encryption plugin controls the encryption

* no --encryption-algorithm option anymore
* encrypt/decrypt methods in the encryption plugin
* ecnrypt/decrypt methods in the encryption_km service
* file_km plugin has --file-key-management-encryption-algorithm
* debug_km always uses aes_cbc
* example_km changes between aes_cbc and aes_ecb for different key versions

include/my_aes.h

@@ -24,8 +24,6 @@
 
 #include <my_global.h>
 
-typedef int Crypt_result;
-
 #define AES_OK 0
 #define AES_BAD_DATA  -1
 #define AES_BAD_IV -2
@@ -49,84 +47,6 @@ typedef int Crypt_result;
 
 C_MODE_START
 
-/**
-  Crypt buffer with AES dynamic (defined at startup) encryption algorithm.
-
-  SYNOPSIS
-     my_aes_encrypt_dynamic()
-     @param source         [in]  Pointer to data for encryption
-     @param source_length  [in]  Size of encryption data
-     @param dest           [out] Buffer to place encrypted data (must be large enough)
-     @param dest_length    [out] Pointer to size of encrypted data
-     @param key            [in]  Key to be used for encryption
-     @param key_length     [in]  Length of the key. 16, 24 or 32
-     @param iv             [in]  Iv to be used for encryption
-     @param iv_length      [in]  Length of the iv. should be 16.
-     @param noPadding	   [in]  if set, algorithm specific padding behaviour is used
-
-  Method used defined by calling my_aes_init_dynamic_encrypt() at startup.
-
-  @return
-    != 0           error
-    0             no error
-*/
-
-typedef int (*my_aes_encrypt_dynamic_type)(const uchar* source, uint32 source_length,
-				           uchar* dest, uint32* dest_length,
-                                           const uchar* key, uint8 key_length,
-                                           const uchar* iv, uint8 iv_length,
-                                           uint noPadding);
-
-extern MYSQL_PLUGIN_IMPORT my_aes_encrypt_dynamic_type my_aes_encrypt_dynamic;
-
-/**
-  AES decryption AES dynamic (defined at startup) encryption algorithm.
-
-  SYNOPSIS
-     my_aes_decrypt_dynamic()
-     @param source         [in]  Pointer to data to decrypt
-     @param source_length  [in]  Size of data
-     @param dest           [out] Buffer to place decrypted data (must be large enough)
-     @param dest_length    [out] Pointer to size of decrypted data
-     @param key            [in]  Key to be used for decryption
-     @param key_length     [in]  Length of the key. 16, 24 or 32
-     @param iv             [in]  Iv to be used for encryption
-     @param iv_length      [in]  Length of the iv. should be 16.
-     @param noPadding	   [in]  if set, algorithm specific padding behaviour is used
-
-  @return
-    != 0           error
-    0             no error
-
-  Method used defined by calling my_aes_init_dynamic_encrypt() at startup.
-*/
-
-typedef int (*my_aes_decrypt_dynamic_type)(const uchar *source,
-                                           uint32 source_length,
-					   uchar *dest, uint32 *dest_length,
-                                           const uchar *key, uint8 key_length,
-                                           const uchar *iv, uint8 iv_length,
-                                           uint noPadding);
-extern MYSQL_PLUGIN_IMPORT my_aes_decrypt_dynamic_type my_aes_decrypt_dynamic;
-
-/**
-   Initialize dynamic crypt functions
-*/
-
-enum enum_my_aes_encryption_algorithm
-{
-  MY_AES_ALGORITHM_NONE, MY_AES_ALGORITHM_ECB, MY_AES_ALGORITHM_CBC,
-  MY_AES_ALGORITHM_CTR
-};
-
-my_aes_decrypt_dynamic_type get_aes_decrypt_func(enum enum_my_aes_encryption_algorithm method);
-my_aes_encrypt_dynamic_type get_aes_encrypt_func(enum enum_my_aes_encryption_algorithm method);
-
-
-my_bool my_aes_init_dynamic_encrypt(enum enum_my_aes_encryption_algorithm method);
-
-extern MYSQL_PLUGIN_IMPORT enum enum_my_aes_encryption_algorithm current_aes_dynamic_method;
-
 int my_aes_get_size(int source_length);
 
 C_MODE_END

include/my_crypt.h

@@ -26,45 +26,45 @@ C_MODE_START
 
 #ifdef HAVE_EncryptAes128Ctr
 
-Crypt_result my_aes_encrypt_ctr(const uchar* source, uint32 source_length,
-                                uchar* dest, uint32* dest_length,
-                                const unsigned char* key, uint8 key_length,
-                                const unsigned char* iv, uint8 iv_length,
-                                uint no_padding);
-
-Crypt_result my_aes_decrypt_ctr(const uchar* source, uint32 source_length,
-                                uchar* dest, uint32* dest_length,
-                                const unsigned char* key, uint8 key_length,
-                                const unsigned char* iv, uint8 iv_length,
-                                uint no_padding);
+int my_aes_encrypt_ctr(const uchar* source, uint source_length,
+                                uchar* dest, uint* dest_length,
+                                const unsigned char* key, uint key_length,
+                                const unsigned char* iv, uint iv_length,
+                                int no_padding);
+
+int my_aes_decrypt_ctr(const uchar* source, uint source_length,
+                                uchar* dest, uint* dest_length,
+                                const unsigned char* key, uint key_length,
+                                const unsigned char* iv, uint iv_length,
+                                int no_padding);
 
 #endif
 
-Crypt_result my_aes_encrypt_cbc(const uchar* source, uint32 source_length,
-                                uchar* dest, uint32* dest_length,
-                                const unsigned char* key, uint8 key_length,
-                                const unsigned char* iv, uint8 iv_length,
-                                uint no_padding);
-
-Crypt_result my_aes_decrypt_cbc(const uchar* source, uint32 source_length,
-                                uchar* dest, uint32* dest_length,
-                                const unsigned char* key, uint8 key_length,
-                                const unsigned char* iv, uint8 iv_length,
-                                uint no_padding);
-
-Crypt_result my_aes_encrypt_ecb(const uchar* source, uint32 source_length,
-                                uchar* dest, uint32* dest_length,
-                                const unsigned char* key, uint8 key_length,
-                                const unsigned char* iv, uint8 iv_length,
-                                uint no_padding);
-
-Crypt_result my_aes_decrypt_ecb(const uchar* source, uint32 source_length,
-                                uchar* dest, uint32* dest_length,
-                                const unsigned char* key, uint8 key_length,
-                                const unsigned char* iv, uint8 iv_length,
-                                uint no_padding);
-
-Crypt_result my_random_bytes(uchar* buf, int num);
+int my_aes_encrypt_cbc(const uchar* source, uint source_length,
+                                uchar* dest, uint* dest_length,
+                                const unsigned char* key, uint key_length,
+                                const unsigned char* iv, uint iv_length,
+                                int no_padding);
+
+int my_aes_decrypt_cbc(const uchar* source, uint source_length,
+                                uchar* dest, uint* dest_length,
+                                const unsigned char* key, uint key_length,
+                                const unsigned char* iv, uint iv_length,
+                                int no_padding);
+
+int my_aes_encrypt_ecb(const uchar* source, uint source_length,
+                                uchar* dest, uint* dest_length,
+                                const unsigned char* key, uint key_length,
+                                const unsigned char* iv, uint iv_length,
+                                int no_padding);
+
+int my_aes_decrypt_ecb(const uchar* source, uint source_length,
+                                uchar* dest, uint* dest_length,
+                                const unsigned char* key, uint key_length,
+                                const unsigned char* iv, uint iv_length,
+                                int no_padding);
+
+int my_random_bytes(uchar* buf, int num);
 
