-		crypt_data->keys[i] = crypt_data->keys[i - 1];
-	}
-
-	*key_length = sizeof(keybuf);
-	uint rc = encryption_key_get(crypt_data->key_id, version, keybuf, key_length);
-	if (rc) {
-		ib_logf(IB_LOG_LEVEL_FATAL,
-			"Key id %u version %u can not be found. Reason=%u",
-			crypt_data->key_id, version, rc);
-		ut_error;
-	}
-
-	/* Now compute L by encrypting IV using this key. Note
-	that we use random IV from crypt data. */
-	const unsigned char* src = crypt_data->iv;
-	const int srclen = crypt_data->iv_length;
-	unsigned char* buf = crypt_data->keys[0].key;
-	uint32 buflen = CRYPT_SCHEME_1_IV_LEN;
-
-	/* We use AES_ECB to encrypt IV */
-	rc = my_aes_encrypt_ecb(src, srclen, buf, &buflen,
-				keybuf, *key_length, NULL, 0, 1);
-
-	if (rc != MY_AES_OK) {
-		ib_logf(IB_LOG_LEVEL_FATAL,
-			"Unable to encrypt key-block "
-			" src: %p srclen: %d buf: %p buflen: %d."
-			" return-code: %d. Can't continue!\n",
-			src, srclen, buf, buflen, rc);
-		ut_error;
-	}
-
-	crypt_data->keys[0].key_version = version;
-	crypt_data->key_count++;
-	*key_length = buflen;
-	crypt_data->keys[0].key_length = buflen;
-
-	if (crypt_data->key_count > array_elements(crypt_data->keys)) {
-		crypt_data->key_count = array_elements(crypt_data->keys);
-	}
-
-	memcpy(dst, buf, buflen);
-	mutex_exit(&crypt_data->mutex);
-}
-
 /******************************************************************
 Get the latest(key-version), waking the encrypt thread, if needed */
 static inline
@@ -244,27 +168,17 @@ fil_crypt_get_latest_key_version(
 }
 
 /******************************************************************
-Get key bytes for a space/latest(key-version) */
-static inline
-void
-fil_crypt_get_latest_key(
-/*=====================*/
-	byte*		dst,		/*!< out: Key */
-	uint*		key_length,	/*!< out: Key length */
-	fil_space_crypt_t* crypt_data, 	/*!< in: crypt data */
-	uint*		version)	/*!< in: Key version */
+Mutex helper for crypt_data->scheme */
+static void crypt_data_scheme_locker(st_encryption_scheme *scheme, int exit)
 {
-        // used for key rotation - get the next key id from the key provider
-	uint rc = *version = fil_crypt_get_latest_key_version(crypt_data);
+	fil_space_crypt_t* crypt_data =
+		static_cast<fil_space_crypt_t*>(scheme);
 
-	if (rc == ENCRYPTION_KEY_VERSION_INVALID) {
-		ib_logf(IB_LOG_LEVEL_FATAL,
-			"Unknown key id %u. Can't continue!\n",
-                        crypt_data->key_id);
-		ut_error;
+	if (exit) {
+		mutex_exit(&crypt_data->mutex);
+	} else {
+		mutex_enter(&crypt_data->mutex);
 	}
-
-	return fil_crypt_get_key(dst, key_length, crypt_data, *version);
 }
 
 /******************************************************************
@@ -277,8 +191,7 @@ fil_space_create_crypt_data(
 	fil_encryption_t	encrypt_mode,	/*!< in: encryption mode */
 	uint			key_id)		/*!< in: encryption key id */
 {
-	const uint iv_length = CRYPT_SCHEME_1_IV_LEN;
-	const uint sz = sizeof(fil_space_crypt_t) + iv_length;
+	const uint sz = sizeof(fil_space_crypt_t);
 	fil_space_crypt_t* crypt_data =
 		static_cast<fil_space_crypt_t*>(malloc(sz));
 
