WL#5769, WL#8821 and WL#8548

WL#5769: Keyring service for MySQL
- Added keyring service
- Added file based keyring plugin : keyring_file

WL#8821: Innodb tablespace encryption key rotation
         SQL commands
- Added syntax and server support for master key
  rotation SQL:
  ALTER INSTANCE ROTATE INNODB MASTER KEY
- Added support to load plugin before mandatory/built-in
  plugins using new option : --early-plugin-load
- Added support for compile time default for
  --early-plugin-load

WL#8548: InnoDB: Transparent data encryption
- Added new option for table creation for enablin
  data encryption : ENCRYPTION="Y"/"N"
- Added transparent data encryption using keyring service
- Added support for master key rotation
- Added support for import/export of encrypted tablespace

Author: harinvadodaria

CMakeLists.txt

@@ -1,4 +1,4 @@
-# Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -412,6 +412,11 @@ IF(INSTALL_MYSQLDATADIR MATCHES "^/.*")
 ELSE()
   SET(MYSQL_DATADIR "${DEFAULT_MYSQL_HOME}/${INSTALL_MYSQLDATADIR}" CACHE PATH "default MySQL data directory")
 ENDIF()
+IF(INSTALL_MYSQLKEYRINGDIR MATCHES "^/.*")
+  SET(MYSQL_KEYRINGDIR ${INSTALL_MYSQLKEYRINGDIR} CACHE PATH "default MySQL keyring directory")
+ELSE()
+  SET(MYSQL_KEYRINGDIR "${DEFAULT_MYSQL_HOME}/${INSTALL_MYSQLKEYRINGDIR}" CACHE PATH "default MySQL keyring directory")
+ENDIF()
 SET(DEFAULT_CHARSET_HOME "${DEFAULT_MYSQL_HOME}")
 SET(PLUGINDIR "${DEFAULT_MYSQL_HOME}/${INSTALL_PLUGINDIR}")
 IF(SYSCONFDIR)
@@ -534,6 +539,8 @@ IF(WITH_UNIT_TESTS)
 ENDIF()
 
 IF(NOT WITHOUT_SERVER)
+  # Set default keyring plugin information
+  SET(KEYRING_PLUGIN_INFO "" CACHE INTERNAL "")
   SET (MYSQLD_STATIC_PLUGIN_LIBS "" CACHE INTERNAL "")
   SET (MYSQLD_STATIC_EMBEDDED_PLUGIN_LIBS "" CACHE INTERNAL "")
   # Add storage engines and plugins.
@@ -600,6 +607,10 @@ IF(NOT WITHOUT_SERVER)
   IF(EXISTS ${CMAKE_SOURCE_DIR}/internal/CMakeLists.txt)
     ADD_SUBDIRECTORY(internal)
   ENDIF()
+  # Set default value for --early_load_plugin.
+  # KEYRING_PLUGIN_INFO should have been set to appropriate default
+  # by keyring plugin
+  SET(DEFAULT_EARLY_PLUGIN_LOAD "\"${KEYRING_PLUGIN_INFO}\"" CACHE INTERNAL "Default value for --early_plugin_load" FORCE)
   ADD_SUBDIRECTORY(packaging/rpm-oel)
   ADD_SUBDIRECTORY(packaging/rpm-fedora)
   ADD_SUBDIRECTORY(packaging/rpm-sles)

cmake/abi_check.cmake

@@ -1,4 +1,4 @@
-# Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -45,6 +45,7 @@ IF(CMAKE_COMPILER_IS_GNUCC AND RUN_ABI_CHECK)
     ${CMAKE_SOURCE_DIR}/include/mysql/client_plugin.h
     ${CMAKE_SOURCE_DIR}/include/mysql/plugin_auth.h
     ${CMAKE_SOURCE_DIR}/include/mysql/services.h
+    ${CMAKE_SOURCE_DIR}/include/mysql/plugin_keyring.h
   )
 