 C_MODE_END
 

include/mysql/plugin_audit.h.pp

@@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key);
 void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
 int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
 #include <mysql/service_encryption_keys.h>
+typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
+                                    unsigned char* dst, unsigned int* dlen,
+                                    const unsigned char* key, unsigned int klen,
+                                    const unsigned char* iv, unsigned int ivlen,
+                                    int no_padding, unsigned int key_version);
 extern struct encryption_keys_service_st {
   unsigned int (*get_latest_encryption_key_version_func)();
   unsigned int (*has_encryption_key_func)(unsigned int);
   unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*);
+  encrypt_decrypt_func encrypt_data_func;
+  encrypt_decrypt_func decrypt_data_func;
 } *encryption_keys_service;
 unsigned int get_latest_encryption_key_version();
 unsigned int has_encryption_key(unsigned int version);
 unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize);
+int encrypt_data(const unsigned char* src, unsigned int slen,
+                 unsigned char* dst, unsigned int* dlen,
+                 const unsigned char* key, unsigned int klen,
+                 const unsigned char* iv, unsigned int ivlen,
+                 int no_padding, unsigned int key_version);
+int decrypt_data(const unsigned char* src, unsigned int slen,
+                 unsigned char* dst, unsigned int* dlen,
+                 const unsigned char* key, unsigned int klen,
+                 const unsigned char* iv, unsigned int ivlen,
+                 int no_padding, unsigned int key_version);
 struct st_mysql_xid {
   long formatID;
   long gtrid_length;

include/mysql/plugin_auth.h.pp

@@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key);
 void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
 int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
 #include <mysql/service_encryption_keys.h>
+typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
+                                    unsigned char* dst, unsigned int* dlen,
+                                    const unsigned char* key, unsigned int klen,
+                                    const unsigned char* iv, unsigned int ivlen,
+                                    int no_padding, unsigned int key_version);
 extern struct encryption_keys_service_st {
   unsigned int (*get_latest_encryption_key_version_func)();
   unsigned int (*has_encryption_key_func)(unsigned int);
   unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*);
+  encrypt_decrypt_func encrypt_data_func;
+  encrypt_decrypt_func decrypt_data_func;
 } *encryption_keys_service;
 unsigned int get_latest_encryption_key_version();
 unsigned int has_encryption_key(unsigned int version);
 unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize);
+int encrypt_data(const unsigned char* src, unsigned int slen,
+                 unsigned char* dst, unsigned int* dlen,
+                 const unsigned char* key, unsigned int klen,
+                 const unsigned char* iv, unsigned int ivlen,
+                 int no_padding, unsigned int key_version);
+int decrypt_data(const unsigned char* src, unsigned int slen,
+                 unsigned char* dst, unsigned int* dlen,
+                 const unsigned char* key, unsigned int klen,
+                 const unsigned char* iv, unsigned int ivlen,
+                 int no_padding, unsigned int key_version);
 struct st_mysql_xid {
   long formatID;
   long gtrid_length;

include/mysql/plugin_encryption.h

 #ifndef MYSQL_PLUGIN_ENCRYPTION_INCLUDED
-/* Copyright (C) 2014 Sergei Golubchik and MariaDB
+/* Copyright (C) 2014, 2015 Sergei Golubchik and MariaDB
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -29,9 +29,6 @@
 
 #define MariaDB_ENCRYPTION_INTERFACE_VERSION 0x0200
 
-#define BAD_ENCRYPTION_KEY_VERSION (~(unsigned int)0)
-#define KEY_BUFFER_TOO_SMALL       (100)
-
 /**
   Encryption plugin descriptor
 */
@@ -68,6 +65,9 @@ struct st_mariadb_encryption
   */
   unsigned int (*get_key)(unsigned int version, unsigned char *key,
                           unsigned int *key_length);
+
+  encrypt_decrypt_func encrypt;
+  encrypt_decrypt_func decrypt;
 };
 #endif
 

include/mysql/plugin_encryption.h.pp

@@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key);
 void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
 int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
 #include <mysql/service_encryption_keys.h>
+typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
+                                    unsigned char* dst, unsigned int* dlen,
+                                    const unsigned char* key, unsigned int klen,
+                                    const unsigned char* iv, unsigned int ivlen,
+                                    int no_padding, unsigned int key_version);
 extern struct encryption_keys_service_st {
   unsigned int (*get_latest_encryption_key_version_func)();
   unsigned int (*has_encryption_key_func)(unsigned int);
   unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*);
+  encrypt_decrypt_func encrypt_data_func;
+  encrypt_decrypt_func decrypt_data_func;
 } *encryption_keys_service;
 unsigned int get_latest_encryption_key_version();
 unsigned int has_encryption_key(unsigned int version);
 unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize);
+int encrypt_data(const unsigned char* src, unsigned int slen,
+                 unsigned char* dst, unsigned int* dlen,
+                 const unsigned char* key, unsigned int klen,
+                 const unsigned char* iv, unsigned int ivlen,
+                 int no_padding, unsigned int key_version);
+int decrypt_data(const unsigned char* src, unsigned int slen,
+                 unsigned char* dst, unsigned int* dlen,
+                 const unsigned char* key, unsigned int klen,
+                 const unsigned char* iv, unsigned int ivlen,
+                 int no_padding, unsigned int key_version);
 struct st_mysql_xid {
   long formatID;
   long gtrid_length;
@@ -368,4 +385,6 @@ struct st_mariadb_encryption
   unsigned int (*get_latest_key_version)();
   unsigned int (*get_key)(unsigned int version, unsigned char *key,
                           unsigned int *key_length);
+  encrypt_decrypt_func encrypt;
+  encrypt_decrypt_func decrypt;
 };

include/mysql/plugin_ftparser.h.pp

@@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key);
 void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
 int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
 #include <mysql/service_encryption_keys.h>
+typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
+                                    unsigned char* dst, unsigned int* dlen,
+                                    const unsigned char* key, unsigned int klen,
+                                    const unsigned char* iv, unsigned int ivlen,
+                                    int no_padding, unsigned int key_version);
 extern struct encryption_keys_service_st {
   unsigned int (*get_latest_encryption_key_version_func)();
   unsigned int (*has_encryption_key_func)(unsigned int);
   unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*);
+  encrypt_decrypt_func encrypt_data_func;
+  encrypt_decrypt_func decrypt_data_func;
 } *encryption_keys_service;
 unsigned int get_latest_encryption_key_version();
 unsigned int has_encryption_key(unsigned int version);
 unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize);
+int encrypt_data(const unsigned char* src, unsigned int slen,
+                 unsigned char* dst, unsigned int* dlen,
+                 const unsigned char* key, unsigned int klen,
+                 const unsigned char* iv, unsigned int ivlen,
+                 int no_padding, unsigned int key_version);
+int decrypt_data(const unsigned char* src, unsigned int slen,
+                 unsigned char* dst, unsigned int* dlen,
+                 const unsigned char* key, unsigned int klen,
+                 const unsigned char* iv, unsigned int ivlen,
+                 int no_padding, unsigned int key_version);
 struct st_mysql_xid {
   long formatID;
   long gtrid_length;

include/mysql/plugin_password_validation.h.pp

@@ -198,14 +198,31 @@ void thd_key_delete(MYSQL_THD_KEY_T *key);
 void* thd_getspecific(void* thd, MYSQL_THD_KEY_T key);
 int thd_setspecific(void* thd, MYSQL_THD_KEY_T key, void *value);
 #include <mysql/service_encryption_keys.h>
+typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
+                                    unsigned char* dst, unsigned int* dlen,
+                                    const unsigned char* key, unsigned int klen,
+                                    const unsigned char* iv, unsigned int ivlen,
+                                    int no_padding, unsigned int key_version);
 extern struct encryption_keys_service_st {
   unsigned int (*get_latest_encryption_key_version_func)();
   unsigned int (*has_encryption_key_func)(unsigned int);
   unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*);
+  encrypt_decrypt_func encrypt_data_func;
+  encrypt_decrypt_func decrypt_data_func;
 } *encryption_keys_service;
 unsigned int get_latest_encryption_key_version();
 unsigned int has_encryption_key(unsigned int version);
 unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize);
+int encrypt_data(const unsigned char* src, unsigned int slen,
+                 unsigned char* dst, unsigned int* dlen,
+                 const unsigned char* key, unsigned int klen,
+                 const unsigned char* iv, unsigned int ivlen,
+                 int no_padding, unsigned int key_version);
+int decrypt_data(const unsigned char* src, unsigned int slen,
+                 unsigned char* dst, unsigned int* dlen,
+                 const unsigned char* key, unsigned int klen,
+                 const unsigned char* iv, unsigned int ivlen,
+                 int no_padding, unsigned int key_version);
 struct st_mysql_xid {
   long formatID;
   long gtrid_length;

