WL#9769: Keyring migration tool and new commercial keyring_encrypted_file plugin.

New Keyring plugin called keyring_encrypted_file plugin is introduced which will
store keyring data in file local to server host which is encrypted using a password.
This plugin when installed must be provided with a password which will be used to
decrypt the file to read the contents of file. Similarly this password will be used
to encrypt the data which needs to be stored in the data file.

This WL also introduces keyring migration tool which is used to migrate keys from
one keyring plugin to another. This tool is embedded in mysql server, this when
mysqld is invoked with migration specific options, mysql server will ast like a
migration tool.

Author: Bharathy Satish

include/mysql/plugin_keyring.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2016, 2017 Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -21,7 +21,7 @@
 */
 
 #include "plugin.h"
-#define MYSQL_KEYRING_INTERFACE_VERSION 0x0100
+#define MYSQL_KEYRING_INTERFACE_VERSION 0x0101
 
 /**
   The descriptor structure for the plugin, that is referred from
@@ -105,5 +105,80 @@ struct st_mysql_keyring
   */
   my_bool (*mysql_key_generate)(const char *key_id, const char *key_type,
                                 const char *user_id, size_t key_len);
+
+  /**
+    Keys_iterator object refers to an iterator which is used to iterate
+    on a list which refers to Key_metadata. Key_metadata hold information
+    about individual keys keyd_id and user_id. Keys_iterator should be used
+    in following sequence only.
+
+    void* iterator_ptr;
+    char key_id[64]= { 0 };
+    char user_id[64]= { 0 };
+
+    plugin_handle->mysql_key_iterator_init(&iterator_ptr);
+
+    if (iterator_ptr == NULL)
+      report error;
+
+    while (!(plugin_handle->mysql_key_iterator_get_key(iterator_ptr,
+           key_id, user_id)))
+    {
+       Fetch the keys.
+       Perform operations on the fetched keys.
+       ..
+    }
+    plugin_handle->mysql_key_iterator_deinit(iterator_ptr);
+
+    init() method accepts a void pointer which is the made to point to
+    Keys_iterator instance. Keys_iterator instance internal pointer points
+    to Key_metadata list. This list holds information about all keys stored
+    in the backed end data store of keyring plugin. After call to init()
+    please check iterator_ptr.
+
+    get_key() method accepts the above iterator_ptr as IN param and then
+    fills the passes in key_id and user_id with valid values. This can be
+    used to fetch actual key information. Every call to this method will
+    change internal pointers to advance to next position, so that the next
+    call will fetch the next key.
+
+    deinit() method frees all internal pointers along with iterator_ptr.
+  */
+  /**
+    Initialize an iterator.
+
+    @param[out]  key_iterator   Iterator used to fetch individual keys
+                                from key_container.
+
+    @return VOID
+  */
+  void (*mysql_key_iterator_init)(void** key_iterator);
+
+  /**
+    Deinitialize an iterator.
+
+    @param[in]   key_iterator   Iterator used to fetch individual keys
+                                from key_container.
+
+    @return VOID
+  */
+  void (*mysql_key_iterator_deinit)(void* key_iterator);
+
+  /**
+    Get details of key. Every call to this service will change
+    internal pointers to advance to next position, so that the next call
+    will fetch the next key. In case iterator moves to the end, this service
+    will return error.
+
+    @param[in]   key_iterator   Iterator used to fetch individual keys
+                                from key_container.
+    @param[out]  key_id         id of the key
+    @param[out]  user_id        id of the owner
+
+    @return Operation status
+      @retval 0 OK
+      @retval 1 ERROR
+  */
+  bool (*mysql_key_iterator_get_key)(void* key_iterator, char *key_id, char *user_id);
 };
 #endif

include/mysql/plugin_keyring.h.pp

@@ -121,4 +121,7 @@
   my_bool (*mysql_key_remove)(const char *key_id, const char *user_id);
   my_bool (*mysql_key_generate)(const char *key_id, const char *key_type,
                                 const char *user_id, size_t key_len);
+  void (*mysql_key_iterator_init)(void** key_iterator);
+  void (*mysql_key_iterator_deinit)(void* key_iterator);
+  bool (*mysql_key_iterator_get_key)(void* key_iterator, char *key_id, char *user_id);
 };

libmysql/CMakeLists.txt

@@ -178,13 +178,13 @@ SET(CLIENT_API_FUNCTIONS_UNDOCUMENTED
 )
 