   ADD_CUSTOM_TARGET(abi_check ALL

cmake/install_layout.cmake

@@ -1,4 +1,4 @@
-# Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -71,6 +71,7 @@
 # - INSTALL_SUPPORTFILESDIR (various extra support files)
 #
 # - INSTALL_MYSQLDATADIR    (data directory)
+# - INSTALL_MYSQLKEYRING    (keyring directory)
 # - INSTALL_SECURE_FILE_PRIVDIR (--secure-file-priv directory)
 #
 # When changing this page,  _please_ do not forget to update public Wiki
@@ -172,6 +173,7 @@ SET(INSTALL_MYSQLTESTDIR_STANDALONE     "mysql-test")
 SET(INSTALL_SUPPORTFILESDIR_STANDALONE  "support-files")
 #
 SET(INSTALL_MYSQLDATADIR_STANDALONE     "data")
+SET(INSTALL_MYSQLKEYRINGDIR_STANDALONE  "keyring")
 SET(INSTALL_PLUGINTESTDIR_STANDALONE    ${plugin_tests})
 SET(INSTALL_SECURE_FILE_PRIVDIR_STANDALONE ${secure_file_priv_path})
 SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_STANDALONE ${secure_file_priv_embedded_path})
@@ -199,6 +201,7 @@ SET(INSTALL_MYSQLTESTDIR_WIN     "mysql-test")
 SET(INSTALL_SUPPORTFILESDIR_WIN  "support-files")
 #
 SET(INSTALL_MYSQLDATADIR_WIN     "data")
+SET(INSTALL_MYSQLKEYRINGDIR_WIN  "keyring")
 SET(INSTALL_PLUGINTESTDIR_WIN    ${plugin_tests})
 SET(INSTALL_SECURE_FILE_PRIVDIR_WIN ${secure_file_priv_path})
 SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_WIN ${secure_file_priv_embedded_path})
@@ -226,6 +229,7 @@ SET(INSTALL_MYSQLTESTDIR_FREEBSD     "mysql-test")
 SET(INSTALL_SUPPORTFILESDIR_FREEBSD  "support-files")
 #
 SET(INSTALL_MYSQLDATADIR_FREEBSD     "data")
+SET(INSTALL_MYSQLKEYRINGDIR_FREEBSD  "keyring")
 SET(INSTALL_PLUGINTESTDIR_FREEBSD    ${plugin_tests})
 SET(INSTALL_SECURE_FILE_PRIVDIR_FREEBSD ${secure_file_priv_path})
 SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_FREEBSD ${secure_file_priv_embedded_path})
@@ -253,6 +257,7 @@ SET(INSTALL_MYSQLTESTDIR_GLIBC     "mysql-test")
 SET(INSTALL_SUPPORTFILESDIR_GLIBC  "support-files")
 #
 SET(INSTALL_MYSQLDATADIR_GLIBC     "data")
+SET(INSTALL_MYSQLKEYRINGDIR_GLIBC  "keyring")
 SET(INSTALL_PLUGINTESTDIR_GLIBC    ${plugin_tests})
 SET(INSTALL_SECURE_FILE_PRIVDIR_GLIBC ${secure_file_priv_path})
 SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_GLIBC ${secure_file_priv_embedded_path})
@@ -280,6 +285,7 @@ SET(INSTALL_MYSQLTESTDIR_OSX     "mysql-test")
 SET(INSTALL_SUPPORTFILESDIR_OSX  "support-files")
 #
 SET(INSTALL_MYSQLDATADIR_OSX     "data")
+SET(INSTALL_MYSQLKEYRINGDIR_OSX  "keyring")
 SET(INSTALL_PLUGINTESTDIR_OSX    ${plugin_tests})
 SET(INSTALL_SECURE_FILE_PRIVDIR_OSX ${secure_file_priv_path})
 SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_OSX ${secure_file_priv_embedded_path})
@@ -307,6 +313,7 @@ SET(INSTALL_MYSQLTESTDIR_TARGZ     "mysql-test")
 SET(INSTALL_SUPPORTFILESDIR_TARGZ  "support-files")
 #
 SET(INSTALL_MYSQLDATADIR_TARGZ     "data")
+SET(INSTALL_MYSQLKEYRINGDIR_TARGZ  "keyring")
 SET(INSTALL_PLUGINTESTDIR_TARGZ    ${plugin_tests})
 SET(INSTALL_SECURE_FILE_PRIVDIR_TARGZ ${secure_file_priv_path})
 SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_TARGZ ${secure_file_priv_embedded_path})
@@ -343,6 +350,7 @@ SET(INSTALL_MYSQLTESTDIR_RPM            "share/mysql-test")
 SET(INSTALL_SUPPORTFILESDIR_RPM         "share/mysql")
 #
 SET(INSTALL_MYSQLDATADIR_RPM            "/var/lib/mysql")
+SET(INSTALL_MYSQLKEYRINGDIR_RPM         "/var/lib/mysql-keyring")
 SET(INSTALL_PLUGINTESTDIR_RPM           ${plugin_tests})
 SET(INSTALL_SECURE_FILE_PRIVDIR_RPM     ${secure_file_priv_path})
 SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_RPM     ${secure_file_priv_embedded_path})
@@ -375,6 +383,7 @@ SET(INSTALL_MYSQLTESTDIR_SLES            "share/mysql-test")
 SET(INSTALL_SUPPORTFILESDIR_SLES         "share/mysql")
 #
 SET(INSTALL_MYSQLDATADIR_SLES            "/var/lib/mysql")
+SET(INSTALL_MYSQLKEYRINGDIR_SLES         "/var/lib/mysql-keyring")
 SET(INSTALL_PLUGINTESTDIR_SLES           ${plugin_tests})
 SET(INSTALL_SECURE_FILE_PRIVDIR_SLES     ${secure_file_priv_path})
 SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_SLES     ${secure_file_priv_embedded_path})
@@ -402,6 +411,7 @@ SET(INSTALL_MYSQLTESTDIR_DEB            "mysql-test")
 SET(INSTALL_SUPPORTFILESDIR_DEB         "support-files")
 #
 SET(INSTALL_MYSQLDATADIR_DEB            "/var/lib/mysql")
+SET(INSTALL_MYSQLKEYRINGDIR_DEB         "/var/lib/mysql-keyring")
 SET(INSTALL_PLUGINTESTDIR_DEB           ${plugin_tests})
 SET(INSTALL_SECURE_FILE_PRIVDIR_DEB     ${secure_file_priv_path})
 SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_DEB     ${secure_file_priv_embedded_path})
@@ -429,6 +439,7 @@ SET(INSTALL_MYSQLTESTDIR_SVR4           "mysql-test")
 SET(INSTALL_SUPPORTFILESDIR_SVR4        "support-files")
 #
 SET(INSTALL_MYSQLDATADIR_SVR4           "/var/lib/mysql")
+SET(INSTALL_MYSQLKEYRINGDIR_SVR4        "/var/lib/mysql-keyring")
 SET(INSTALL_PLUGINTESTDIR_SVR4          ${plugin_tests})
 SET(INSTALL_SECURE_FILE_PRIVDIR_SVR4    ${secure_file_priv_path})
 SET(INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIR_SVR4    ${secure_file_priv_embedded_path})
@@ -447,7 +458,7 @@ SET(OLD_INSTALL_LAYOUT ${INSTALL_LAYOUT} CACHE INTERNAL "")
 # layout is chosen)
 FOREACH(var BIN SBIN LIB MYSQLSHARE SHARE PLUGIN INCLUDE SCRIPT DOC MAN
   INFO MYSQLTEST DOCREADME SUPPORTFILES MYSQLDATA PLUGINTEST
-  SECURE_FILE_PRIV SECURE_FILE_PRIV_EMBEDDED)
+  SECURE_FILE_PRIV SECURE_FILE_PRIV_EMBEDDED MYSQLKEYRING)
   SET(INSTALL_${var}DIR  ${INSTALL_${var}DIR_${INSTALL_LAYOUT}}
   CACHE STRING "${var} installation directory" ${FORCE})
   MARK_AS_ADVANCED(INSTALL_${var}DIR)