include/mysql/service_encryption_keys.h

@@ -25,10 +25,21 @@
 extern "C" {
 #endif
 
+#define BAD_ENCRYPTION_KEY_VERSION (~(unsigned int)0)
+#define KEY_BUFFER_TOO_SMALL       (100)
+
+typedef int (*encrypt_decrypt_func)(const unsigned char* src, unsigned int slen,
+                                    unsigned char* dst, unsigned int* dlen,
+                                    const unsigned char* key, unsigned int klen,
+                                    const unsigned char* iv, unsigned int ivlen,
+                                    int no_padding, unsigned int key_version);
+
 extern struct encryption_keys_service_st {
   unsigned int (*get_latest_encryption_key_version_func)();
   unsigned int (*has_encryption_key_func)(unsigned int);
   unsigned int (*get_encryption_key_func)(unsigned int, unsigned char*, unsigned int*);
+  encrypt_decrypt_func encrypt_data_func;
+  encrypt_decrypt_func decrypt_data_func;
 } *encryption_keys_service;
 
 #ifdef MYSQL_DYNAMIC_PLUGIN
@@ -36,13 +47,23 @@ extern struct encryption_keys_service_st {
 #define get_latest_encryption_key_version() encryption_keys_service->get_latest_encryption_key_version_func()
 #define has_encryption_key(V) encryption_keys_service->has_encryption_key_func(V)
 #define get_encryption_key(V,K,S) encryption_keys_service->get_encryption_key_func((V), (K), (S))
-
+#define encrypt_data(S,SL,D,DL,K,KL,I,IL,NP,KV) encryption_keys_service->encrypt_data_func(S,SL,D,DL,K,KL,I,IL,NP,KV)
+#define decrypt_data(S,SL,D,DL,K,KL,I,IL,NP,KV) encryption_keys_service->decrypt_data_func(S,SL,D,DL,K,KL,I,IL,NP,KV)
 #else
 
 unsigned int get_latest_encryption_key_version();
 unsigned int has_encryption_key(unsigned int version);
 unsigned int get_encryption_key(unsigned int version, unsigned char* key, unsigned int *keybufsize);
-
+int encrypt_data(const unsigned char* src, unsigned int slen,
+                 unsigned char* dst, unsigned int* dlen,
+                 const unsigned char* key, unsigned int klen,
+                 const unsigned char* iv, unsigned int ivlen,
+                 int no_padding, unsigned int key_version);
+int decrypt_data(const unsigned char* src, unsigned int slen,
+                 unsigned char* dst, unsigned int* dlen,
+                 const unsigned char* key, unsigned int klen,
+                 const unsigned char* iv, unsigned int ivlen,
+                 int no_padding, unsigned int key_version);
 #endif
 
 #ifdef __cplusplus

mysql-test/include/encryption_algorithms.combinations

 [cbc]
-encryption-algorithm=aes_cbc
-
-[ecb]
-encryption-algorithm=aes_ecb
+file-key-management-encryption-algorithm=aes_cbc
 
 [ctr]
-encryption-algorithm=aes_ctr
+file-key-management-encryption-algorithm=aes_ctr

mysql-test/include/have_example_key_management_plugin.inc

--- source encryption_algorithms.inc
-
 if (!$EXAMPLE_KEY_MANAGEMENT_SO)
 {
   --skip Needs example_key_management

mysql-test/include/have_file_key_management_plugin.inc

--- source encryption_algorithms.inc
+--source encryption_algorithms.inc
 
 if (!$FILE_KEY_MANAGEMENT_SO)
 {

mysql-test/r/mysqld--help.result

@@ -165,10 +165,6 @@ The following options may be given as the first argument:
  --encrypt-tmp-disk-tables 
  Encrypt tmp disk tables (created as part of query
  execution)
- --encryption-algorithm=name 
- Which encryption algorithm to use for table encryption.
- aes_cbc is the recommended one.. One of: none, aes_ecb, 
- aes_cbc, aes_ctr
  --enforce-storage-engine=name 
  Force the use of a storage engine for new tables
  --event-scheduler[=name] 
@@ -1151,7 +1147,6 @@ delayed-insert-timeout 300
 delayed-queue-size 1000
 div-precision-increment 4
 encrypt-tmp-disk-tables FALSE
-encryption-algorithm none
 enforce-storage-engine (No default value)
 event-scheduler OFF
 expensive-subquery-limit 100

mysql-test/suite/plugins/t/filekeys_plugin.opt

 --plugin-load-add=$FILE_KEY_MANAGEMENT_SO
---encryption-algorithm=aes_cbc

mysql-test/suite/sys_vars/r/encryption_algorithm_basic.result

-select @@global.encryption_algorithm;
-@@global.encryption_algorithm
-none
-select @@session.encryption_algorithm;
-ERROR HY000: Variable 'encryption_algorithm' is a GLOBAL variable
-set global encryption_algorithm="none";
-ERROR HY000: Variable 'encryption_algorithm' is a read only variable

mysql-test/suite/sys_vars/r/sysvars_server_embedded.result

@@ -681,20 +681,6 @@ NUMERIC_BLOCK_SIZE	1
 ENUM_VALUE_LIST	NULL
 READ_ONLY	NO
 COMMAND_LINE_ARGUMENT	REQUIRED
-VARIABLE_NAME	ENCRYPTION_ALGORITHM
-SESSION_VALUE	NULL
-GLOBAL_VALUE	none
-GLOBAL_VALUE_ORIGIN	COMPILE-TIME
-DEFAULT_VALUE	none
-VARIABLE_SCOPE	GLOBAL
-VARIABLE_TYPE	ENUM
-VARIABLE_COMMENT	Which encryption algorithm to use for table encryption. aes_cbc is the recommended one.
-NUMERIC_MIN_VALUE	NULL
-NUMERIC_MAX_VALUE	NULL
-NUMERIC_BLOCK_SIZE	NULL
-ENUM_VALUE_LIST	none,aes_ecb,aes_cbc,aes_ctr
-READ_ONLY	YES
-COMMAND_LINE_ARGUMENT	REQUIRED
 VARIABLE_NAME	ENCRYPT_TMP_DISK_TABLES
 SESSION_VALUE	NULL
 GLOBAL_VALUE	OFF

mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result

@@ -695,20 +695,6 @@ NUMERIC_BLOCK_SIZE	1
 ENUM_VALUE_LIST	NULL
 READ_ONLY	NO
 COMMAND_LINE_ARGUMENT	REQUIRED
-VARIABLE_NAME	ENCRYPTION_ALGORITHM
-SESSION_VALUE	NULL
-GLOBAL_VALUE	none
-GLOBAL_VALUE_ORIGIN	COMPILE-TIME
-DEFAULT_VALUE	none
-VARIABLE_SCOPE	GLOBAL
-VARIABLE_TYPE	ENUM
-VARIABLE_COMMENT	Which encryption algorithm to use for table encryption. aes_cbc is the recommended one.
-NUMERIC_MIN_VALUE	NULL
-NUMERIC_MAX_VALUE	NULL
-NUMERIC_BLOCK_SIZE	NULL
-ENUM_VALUE_LIST	none,aes_ecb,aes_cbc,aes_ctr
-READ_ONLY	YES
-COMMAND_LINE_ARGUMENT	REQUIRED
 VARIABLE_NAME	ENCRYPT_TMP_DISK_TABLES
 SESSION_VALUE	NULL
 GLOBAL_VALUE	OFF