 SET(CLIENT_SOURCES
-  get_password.c 
   libmysql.c
   errmsg.c
   ../sql-common/client.c 
   ../sql-common/my_time.c 
   ../sql-common/client_plugin.c 
   ../sql-common/client_authentication.cc
+  ../sql-common/get_password.c
   ../sql/net_serv.cc
   ../sql-common/pack.c 
   ../sql/auth/password.c

mysql-test/include/check_keys_after_migration.inc

@@ -0,0 +1,38 @@
+--echo # now master key is migrated
+--echo # access to this table should pass
+SELECT * FROM T;
+
+let $wl9769_destination_key1 = `SELECT hex(keyring_key_fetch('$key_name1'))`;
+let $wl9769_destination_key2 = `SELECT hex(keyring_key_fetch('$key_name2'))`;
+let $wl9769_destination_key3 = `SELECT hex(keyring_key_fetch('$key_name3'))`;
+
+let $wl9769_destination_key1_type = `SELECT keyring_key_type_fetch('$key_name1')`;
+let $wl9769_destination_key2_type = `SELECT keyring_key_type_fetch('$key_name2')`;
+let $wl9769_destination_key3_type = `SELECT keyring_key_type_fetch('$key_name3')`;
+
+let $wl9769_destination_key1_len = `SELECT keyring_key_length_fetch('$key_name1')`;
+let $wl9769_destination_key2_len = `SELECT keyring_key_length_fetch('$key_name2')`;
+let $wl9769_destination_key3_len = `SELECT keyring_key_length_fetch('$key_name3')`;
+
+--echo check if migration took place correctly
+--replace_result $wl9769_destination_key1 <wl9769_destination_key1> $wl9769_source_key1 <wl9769_source_key1>
+eval SELECT '$wl9769_destination_key1' = '$wl9769_source_key1';
+--replace_result $wl9769_destination_key2 <wl9769_destination_key2> $wl9769_source_key2 <wl9769_source_key2>
+eval SELECT '$wl9769_destination_key2' = '$wl9769_source_key2';
+--replace_result $wl9769_destination_key3 <wl9769_destination_key3> $wl9769_source_key3 <wl9769_source_key3>
+eval SELECT '$wl9769_destination_key3' = '$wl9769_source_key3';
+
+eval SELECT '$wl9769_destination_key1_type' = '$wl9769_source_key1_type';
+eval SELECT '$wl9769_destination_key2_type' = '$wl9769_source_key2_type';
+eval SELECT '$wl9769_destination_key3_type' = '$wl9769_source_key3_type';
+
+eval SELECT '$wl9769_destination_key1_len' = '$wl9769_source_key1_len';
+eval SELECT '$wl9769_destination_key2_len' = '$wl9769_source_key2_len';
+eval SELECT '$wl9769_destination_key3_len' = '$wl9769_source_key3_len';
+
+--replace_regex /[0-9]*-[0-9]*-[0-9]* [0-9]*:[0-9]*:[0-9]*.[0-9]*/key1_timestamp/
+eval SELECT keyring_key_remove('$key_name1');
+--replace_regex /[0-9]*-[0-9]*-[0-9]* [0-9]*:[0-9]*:[0-9]*.[0-9]*/key2_timestamp/
+eval SELECT keyring_key_remove('$key_name2');
+--replace_regex /[0-9]*-[0-9]*-[0-9]* [0-9]*:[0-9]*:[0-9]*.[0-9]*/key3_timestamp/
+eval SELECT keyring_key_remove('$key_name3');