@@ -290,14 +203,14 @@ fil_space_create_crypt_data(
 		crypt_data->min_key_version = 0;
 	} else {
 		crypt_data->type = CRYPT_SCHEME_1;
-                crypt_data->key_id = key_id;
+		crypt_data->key_id = key_id;
 		crypt_data->min_key_version = encryption_key_get_latest_version(key_id);
 	}
 
 	mutex_create(fil_crypt_data_mutex_key,
 		&crypt_data->mutex, SYNC_NO_ORDER_CHECK);
-	crypt_data->iv_length = iv_length;
-	my_random_bytes(crypt_data->iv, iv_length);
+	crypt_data->locker = crypt_data_scheme_locker;
+	my_random_bytes(crypt_data->iv, sizeof(crypt_data->iv));
 	crypt_data->encryption = FIL_SPACE_ENCRYPTION_DEFAULT;
 	return crypt_data;
 }
@@ -317,12 +230,9 @@ fil_space_crypt_compare(
 	ut_a(crypt_data2->type == CRYPT_SCHEME_UNENCRYPTED ||
 	     crypt_data2->type == CRYPT_SCHEME_1);
 
-	ut_a(crypt_data1->iv_length == CRYPT_SCHEME_1_IV_LEN);
-	ut_a(crypt_data2->iv_length == CRYPT_SCHEME_1_IV_LEN);
-
 	/* no support for changing iv (yet?) */
 	ut_a(memcmp(crypt_data1->iv, crypt_data2->iv,
-		    crypt_data1->iv_length) == 0);
+		    sizeof(crypt_data1->iv)) == 0);
 
 	return 0;
 }
@@ -378,9 +288,10 @@ fil_space_read_crypt_data(
 		ut_error;
 	}
 
+	fil_space_crypt_t* crypt_data;
 	ulint iv_length = mach_read_from_1(page + offset + MAGIC_SZ + 1);
 
-	if (! (iv_length == CRYPT_SCHEME_1_IV_LEN)) {
+	if (! (iv_length == sizeof(crypt_data->iv))) {
 		ib_logf(IB_LOG_LEVEL_ERROR,
 			"Found non sensible iv length: %lu for space %lu "
 			" offset: %lu type: %lu bytes: "
@@ -405,8 +316,7 @@ fil_space_read_crypt_data(
 		page + offset + MAGIC_SZ + 2 + iv_length + 8);
 
 	const uint sz = sizeof(fil_space_crypt_t) + iv_length;
-	fil_space_crypt_t* crypt_data = static_cast<fil_space_crypt_t*>(
-		malloc(sz));
+	crypt_data = static_cast<fil_space_crypt_t*>(malloc(sz));
 	memset(crypt_data, 0, sz);
 
 	crypt_data->type = type;
@@ -416,7 +326,7 @@ fil_space_read_crypt_data(
 	crypt_data->encryption = encryption;
 	mutex_create(fil_crypt_data_mutex_key,
 		     &crypt_data->mutex, SYNC_NO_ORDER_CHECK);
-	crypt_data->iv_length = iv_length;
+	crypt_data->locker = crypt_data_scheme_locker;
 	memcpy(crypt_data->iv, page + offset + MAGIC_SZ + 2, iv_length);
 
 	return crypt_data;
@@ -453,7 +363,7 @@ fil_space_write_crypt_data_low(
 	ut_a(offset > 0 && offset < UNIV_PAGE_SIZE);
 	ulint space_id = mach_read_from_4(
 		page + FIL_PAGE_ARCH_LOG_NO_OR_SPACE_ID);
-	const uint len = crypt_data->iv_length;
+	const uint len = sizeof(crypt_data->iv);
 	const uint min_key_version = crypt_data->min_key_version;
 	const uint key_id = crypt_data->key_id;
 	const fil_encryption_t encryption = crypt_data->encryption;
@@ -662,9 +572,6 @@ fil_space_encrypt(
 	fil_space_crypt_t* crypt_data = NULL;
 	ulint page_size = (zip_size) ? zip_size : UNIV_PAGE_SIZE;
 	uint key_version;
-	unsigned char key[MY_AES_MAX_KEY_LENGTH];
-	uint key_length = MY_AES_MAX_KEY_LENGTH;
-	unsigned char iv[MY_AES_BLOCK_SIZE];
 
 	ulint orig_page_type = mach_read_from_2(src_frame+FIL_PAGE_TYPE);
 
@@ -686,12 +593,14 @@ fil_space_encrypt(
 		return;
 	}
 
-	fil_crypt_get_latest_key(key, &key_length, crypt_data, &key_version);
+	key_version = fil_crypt_get_latest_key_version(crypt_data);
 