mysql-test/suite/sys_vars/t/encryption_algorithm_basic.test

-# bool global
-
-# exists as global only
-#
-select @@global.encryption_algorithm;
---error ER_INCORRECT_GLOBAL_LOCAL_VAR
-select @@session.encryption_algorithm;
-
-#
-# show that it's not writable
-#
---error 1238
-set global encryption_algorithm="none";

mysys_ssl/my_aes.cc

@@ -18,164 +18,10 @@
 #include <my_aes.h>
 #include <my_crypt.h>
 
-/**
-   Encryption interface that doesn't do anything (for testing)
-
-   SYNOPSIS
-     my_aes_encrypt_none()
-     @param source         [in]  Pointer to data for encryption
-     @param source_length  [in]  Size of encryption data
-     @param dest           [out] Buffer to place encrypted data (must be large enough)
-     @param dest_length    [out] Pointer to size of encrypted data
-     @param key            [in]  Key to be used for encryption
-     @param key_length     [in]  Length of the key. 16, 24 or 32
-     @param iv             [in]  Iv to be used for encryption
-     @param iv_length      [in]  Length of the iv. should be 16.
-     @param noPadding	   [in]  unused
-  @return
-    != 0           error
-    0             no error
-*/
-
-static int my_aes_encrypt_none(const uchar* source, uint32 source_length,
-                               uchar* dest, uint32* dest_length,
-                               const unsigned char* key, uint8 key_length,
-                               const unsigned char* iv, uint8 iv_length,
-                               uint noPadding)
-{
-  memcpy(dest, source, source_length);
-  *dest_length= source_length;
-  return 0;
-}
-
-
-/**
-   Decryption interface that doesn't do anything (for testing)
-
-   SYNOPSIS
-     my_aes_decrypt_none()
-     @param source         [in]  Pointer to data to decrypt
-     @param source_length  [in]  Size of data
-     @param dest           [out] Buffer to place decrypted data (must be large enough)
-     @param dest_length    [out] Pointer to size of decrypted data
-     @param key            [in]  Key to be used for decryption
-     @param key_length     [in]  Length of the key. 16, 24 or 32
-     @param iv             [in]  Iv to be used for encryption
-     @param iv_length      [in]  Length of the iv. should be 16.
-     @param noPadding	   [in]  unused
-
-  @return
-    != 0           error
-    0             no error
-*/
-
-int my_aes_decrypt_none(const uchar* source, uint32 source_length,
-                        uchar* dest, uint32 *dest_length,
-                        const unsigned char* key, uint8 key_length,
-                        const unsigned char* iv, uint8 iv_length,
-                        uint noPadding)
-{
-  memcpy(dest, source, source_length);
-  *dest_length= source_length;
-  return 0;
-}
-
 /**
   Initialize encryption methods
 */
 
-my_aes_decrypt_dynamic_type my_aes_decrypt_dynamic= my_aes_decrypt_none;
-my_aes_encrypt_dynamic_type my_aes_encrypt_dynamic= my_aes_encrypt_none;
-enum_my_aes_encryption_algorithm current_aes_dynamic_method= MY_AES_ALGORITHM_NONE;
-
-my_bool my_aes_init_dynamic_encrypt(enum_my_aes_encryption_algorithm method)
-{
-  switch (method)
-  {
-    /* used for encrypting tables */
-  case MY_AES_ALGORITHM_ECB:
-    my_aes_encrypt_dynamic= my_aes_encrypt_ecb;
-    my_aes_decrypt_dynamic= my_aes_decrypt_ecb;
-    break;
-  case MY_AES_ALGORITHM_CBC:
-    my_aes_encrypt_dynamic= my_aes_encrypt_cbc;
-    my_aes_decrypt_dynamic= my_aes_decrypt_cbc;
-    break;
-#ifdef HAVE_EncryptAes128Ctr
-    /* encrypt everything, with a set of keys */
-  case MY_AES_ALGORITHM_CTR:
-    my_aes_encrypt_dynamic= my_aes_encrypt_ctr;
-    my_aes_decrypt_dynamic= my_aes_decrypt_ctr;
-    break;
-#endif
-    /* Simulate encrypting interface */
-  case MY_AES_ALGORITHM_NONE:
-    my_aes_encrypt_dynamic= my_aes_encrypt_none;
-    my_aes_decrypt_dynamic= my_aes_decrypt_none;
-    break;
-  default:
-    return 1;
-  }
-  current_aes_dynamic_method= method;
-  return 0;
-}
-
-my_aes_decrypt_dynamic_type
-get_aes_decrypt_func(enum_my_aes_encryption_algorithm method)
-{
-  switch (method)
-  {
-    /* used for encrypting tables */
-  case MY_AES_ALGORITHM_ECB:
-    return my_aes_decrypt_ecb;
-    break;
-  case MY_AES_ALGORITHM_CBC:
-    return my_aes_decrypt_cbc;
-    break;
-#ifdef HAVE_EncryptAes128Ctr
-    /* encrypt everything, with a set of keys */
-  case MY_AES_ALGORITHM_CTR:
-    return my_aes_decrypt_ctr;
-    break;
-#endif
-    /* Simulate encrypting interface */
-  case MY_AES_ALGORITHM_NONE:
-    return my_aes_decrypt_none;
-    break;
-  default:
-    return NULL;
-  }
-  return NULL;
-}
-
-my_aes_encrypt_dynamic_type
-get_aes_encrypt_func(enum_my_aes_encryption_algorithm method)
-{
-  switch (method)
-  {
-    /* used for encrypting tables */
-  case MY_AES_ALGORITHM_ECB:
-    return my_aes_encrypt_ecb;
-    break;
-  case MY_AES_ALGORITHM_CBC:
-    return my_aes_encrypt_cbc;
-    break;
-#ifdef HAVE_EncryptAes128Ctr
-    /* encrypt everything, with a set of keys */
-  case MY_AES_ALGORITHM_CTR:
-    return my_aes_encrypt_ctr;
-    break;
-#endif
-    /* Simulate encrypting interface */
-  case MY_AES_ALGORITHM_NONE:
-    return my_aes_encrypt_none;
-    break;
-  default:
-    return NULL;
-  }
-  return NULL;
-}
-
 /**
   Get size of buffer which will be large enough for encrypted data
 

mysys_ssl/my_crypt.cc

@@ -26,8 +26,8 @@ static const Dir CRYPT_ENCRYPT = TaoCrypt::ENCRYPTION;
 static const Dir CRYPT_DECRYPT = TaoCrypt::DECRYPTION;
 
 typedef TaoCrypt::Mode CipherMode;
-static inline CipherMode aes_ecb(uint8) { return TaoCrypt::ECB; }
-static inline CipherMode aes_cbc(uint8) { return TaoCrypt::CBC; }
+static inline CipherMode aes_ecb(uint) { return TaoCrypt::ECB; }
+static inline CipherMode aes_cbc(uint) { return TaoCrypt::CBC; }
 
 typedef TaoCrypt::byte KeyByte;
 
@@ -42,7 +42,7 @@ static const Dir CRYPT_DECRYPT = 0;
 typedef const EVP_CIPHER *CipherMode;
 
 #define make_aes_dispatcher(mode)                               \
-  static inline CipherMode aes_ ## mode(uint8 key_length)       \
+  static inline CipherMode aes_ ## mode(uint key_length)       \
   {                                                             \
     switch (key_length) {                                       \
     case 16: return EVP_aes_128_ ## mode();                     \
@@ -67,10 +67,10 @@ struct MyCTX : EVP_CIPHER_CTX {
 #endif
 
 static int do_crypt(CipherMode cipher, Dir dir,
-                    const uchar* source, uint32 source_length,
-                    uchar* dest, uint32* dest_length,
-                    const KeyByte *key, uint8 key_length,
-                    const KeyByte *iv, uint8 iv_length, int no_padding)
+                    const uchar* source, uint source_length,
+                    uchar* dest, uint* dest_length,
+                    const KeyByte *key, uint key_length,
+                    const KeyByte *iv, uint iv_length, int no_padding)
 {
   int tail= source_length % MY_AES_BLOCK_SIZE;
 