mysql-test/include/generate_keys_before_migration.inc

@@ -0,0 +1,42 @@
+
+--echo # create encrypted table with master key generated from source keyring plugin
+CREATE TABLE T(i INT) ENCRYPTION='Y';
+INSERT INTO T VALUES (9769);
+SELECT * FROM T;
+
+--replace_regex /\.dll/.so/
+eval INSTALL PLUGIN keyring_udf SONAME '$KEYRING_UDF';
+--replace_regex /\.dll/.so/
+eval CREATE FUNCTION keyring_key_generate RETURNS INTEGER SONAME '$KEYRING_UDF';
+--replace_regex /\.dll/.so/
+eval CREATE FUNCTION keyring_key_store RETURNS INTEGER SONAME '$KEYRING_UDF';
+--replace_regex /\.dll/.so/
+eval CREATE FUNCTION keyring_key_fetch RETURNS STRING SONAME '$KEYRING_UDF';
+--replace_regex /\.dll/.so/
+eval CREATE FUNCTION keyring_key_type_fetch RETURNS STRING SONAME '$KEYRING_UDF';
+--replace_regex /\.dll/.so/
+eval CREATE FUNCTION keyring_key_length_fetch RETURNS INTEGER SONAME '$KEYRING_UDF';
+--replace_regex /\.dll/.so/
+eval CREATE FUNCTION keyring_key_remove RETURNS INTEGER SONAME '$KEYRING_UDF';
+
+--let $key_name1=`select concat("key_", current_timestamp(6))`
+--replace_regex /[0-9]*-[0-9]*-[0-9]* [0-9]*:[0-9]*:[0-9]*.[0-9]*/key1_timestamp/
+--eval SELECT keyring_key_generate('$key_name1','AES',16)
+--let $key_name2=`select concat("key_", current_timestamp(6))`
+--replace_regex /[0-9]*-[0-9]*-[0-9]* [0-9]*:[0-9]*:[0-9]*.[0-9]*/key2_timestamp/
+--eval SELECT keyring_key_generate('$key_name2','AES',24)
+--let $key_name3=`select concat("key_", current_timestamp(6))`
+--replace_regex /[0-9]*-[0-9]*-[0-9]* [0-9]*:[0-9]*:[0-9]*.[0-9]*/key3_timestamp/
+--eval SELECT keyring_key_generate('$key_name3','AES',32)
+
+let $wl9769_source_key1 = `SELECT hex(keyring_key_fetch('$key_name1'))`;
+let $wl9769_source_key2 = `SELECT hex(keyring_key_fetch('$key_name2'))`;
+let $wl9769_source_key3 = `SELECT hex(keyring_key_fetch('$key_name3'))`;
+
+let $wl9769_source_key1_type = `SELECT keyring_key_type_fetch('$key_name1')`;
+let $wl9769_source_key2_type = `SELECT keyring_key_type_fetch('$key_name2')`;
+let $wl9769_source_key3_type = `SELECT keyring_key_type_fetch('$key_name3')`;
+
+let $wl9769_source_key1_len = `SELECT keyring_key_length_fetch('$key_name1')`;
+let $wl9769_source_key2_len = `SELECT keyring_key_length_fetch('$key_name2')`;
+let $wl9769_source_key3_len = `SELECT keyring_key_length_fetch('$key_name3')`;

mysql-test/r/mysqld--help-notwin.result

@@ -361,6 +361,26 @@ The following options may be given as the first argument:
  The default size of key cache blocks
  --key-cache-division-limit=# 
  The minimum percentage of warm blocks in key cache
+ --keyring-migration-destination=name 
+ Keyring plugin to which the keys are migrated to. This
+ option must be specified along with
+ --keyring-migration-source.
+ --keyring-migration-host=name 
+ Connect to host.
+ --keyring-migration-password[=name] 
+ Password to use when connecting to server during keyring
+ migration. If password value is not specified then it
+ will be asked from the tty.
+ --keyring-migration-port=# 
+ Port number to use for connection.
+ --keyring-migration-socket=name 
+ The socket file to use for connection.
+ --keyring-migration-source=name 
+ Keyring plugin from where the keys needs to be migrated
+ to. This option must be specified along with
+ --keyring-migration-destination.
+ --keyring-migration-user=name 
+ User to login to server.
  -L, --language=name Client error messages in given language. May be given as
  a full path. Deprecated. Use --lc-messages-dir instead.
  --large-pages       Enable support for large pages
@@ -1335,6 +1355,12 @@ key-buffer-size 8388608
 key-cache-age-threshold 300
 key-cache-block-size 1024
 key-cache-division-limit 100
+keyring-migration-destination (No default value)
+keyring-migration-host (No default value)
+keyring-migration-port 0
+keyring-migration-socket (No default value)
+keyring-migration-source (No default value)
+keyring-migration-user (No default value)
 language MYSQL_SHAREDIR/
 large-pages FALSE
 lc-messages en_US