-	/* create iv/counter */
-	mach_write_to_4(iv + 0, space);
-	mach_write_to_4(iv + 4, offset);
-	mach_write_to_8(iv + 8, lsn);
+	if (key_version == ENCRYPTION_KEY_VERSION_INVALID) {
+		ib_logf(IB_LOG_LEVEL_FATAL,
+			"Unknown key id %u. Can't continue!\n",
+			crypt_data->key_id);
+		ut_error;
+	}
 
 	ibool page_compressed = (mach_read_from_2(src_frame+FIL_PAGE_TYPE) == FIL_PAGE_PAGE_COMPRESSED);
 
@@ -719,9 +628,9 @@ fil_space_encrypt(
 		dst+=2;
 	}
 
-	int rc = encryption_encrypt(src, srclen, dst, &dstlen,
-	                      key, key_length, iv, sizeof(iv), 1,
-                              crypt_data->key_id, key_version);
+	int rc = encryption_scheme_encrypt(src, srclen, dst, &dstlen,
+					   crypt_data, key_version,
+					   space, offset, lsn);
 
 	if (! ((rc == MY_AES_OK) && ((ulint) dstlen == srclen))) {
 		ib_logf(IB_LOG_LEVEL_FATAL,
@@ -837,17 +746,6 @@ fil_space_decrypt(
 	/* Copy FIL page header, it is not encrypted */
 	memcpy(dst_frame, src_frame, FIL_PAGE_DATA);
 
-	/* Get key */
-	byte key[MY_AES_MAX_KEY_LENGTH];
-	uint key_length;
-	unsigned char iv[MY_AES_BLOCK_SIZE];
-	fil_crypt_get_key(key, &key_length, crypt_data, key_version);
-
-	/* create iv/counter */
-	mach_write_to_4(iv + 0, space);
-	mach_write_to_4(iv + 4, offset);
-	mach_write_to_8(iv + 8, lsn);
-
 	/* Calculate the offset where decryption starts */
 	const byte* src = src_frame + FIL_PAGE_DATA;
 	byte* dst = dst_frame + FIL_PAGE_DATA;
@@ -865,9 +763,9 @@ fil_space_decrypt(
 		srclen = compressed_len;
 	}
 
-	int rc = encryption_decrypt(src, srclen, dst, &dstlen, key, key_length,
-				    iv, sizeof(iv), 1,
-                                    crypt_data->key_id, key_version);
+	int rc = encryption_scheme_decrypt(src, srclen, dst, &dstlen,
+					   crypt_data, key_version,
+					   space, offset, lsn);
 
 	if (! ((rc == MY_AES_OK) && ((ulint) dstlen == srclen))) {
 		ib_logf(IB_LOG_LEVEL_FATAL,

storage/xtradb/handler/ha_innodb.cc

@@ -12242,8 +12242,7 @@ ha_innobase::create(
 
 		/* If there is old crypt data, copy IV */
 		if (old_crypt_data) {
-			memcpy(crypt_data->iv, old_crypt_data->iv, old_crypt_data->iv_length);
-			crypt_data->iv_length = old_crypt_data->iv_length;
+			memcpy(crypt_data->iv, old_crypt_data->iv, sizeof(crypt_data->iv));
 		}
 
 		mtr_t mtr;

storage/xtradb/include/fil0crypt.h

@@ -80,13 +80,8 @@ struct fil_space_rotate_state_t
 	} scrubbing;
 };
 
-struct fil_space_crypt_struct
+struct fil_space_crypt_struct : st_encryption_scheme
 {
-	ulint type;	    // CRYPT_SCHEME
-	uint keyserver_requests; // no of key requests to key server
-	uint key_count;	    // No of initalized key-structs
-	uint key_id;	    // Key id for this space
-	key_struct keys[3]; // cached L = AES_ECB(KEY, IV)
 	uint min_key_version; // min key version for this space
 	ulint page0_offset;   // byte offset on page 0 for crypt data
 	fil_encryption_t encryption; // Encryption setup
@@ -94,9 +89,6 @@ struct fil_space_crypt_struct
 	ib_mutex_t mutex;   // mutex protecting following variables
 	bool closing;	    // is tablespace being closed
 	fil_space_rotate_state_t rotate_state;
-
-	uint iv_length;	    // length of IV
-	byte iv[1];	    // IV-data
 };
 
 /* structure containing encryption specification */