@@ -123,8 +123,8 @@ static int do_crypt(CipherMode cipher, Dir dir,
 
   EVP_CIPHER_CTX_set_padding(&ctx, !no_padding);
 
-  DBUG_ASSERT(EVP_CIPHER_CTX_key_length(&ctx) == key_length);
-  DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(&ctx) == iv_length);
+  DBUG_ASSERT(EVP_CIPHER_CTX_key_length(&ctx) == (int)key_length);
+  DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(&ctx) == (int)iv_length);
   DBUG_ASSERT(EVP_CIPHER_CTX_block_size(&ctx) == MY_AES_BLOCK_SIZE || !no_padding);
 
   /* use built-in OpenSSL padding, if possible */
@@ -164,11 +164,11 @@ C_MODE_START
 
 #ifdef HAVE_EncryptAes128Ctr
 
-int my_aes_encrypt_ctr(const uchar* source, uint32 source_length,
-                       uchar* dest, uint32* dest_length,
-                       const uchar* key, uint8 key_length,
-                       const uchar* iv, uint8 iv_length,
-                       uint no_padding)
+int my_aes_encrypt_ctr(const uchar* source, uint source_length,
+                       uchar* dest, uint* dest_length,
+                       const uchar* key, uint key_length,
+                       const uchar* iv, uint iv_length,
+                       int no_padding)
 {
   /* CTR is a stream cipher mode, it needs no special padding code */
   return do_crypt(aes_ctr(key_length), CRYPT_ENCRYPT, source, source_length,
@@ -176,11 +176,11 @@ int my_aes_encrypt_ctr(const uchar* source, uint32 source_length,
 }
 
 
-int my_aes_decrypt_ctr(const uchar* source, uint32 source_length,
-                       uchar* dest, uint32* dest_length,
-                       const uchar* key, uint8 key_length,
-                       const uchar* iv, uint8 iv_length,
-                       uint no_padding)
+int my_aes_decrypt_ctr(const uchar* source, uint source_length,
+                       uchar* dest, uint* dest_length,
+                       const uchar* key, uint key_length,
+                       const uchar* iv, uint iv_length,
+                       int no_padding)
 {
   return do_crypt(aes_ctr(key_length), CRYPT_DECRYPT, source, source_length,
                   dest, dest_length, key, key_length, iv, iv_length, 0);
@@ -188,41 +188,41 @@ int my_aes_decrypt_ctr(const uchar* source, uint32 source_length,
 
 #endif /* HAVE_EncryptAes128Ctr */
 
-int my_aes_encrypt_ecb(const uchar* source, uint32 source_length,
-                       uchar* dest, uint32* dest_length,
-                       const uchar* key, uint8 key_length,
-                       const uchar* iv, uint8 iv_length,
-                       uint no_padding)
+int my_aes_encrypt_ecb(const uchar* source, uint source_length,
+                       uchar* dest, uint* dest_length,
+                       const uchar* key, uint key_length,
+                       const uchar* iv, uint iv_length,
+                       int no_padding)
 {
   return do_crypt(aes_ecb(key_length), CRYPT_ENCRYPT, source, source_length,
                         dest, dest_length, key, key_length, 0, 0, no_padding);
 }
 
-int my_aes_decrypt_ecb(const uchar* source, uint32 source_length,
-                       uchar* dest, uint32* dest_length,
-                       const uchar* key, uint8 key_length,
-                       const uchar* iv, uint8 iv_length,
-                       uint no_padding)
+int my_aes_decrypt_ecb(const uchar* source, uint source_length,
+                       uchar* dest, uint* dest_length,
+                       const uchar* key, uint key_length,
+                       const uchar* iv, uint iv_length,
+                       int no_padding)
 {
   return do_crypt(aes_ecb(key_length), CRYPT_DECRYPT, source, source_length,
                         dest, dest_length, key, key_length, 0, 0, no_padding);
 }
 
-int my_aes_encrypt_cbc(const uchar* source, uint32 source_length,
-                       uchar* dest, uint32* dest_length,
-                       const uchar* key, uint8 key_length,
-                       const uchar* iv, uint8 iv_length,
-                       uint no_padding)
+int my_aes_encrypt_cbc(const uchar* source, uint source_length,
+                       uchar* dest, uint* dest_length,
+                       const uchar* key, uint key_length,
+                       const uchar* iv, uint iv_length,
+                       int no_padding)
 {
   return do_crypt(aes_cbc(key_length), CRYPT_ENCRYPT, source, source_length,
                         dest, dest_length, key, key_length, iv, iv_length, no_padding);
 }
 
-int my_aes_decrypt_cbc(const uchar* source, uint32 source_length,
-                       uchar* dest, uint32* dest_length,
-                       const uchar* key, uint8 key_length,
-                       const uchar* iv, uint8 iv_length,
-                       uint no_padding)
+int my_aes_decrypt_cbc(const uchar* source, uint source_length,
+                       uchar* dest, uint* dest_length,
+                       const uchar* key, uint key_length,
+                       const uchar* iv, uint iv_length,
+                       int no_padding)
 {
   return do_crypt(aes_cbc(key_length), CRYPT_DECRYPT, source, source_length,
                         dest, dest_length, key, key_length, iv, iv_length, no_padding);

plugin/debug_key_management/debug_key_management_plugin.cc

@@ -64,7 +64,8 @@ static unsigned int get_key(unsigned int version, unsigned char* dstbuf, unsigne
 struct st_mariadb_encryption debug_key_management_plugin= {
   MariaDB_ENCRYPTION_INTERFACE_VERSION,
   get_latest_key_version,
-  get_key
+  get_key,
+  0, 0 // use default encrypt/decrypt functions
 };
 
 /*

plugin/example_key_management/example_key_management_plugin.cc

@@ -27,11 +27,9 @@
 
 #include <my_global.h>
 #include <my_pthread.h>
-#include <my_aes.h>
 #include <mysql/plugin_encryption.h>
-#include <my_md5.h>
 #include <my_rnd.h>
-#include "sql_class.h"
+#include <my_crypt.h>
 
 /* rotate key randomly between 45 and 90 seconds */
 #define KEY_ROTATION_MIN 45
@@ -61,12 +59,12 @@ get_latest_key_version()
 static unsigned int
 get_key(unsigned int version, unsigned char* dstbuf, unsigned *buflen)
 {
-  if (*buflen < MD5_HASH_SIZE)
+  if (*buflen < MY_MD5_HASH_SIZE)
   {
-    *buflen= MD5_HASH_SIZE;
+    *buflen= MY_MD5_HASH_SIZE;
     return KEY_BUFFER_TOO_SMALL;
   }
-  *buflen= MD5_HASH_SIZE;
+  *buflen= MY_MD5_HASH_SIZE;
   if (!dstbuf)
     return 0;
 
@@ -75,21 +73,35 @@ get_key(unsigned int version, unsigned char* dstbuf, unsigned *buflen)
   return 0;
 }
 