mysql-test/r/mysqld--help-win.result

@@ -360,6 +360,26 @@ The following options may be given as the first argument:
  The default size of key cache blocks
  --key-cache-division-limit=# 
  The minimum percentage of warm blocks in key cache
+ --keyring-migration-destination=name 
+ Keyring plugin to which the keys are migrated to. This
+ option must be specified along with
+ --keyring-migration-source.
+ --keyring-migration-host=name 
+ Connect to host.
+ --keyring-migration-password[=name] 
+ Password to use when connecting to server during keyring
+ migration. If password value is not specified then it
+ will be asked from the tty.
+ --keyring-migration-port=# 
+ Port number to use for connection.
+ --keyring-migration-socket=name 
+ The socket file to use for connection.
+ --keyring-migration-source=name 
+ Keyring plugin from where the keys needs to be migrated
+ to. This option must be specified along with
+ --keyring-migration-destination.
+ --keyring-migration-user=name 
+ User to login to server.
  -L, --language=name Client error messages in given language. May be given as
  a full path. Deprecated. Use --lc-messages-dir instead.
  --lc-messages=name  Set the language used for the error messages.
@@ -1333,6 +1353,12 @@ key-buffer-size 8388608
 key-cache-age-threshold 300
 key-cache-block-size 1024
 key-cache-division-limit 100
+keyring-migration-destination (No default value)
+keyring-migration-host (No default value)
+keyring-migration-port 0
+keyring-migration-socket (No default value)
+keyring-migration-source (No default value)
+keyring-migration-user (No default value)
 language MYSQL_SHAREDIR/
 lc-messages en_US
 lc-messages-dir MYSQL_SHAREDIR/

mysql-test/suite/perfschema/r/show_sanity.result

@@ -410,6 +410,7 @@ SHOW_MODE	SOURCE	VARIABLE_NAME
 5.6	I_S.SESSION_VARIABLES	GTID_EXECUTED
 5.6	I_S.SESSION_VARIABLES	INNODB_DEADLOCK_DETECT
 5.6	I_S.SESSION_VARIABLES	INNODB_STATS_INCLUDE_DELETE_MARKED
+5.6	I_S.SESSION_VARIABLES	KEYRING_OPERATIONS
 5.6	I_S.SESSION_VARIABLES	LOG_STATEMENTS_UNSAFE_FOR_BINLOG
 5.6	I_S.SESSION_VARIABLES	TLS_VERSION
 
@@ -435,6 +436,7 @@ SHOW_MODE	SOURCE	VARIABLE_NAME
 5.6	I_S.SESSION_VARIABLES	GTID_EXECUTED
 5.6	I_S.SESSION_VARIABLES	INNODB_DEADLOCK_DETECT
 5.6	I_S.SESSION_VARIABLES	INNODB_STATS_INCLUDE_DELETE_MARKED
+5.6	I_S.SESSION_VARIABLES	KEYRING_OPERATIONS
 5.6	I_S.SESSION_VARIABLES	LOG_STATEMENTS_UNSAFE_FOR_BINLOG
 5.6	I_S.SESSION_VARIABLES	TLS_VERSION
 

mysql-test/suite/sys_vars/r/all_vars.result

@@ -15,6 +15,8 @@ left join t1 on variable_name=test_name where test_name is null ORDER BY variabl
 There should be *no* variables listed below:
 DISABLED_STORAGE_ENGINES
 DISABLED_STORAGE_ENGINES
+KEYRING_OPERATIONS
+KEYRING_OPERATIONS
 TLS_VERSION
 TLS_VERSION
 drop table t1;