+/*
+  for the sake of an example, let's use different encryption algorithms/modes
+  for different keys.
+*/
+int encrypt(const unsigned char* src, unsigned int slen,
+            unsigned char* dst, unsigned int* dlen,
+            const unsigned char* key, unsigned int klen,
+            const unsigned char* iv, unsigned int ivlen,
+            int no_padding, unsigned int key_version)
+{
+  return ((key_version & 1) ? my_aes_encrypt_cbc : my_aes_encrypt_ecb)
+    (src, slen, dst, dlen, key, klen, iv, ivlen, no_padding);
+}
+
+int decrypt(const unsigned char* src, unsigned int slen,
+            unsigned char* dst, unsigned int* dlen,
+            const unsigned char* key, unsigned int klen,
+            const unsigned char* iv, unsigned int ivlen,
+            int no_padding, unsigned int key_version)
+{
+  return ((key_version & 1) ? my_aes_decrypt_cbc : my_aes_decrypt_ecb)
+    (src, slen, dst, dlen, key, klen, iv, ivlen, no_padding);
+}
+
 static int example_key_management_plugin_init(void *p)
 {
   /* init */
   my_rnd_init(&seed, time(0), 0);
   get_latest_key_version();
-
-  if (current_aes_dynamic_method == MY_AES_ALGORITHM_NONE)
-  {
-    sql_print_error("No encryption method choosen with --encryption-algorithm. "
-                    "example_key_management_plugin disabled");
-    return 1;
-  }
-
-  my_aes_init_dynamic_encrypt(current_aes_dynamic_method);
-
   pthread_mutex_init(&mutex, NULL);
 
   return 0;
@@ -104,7 +116,9 @@ static int example_key_management_plugin_deinit(void *p)
 struct st_mariadb_encryption example_key_management_plugin= {
   MariaDB_ENCRYPTION_INTERFACE_VERSION,
   get_latest_key_version,
-  get_key
+  get_key,
+  encrypt,
+  decrypt
 };
 
 /*

plugin/file_key_management/file_key_management_plugin.cc

@@ -15,12 +15,28 @@
 
 
 #include "parser.h"
-#include <mysql_version.h>
 #include <mysql/plugin_encryption.h>
 #include <string.h>
 
 static char* filename;
 static char* filekey;
+static unsigned long encryption_algorithm;
+
+static const char *encryption_algorithm_names[]=
+{
+  "aes_cbc",
+#ifdef HAVE_EncryptAes128Ctr
+  "aes_ctr",
+#endif
+  0
+};
+
+static TYPELIB encryption_algorithm_typelib=
+{
+  array_elements(encryption_algorithm_names)-1,"",
+  encryption_algorithm_names, NULL
+};
+
 
 static MYSQL_SYSVAR_STR(filename, filename,
   PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_READONLY,
@@ -32,9 +48,15 @@ static MYSQL_SYSVAR_STR(filekey, filekey,
   "Key to encrypt / decrypt the keyfile.",
   NULL, NULL, "");
 
+static MYSQL_SYSVAR_ENUM(encryption_algorithm, encryption_algorithm,
+  PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_READONLY,
+  "Encryption algorithm to use.",
+  NULL, NULL, 0, &encryption_algorithm_typelib);
+
 static struct st_mysql_sys_var* settings[] = {
   MYSQL_SYSVAR(filename),
   MYSQL_SYSVAR(filekey),
+  MYSQL_SYSVAR(encryption_algorithm),
   NULL
 };
 
@@ -88,18 +110,37 @@ static unsigned int get_key_from_key_file(unsigned int key_id,
   return 0;
 }
 
+struct st_mariadb_encryption file_key_management_plugin= {
+  MariaDB_ENCRYPTION_INTERFACE_VERSION,
+  get_highest_key_used_in_key_file,
+  get_key_from_key_file,
+  0,0
+};
+
 static int file_key_management_plugin_init(void *p)
 {
   Parser parser(filename, filekey);
+  switch (encryption_algorithm) {
+  case 0: // AES_CBC
+    file_key_management_plugin.encrypt=
+      (encrypt_decrypt_func)my_aes_encrypt_cbc;
+    file_key_management_plugin.decrypt=
+      (encrypt_decrypt_func)my_aes_decrypt_cbc;
+    break;
+#ifdef HAVE_EncryptAes128Ctr
+  case 1: // AES_CTR
+    file_key_management_plugin.encrypt=
+      (encrypt_decrypt_func)my_aes_encrypt_ctr;
+    file_key_management_plugin.decrypt=
+      (encrypt_decrypt_func)my_aes_decrypt_ctr;
+    break;
+#endif
+  default:
+    return 1; // cannot happen
+  }
   return parser.parse(&keys);
 }
 
-struct st_mariadb_encryption file_key_management_plugin= {
-  MariaDB_ENCRYPTION_INTERFACE_VERSION,
-  get_highest_key_used_in_key_file,
-  get_key_from_key_file
-};
-
 /*
   Plugin library descriptor
 */

sql/encryption_keys.cc

+/* Copyright (C) 2015 MariaDB
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 of the License.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA */
+
 #include <my_global.h>
 #include <mysql/plugin_encryption.h>
 #include "log.h"
 #include "sql_plugin.h"
+#include <my_crypt.h>
 
 /* there can be only one encryption plugin enabled */
 static plugin_ref encryption_key_manager= 0;
@@ -34,6 +50,34 @@ uint get_encryption_key(uint version, uchar* key, uint *size)
   return BAD_ENCRYPTION_KEY_VERSION;
 }
 
+int encrypt_data(const uchar* source, uint source_length,
+                 uchar* dest, uint* dest_length,
+                 const uchar* key, uint key_length,
+                 const uchar* iv, uint iv_length,
+                 int no_padding, uint key_version)
+{
+  if (encryption_key_manager)
+    return handle->encrypt(source, source_length,
+                           dest, dest_length, key, key_length,
+                           iv, iv_length, no_padding, key_version);
+  return 1;
+}
+
+
+int decrypt_data(const uchar* source, uint source_length,
+                 uchar* dest, uint* dest_length,
+                 const uchar* key, uint key_length,
+                 const uchar* iv, uint iv_length,
+                 int no_padding, uint key_version)
+{
+  if (encryption_key_manager)
+    return handle->decrypt(source, source_length,
+                           dest, dest_length, key, key_length,
+                           iv, iv_length, no_padding, key_version);
+  return 1;
+}
+
+
 int initialize_encryption_plugin(st_plugin_int *plugin)
 {
   if (encryption_key_manager)
@@ -49,6 +93,13 @@ int initialize_encryption_plugin(st_plugin_int *plugin)
   encryption_key_manager= plugin_lock(NULL, plugin_int_to_ref(plugin));
   handle= (struct st_mariadb_encryption*)
             plugin->plugin->info;
+
+  /* default encryption algorithm */
+  if (!handle->encrypt)
+    handle->encrypt= (encrypt_decrypt_func)my_aes_encrypt_cbc;
+  if (!handle->decrypt)
+    handle->decrypt= (encrypt_decrypt_func)my_aes_decrypt_cbc;
+
   return 0;
 }
 

sql/item_strfunc.h

@@ -142,7 +142,9 @@ class Item_aes_crypt :public Item_str_func
   void create_key(String *user_key, uchar* key);
 
 protected:
-  my_aes_encrypt_dynamic_type crypt;
+  int (*crypt)(const uchar* src, uint slen, uchar* dst, uint* dlen,
+               const uchar* key, uint klen, const uchar* iv, uint ivlen,
+               int no_padding);
 
 public:
   Item_aes_crypt(Item *a, Item *b) :Item_str_func(a,b) {}

sql/mysqld.cc

@@ -630,7 +630,6 @@ char *mysqld_unix_port, *opt_mysql_tmpdir;
 ulong thread_handling;
 
 my_bool encrypt_tmp_disk_tables;
-ulong   encryption_algorithm;
 
 /** name of reference on left expression in rewritten IN subquery */
 const char *in_left_expr_name= "<left expr>";
@@ -4804,13 +4803,6 @@ static int init_server_components()
   my_rnd_init(&sql_rand,(ulong) server_start_time,(ulong) server_start_time/2);
   setup_fpu();
   init_thr_lock();
-  if (my_aes_init_dynamic_encrypt((enum_my_aes_encryption_algorithm)
-                                  encryption_algorithm))
-  {
-    fprintf(stderr, "Can't initialize encryption algorithm to \"%s\".\nCheck that the program is linked with the right library (openssl?)\n",
-            encryption_algorithm_names[encryption_algorithm]);
-    unireg_abort(1);
-  }
 
 #ifndef EMBEDDED_LIBRARY
   if (init_thr_timer(thread_scheduler->max_threads + extra_max_connections))

sql/sql_plugin_services.h

@@ -143,7 +143,9 @@ static struct encryption_keys_service_st encryption_keys_handler=
 {
   get_latest_encryption_key_version,
   has_encryption_key,
-  get_encryption_key
+  get_encryption_key,
+  encrypt_data,
+  decrypt_data
 };
 
 static struct thd_specifics_service_st thd_specifics_handler=

sql/sys_vars.cc

@@ -5168,14 +5168,6 @@ static Sys_var_mybool Sys_encrypt_tmp_disk_tables(
        GLOBAL_VAR(encrypt_tmp_disk_tables),
        CMD_LINE(OPT_ARG), DEFAULT(FALSE));
 
-const char *encryption_algorithm_names[]=
-{ "none", "aes_ecb", "aes_cbc", "aes_ctr", 0 };
-static Sys_var_enum Sys_encryption_algorithm(
-       "encryption_algorithm",
-       "Which encryption algorithm to use for table encryption. aes_cbc is the recommended one.",
-       READ_ONLY GLOBAL_VAR(encryption_algorithm),CMD_LINE(REQUIRED_ARG),
-       encryption_algorithm_names, DEFAULT(0));
-
 static bool check_pseudo_slave_mode(sys_var *self, THD *thd, set_var *var)
 {
   longlong previous_val= thd->variables.pseudo_slave_mode;

storage/innobase/fil/fil0crypt.cc

@@ -693,11 +693,9 @@ fil_space_encrypt(ulint space, ulint offset, lsn_t lsn,
 		srclen = page_size -  FIL_PAGE_DATA;
 	}
 
-	int rc = (* my_aes_encrypt_dynamic)(src, srclen,
-	                                    dst, &dstlen,
-	                                    (unsigned char*)key, key_length,
-	                                    (unsigned char*)iv, sizeof(iv),
-	                                    1);
+	int rc = encrypt_data(src, srclen, dst, &dstlen,
+	                      (unsigned char*)key, key_length,
+	                      (unsigned char*)iv, sizeof(iv), 1, key_version);
 
 	if (! ((rc == AES_OK) && ((ulint) dstlen == srclen))) {
 		ib_logf(IB_LOG_LEVEL_FATAL,
@@ -867,11 +865,9 @@ fil_space_decrypt(fil_space_crypt_t* crypt_data,
 		srclen = pow((double)2, (double)((int)compressed_len)) - FIL_PAGE_DATA;
 	}
 
-	int rc = (* my_aes_decrypt_dynamic)(src, srclen,
-	                                    dst, &dstlen,
-	                                    (unsigned char*)key, key_length,
-	                                    (unsigned char*)iv, sizeof(iv),
-	                                    1);
+	int rc = decrypt_data(src, srclen, dst, &dstlen,
+	                      (unsigned char*)key, key_length,
+	                      (unsigned char*)iv, sizeof(iv), 1, key_version);
 
 	if (! ((rc == AES_OK) && ((ulint) dstlen == srclen))) {
 		ib_logf(IB_LOG_LEVEL_FATAL,

storage/innobase/include/log0crypt.h

@@ -17,6 +17,8 @@ Created 11/25/2013 Minli Zhu
 #define PURPOSE_BYTE_OFFSET	0
 #define UNENCRYPTED_KEY_VER	0
 
+typedef int Crypt_result;
+
 /* If true, enable redo log encryption. */
 extern my_bool srv_encrypt_log;
 /* Plain text used by AES_ECB to generate redo log crypt key. */

storage/innobase/log/log0crypt.cc

@@ -32,7 +32,6 @@ Modified           Jan Lindström jan.lindstrom@mariadb.com
 #include "srv0start.h" // for srv_start_lsn
 #include "log0recv.h"  // for recv_sys
 
-#include "mysql/plugin_encryption.h" // for BAD_ENCRYPTION_KEY_VERSION
 #include "ha_prototypes.h" // IB_LOG_
 
 /* If true, enable redo log encryption. */
@@ -127,12 +126,10 @@ log_init_crypt_key(
 	}
 
 	uint32 dst_len;
-	my_aes_encrypt_dynamic_type func= get_aes_encrypt_func(MY_AES_ALGORITHM_ECB);
-	int rc= (*func)(crypt_msg, MY_AES_BLOCK_SIZE, //src, srclen
+	int rc= my_aes_encrypt_ecb(crypt_msg, MY_AES_BLOCK_SIZE, //src, srclen
                         key, &dst_len, //dst, &dstlen
                         (unsigned char*)&mysqld_key, sizeof(mysqld_key),
-                        NULL, 0,
-                        1);
+                        NULL, 0, 1);
 
 	if (rc != AES_OK || dst_len != MY_AES_BLOCK_SIZE)
 	{
@@ -207,11 +204,11 @@ log_blocks_crypt(
 		mach_write_to_4(aes_ctr_counter + 11, log_block_no);
 		bzero(aes_ctr_counter + 15, 1);
 
-		int rc = (* my_aes_encrypt_dynamic)(log_block + LOG_BLOCK_HDR_SIZE, src_len,
-		                                dst_block + LOG_BLOCK_HDR_SIZE, &dst_len,
-		                                (unsigned char*)key, 16,
-		                                aes_ctr_counter, MY_AES_BLOCK_SIZE,
-		                                1);
+		int rc = encrypt_data(log_block + LOG_BLOCK_HDR_SIZE, src_len,
+		                      dst_block + LOG_BLOCK_HDR_SIZE, &dst_len,
+		                      (unsigned char*)key, 16,
+		                      aes_ctr_counter, MY_AES_BLOCK_SIZE, 1,
+                                      recv_sys->recv_log_crypt_ver);
 
 		ut_a(rc == AES_OK);
 		ut_a(dst_len == src_len);
@@ -266,8 +263,7 @@ log_crypt_set_ver_and_key(
 		encrypted = true;
 
 		if (vkey == UNENCRYPTED_KEY_VER ||
-		    vkey == BAD_ENCRYPTION_KEY_VERSION ||
-			vkey == (unsigned int)CRYPT_KEY_UNKNOWN) {
+		    vkey == BAD_ENCRYPTION_KEY_VERSION) {
 			encrypted = false;
 
 			ib_logf(IB_LOG_LEVEL_WARN,

storage/maria/ma_check_standalone.h

@@ -23,6 +23,40 @@ void _mi_report_crashed(void *file __attribute__((unused)),
 {
 }
 
+unsigned int get_latest_encryption_key_version()
+{
+  return BAD_ENCRYPTION_KEY_VERSION;
+}
+
+int encrypt_data(const uchar* source __attribute__((unused)),
+                 uint source_length __attribute__((unused)),
+                 uchar* dest __attribute__((unused)),
+                 uint* dest_length __attribute__((unused)),
+                 const uchar* key __attribute__((unused)),
+                 uint key_length __attribute__((unused)),
+                 const uchar* iv __attribute__((unused)),
+                 uint iv_length __attribute__((unused)),
+                 int no_padding __attribute__((unused)),
+                 uint key_version __attribute__((unused)))
+{
+  return 1;
+}
+
+
+int decrypt_data(const uchar* source __attribute__((unused)),
+                 uint source_length __attribute__((unused)),
+                 uchar* dest __attribute__((unused)),
+                 uint* dest_length __attribute__((unused)),
+                 const uchar* key __attribute__((unused)),
+                 uint key_length __attribute__((unused)),
+                 const uchar* iv __attribute__((unused)),
+                 uint iv_length __attribute__((unused)),
+                 int no_padding __attribute__((unused)),
+                 uint key_version __attribute__((unused)))
+{
+  return 1;
+}
+
 /* only those that included myisamchk.h may need and can use the below */
 #ifdef _myisamchk_h
 /*
@@ -121,5 +155,6 @@ void _ma_check_print_error(HA_CHECK *param, const char *fmt,...)
   va_end(args);
   DBUG_VOID_RETURN;
 }
+
 #endif
 