packaging/deb-in/CMakeLists.txt

@@ -65,6 +65,7 @@ debian/extra/authentication_ldap_sasl-plugin
 debian/extra/authentication_ldap_simple-plugin
 debian/extra/firewall-plugin
 debian/extra/keyring_okv-plugin
+debian/extra/keyring_encrypted_file-plugin
 debian/extra/openssl_udf-plugin
 debian/extra/thread_pool-plugin
 ")
@@ -75,6 +76,7 @@ usr/lib/mysql/plugin/authentication_pam.so
 usr/lib/mysql/plugin/authentication_ldap_sasl.so
 usr/lib/mysql/plugin/authentication_ldap_simple.so
 usr/lib/mysql/plugin/keyring_okv.so
+usr/lib/mysql/plugin/keyring_encrypted_file.so
 usr/lib/mysql/plugin/openssl_udf.so
 usr/lib/mysql/plugin/thread_pool.so
 usr/lib/mysql/plugin/firewall.so
@@ -87,6 +89,7 @@ usr/lib/mysql/plugin/debug/authentication_pam.so
 usr/lib/mysql/plugin/debug/authentication_ldap_sasl.so
 usr/lib/mysql/plugin/debug/authentication_ldap_simple.so
 usr/lib/mysql/plugin/debug/keyring_okv.so
+usr/lib/mysql/plugin/debug/keyring_encrypted_file.so
 usr/lib/mysql/plugin/debug/openssl_udf.so
 usr/lib/mysql/plugin/debug/thread_pool.so
 usr/lib/mysql/plugin/debug/firewall.so

packaging/rpm-oel/mysql.spec.in

@@ -1016,6 +1016,7 @@ fi
 %attr(755, root, root) %{_libdir}/mysql/plugin/authentication_ldap_sasl.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/authentication_ldap_simple.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/keyring_okv.so
+%attr(755, root, root) %{_libdir}/mysql/plugin/keyring_encrypted_file.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/thread_pool.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/openssl_udf.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/firewall.so
@@ -1025,6 +1026,7 @@ fi
 %attr(755, root, root) %{_libdir}/mysql/plugin/debug/authentication_ldap_sasl.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/debug/authentication_ldap_simple.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/debug/keyring_okv.so
+%attr(755, root, root) %{_libdir}/mysql/plugin/debug/keyring_encrypted_file.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/debug/thread_pool.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/debug/openssl_udf.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/debug/firewall.so
@@ -1360,6 +1362,9 @@ fi
 %endif # cluster
 
 %changelog
+* Wed Nov 08 2017 Bharathy Satish <bharathy.x.satish. - 5.7.21-1
+- Add keyring_encrypted_file.so plugin
+
 * Tue Oct 31 2017 Bjorn Munch <[email protected]> - 5.7.21-1
 - Remove obsoleted mysqltest man pages
 

packaging/rpm-sles/mysql.spec.in

@@ -838,6 +838,7 @@ fi
 %attr(755, root, root) %{_libdir}/mysql/plugin/authentication_ldap_sasl.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/authentication_ldap_simple.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/keyring_okv.so
+%attr(755, root, root) %{_libdir}/mysql/plugin/keyring_encrypted_file.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/thread_pool.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/openssl_udf.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/firewall.so
@@ -847,6 +848,7 @@ fi
 %attr(755, root, root) %{_libdir}/mysql/plugin/debug/authentication_ldap_sasl.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/debug/authentication_ldap_simple.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/debug/keyring_okv.so
+%attr(755, root, root) %{_libdir}/mysql/plugin/debug/keyring_encrypted_file.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/debug/thread_pool.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/debug/openssl_udf.so
 %attr(755, root, root) %{_libdir}/mysql/plugin/debug/firewall.so
@@ -1165,6 +1167,9 @@ fi
 %endif # cluster
 
 %changelog
+* Wed 08 2017 Bharathy Satish <[email protected]> - 5.7.21-1
+- Add keyring_encrypted_file.so plugin
+
 * Tue Oct 31 2017 Bjorn Munch <[email protected]> - 5.7.21-1
 - Remove obsoleted mysqltest man pages
 

plugin/keyring/CMakeLists.txt

@@ -22,6 +22,7 @@ SET(
     KEYRING_FILE_SOURCES
     common/keyring_key.cc
     common/keys_container.cc
+    common/keys_iterator.cc
     common/keyring_impl.cc
     keyring.cc
     hash_to_buffer_serializer.cc