storage/maria/ma_crypt.c

@@ -16,7 +16,6 @@
   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA */
 
 #include <my_global.h>
-#include "ma_crypt.h"
 #include "maria_def.h"
 #include "ma_blockrec.h"
 #include <my_crypt.h>
@@ -291,7 +290,7 @@ void ma_crypt_set_data_pagecache_callbacks(PAGECACHE_FILE *file,
                                            __attribute__((unused)))
 {
   /* Only use encryption if we have defined it */
-  if (likely(current_aes_dynamic_method != MY_AES_ALGORITHM_NONE))
+  if (get_latest_encryption_key_version() != BAD_ENCRYPTION_KEY_VERSION)
   {
     file->pre_read_hook= ma_crypt_pre_read_hook;
     file->post_read_hook= ma_crypt_data_post_read_hook;
@@ -411,17 +410,16 @@ static int ma_encrypt(MARIA_CRYPT_DATA *crypt_data,
   int rc;
   uint32 dstlen;
   uchar counter[COUNTER_LEN];
+  *key_version= 1;
 
   // create counter block
   memcpy(counter + 0, crypt_data->iv + CRYPT_SCHEME_1_IV_LEN, 4);
   int4store(counter + 4, pageno);
   int8store(counter + 8, lsn);
 
-  rc = my_aes_encrypt_dynamic(src, size,
-                              dst, &dstlen,
-                              crypt_data->iv, CRYPT_SCHEME_1_IV_LEN,
-                              counter, sizeof(counter),
-                              1);
+  rc = encrypt_data(src, size, dst, &dstlen,
+                    crypt_data->iv, CRYPT_SCHEME_1_IV_LEN,
+                    counter, sizeof(counter), 1, *key_version);
 
   DBUG_ASSERT(rc == AES_OK);
   DBUG_ASSERT(dstlen == size);
@@ -434,7 +432,6 @@ static int ma_encrypt(MARIA_CRYPT_DATA *crypt_data,
     return 1;
   }
 
-  *key_version= 1;
   return 0;
 }
 
@@ -452,11 +449,9 @@ static int ma_decrypt(MARIA_CRYPT_DATA *crypt_data,
   int4store(counter + 4, pageno);
   int8store(counter + 8, lsn);
 
-  rc = my_aes_decrypt_dynamic(src, size,
-                              dst, &dstlen,
-                              crypt_data->iv, CRYPT_SCHEME_1_IV_LEN,
-                              counter, sizeof(counter),
-                              1);
+  rc =decrypt_data(src, size, dst, &dstlen,
+                   crypt_data->iv, CRYPT_SCHEME_1_IV_LEN,
+                   counter, sizeof(counter), 1, key_version);
 
   DBUG_ASSERT(rc == AES_OK);
   DBUG_ASSERT(dstlen == size);

storage/xtradb/fil/fil0crypt.cc

@@ -693,11 +693,9 @@ fil_space_encrypt(ulint space, ulint offset, lsn_t lsn,
 		srclen = page_size -  FIL_PAGE_DATA;
 	}
 
-	int rc = (* my_aes_encrypt_dynamic)(src, srclen,
-	                                    dst, &dstlen,
-	                                    (unsigned char*)key, key_length,
-	                                    (unsigned char*)iv, sizeof(iv),
-	                                    1);
+	int rc = encrypt_data(src, srclen, dst, &dstlen,
+	                      (unsigned char*)key, key_length,
+	                      (unsigned char*)iv, sizeof(iv), 1, key_version);
 
 	if (! ((rc == AES_OK) && ((ulint) dstlen == srclen))) {
 		ib_logf(IB_LOG_LEVEL_FATAL,
@@ -867,11 +865,9 @@ fil_space_decrypt(fil_space_crypt_t* crypt_data,
 		srclen = pow((double)2, (double)((int)compressed_len)) - FIL_PAGE_DATA;
 	}
 
-	int rc = (* my_aes_decrypt_dynamic)(src, srclen,
-	                                    dst, &dstlen,
-	                                    (unsigned char*)key, key_length,
-	                                    (unsigned char*)iv, sizeof(iv),
-	                                    1);
+	int rc = decrypt_data(src, srclen, dst, &dstlen,
+	                      (unsigned char*)key, key_length,
+	                      (unsigned char*)iv, sizeof(iv), 1, key_version);
 
 	if (! ((rc == AES_OK) && ((ulint) dstlen == srclen))) {
 		ib_logf(IB_LOG_LEVEL_FATAL,

storage/xtradb/include/log0crypt.h

@@ -17,6 +17,8 @@ Created 11/25/2013 Minli Zhu
 #define PURPOSE_BYTE_OFFSET	0
 #define UNENCRYPTED_KEY_VER	0
 
+typedef int Crypt_result;
+
 /* If true, enable redo log encryption. */
 extern my_bool srv_encrypt_log;
 /* Plain text used by AES_ECB to generate redo log crypt key. */

storage/xtradb/log/log0crypt.cc

@@ -32,7 +32,6 @@ Modified           Jan Lindström jan.lindstrom@mariadb.com
 #include "srv0start.h" // for srv_start_lsn
 #include "log0recv.h"  // for recv_sys
 
-#include "mysql/plugin_encryption.h" // for BAD_ENCRYPTION_KEY_VERSION
 #include "ha_prototypes.h" // IB_LOG_
 
 /* If true, enable redo log encryption. */
@@ -127,12 +126,10 @@ log_init_crypt_key(
 	}
 
 	uint32 dst_len;
-	my_aes_encrypt_dynamic_type func= get_aes_encrypt_func(MY_AES_ALGORITHM_ECB);
-	int rc= (*func)(crypt_msg, MY_AES_BLOCK_SIZE, //src, srclen
+	int rc= my_aes_encrypt_ecb(crypt_msg, MY_AES_BLOCK_SIZE, //src, srclen
                         key, &dst_len, //dst, &dstlen
                         (unsigned char*)&mysqld_key, sizeof(mysqld_key),
-                        NULL, 0,
-                        1);
+                        NULL, 0, 1);
 
 	if (rc != AES_OK || dst_len != MY_AES_BLOCK_SIZE)
 	{
@@ -207,11 +204,11 @@ log_blocks_crypt(
 		mach_write_to_4(aes_ctr_counter + 11, log_block_no);
 		bzero(aes_ctr_counter + 15, 1);
 
-		int rc = (* my_aes_encrypt_dynamic)(log_block + LOG_BLOCK_HDR_SIZE, src_len,
-		                                dst_block + LOG_BLOCK_HDR_SIZE, &dst_len,
-		                                (unsigned char*)key, 16,
-		                                aes_ctr_counter, MY_AES_BLOCK_SIZE,
-		                                1);
+		int rc = encrypt_data(log_block + LOG_BLOCK_HDR_SIZE, src_len,
+		                      dst_block + LOG_BLOCK_HDR_SIZE, &dst_len,
+		                      (unsigned char*)key, 16,
+		                      aes_ctr_counter, MY_AES_BLOCK_SIZE, 1,
+                                      log_sys->redo_log_crypt_ver);
 
 		ut_a(rc == AES_OK);
 		ut_a(dst_len == src_len);
@@ -266,8 +263,7 @@ log_crypt_set_ver_and_key(
 		encrypted = true;
 
 		if (vkey == UNENCRYPTED_KEY_VER ||
-		    vkey == BAD_ENCRYPTION_KEY_VERSION ||
-			vkey == (unsigned int)CRYPT_KEY_UNKNOWN) {
+		    vkey == BAD_ENCRYPTION_KEY_VERSION) {
 			encrypted = false;
 
 			ib_logf(IB_LOG_LEVEL_WARN,