config.h.cmake

@@ -1,4 +1,4 @@
-/* Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved.
 
  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@@ -237,6 +237,7 @@
 #cmakedefine SHAREDIR "@SHAREDIR@"
 #cmakedefine DEFAULT_BASEDIR "@DEFAULT_BASEDIR@"
 #cmakedefine MYSQL_DATADIR "@MYSQL_DATADIR@"
+#cmakedefine MYSQL_KEYRINGDIR "@MYSQL_KEYRINGDIR@"
 #cmakedefine DEFAULT_CHARSET_HOME "@DEFAULT_CHARSET_HOME@"
 #cmakedefine PLUGINDIR "@PLUGINDIR@"
 #cmakedefine DEFAULT_SYSCONFDIR "@DEFAULT_SYSCONFDIR@"
@@ -249,6 +250,7 @@
 #cmakedefine INSTALL_INCLUDEDIR "@default_prefix@/@INSTALL_INCLUDEDIR@"
 #cmakedefine INSTALL_SCRIPTDIR "@default_prefix@/@INSTALL_SCRIPTDIR@"
 #cmakedefine INSTALL_MYSQLDATADIR "@default_prefix@/@INSTALL_MYSQLDATADIR@"
+#cmakedefine INSTALL_MYSQLKEYRINGDIR "@default_prefix@/@INSTALL_MYSQLKEYRINGDIR@"
 #cmakedefine INSTALL_PLUGINTESTDIR "@INSTALL_PLUGINTESTDIR@"
 #cmakedefine INSTALL_INFODIR "@default_prefix@/@INSTALL_INFODIR@"
 #cmakedefine INSTALL_MYSQLTESTDIR "@default_prefix@/@INSTALL_MYSQLTESTDIR@"
@@ -432,4 +434,7 @@
 #cmakedefine DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR @DEFAULT_SECURE_FILE_PRIV_EMBEDDED_DIR@
 #cmakedefine HAVE_LIBNUMA 1
 
+/* For default value of --early_plugin_load */
+#cmakedefine DEFAULT_EARLY_PLUGIN_LOAD @DEFAULT_EARLY_PLUGIN_LOAD@
+
 #endif

include/CMakeLists.txt

@@ -1,4 +1,4 @@
-# Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -32,6 +32,7 @@ SET(HEADERS_ABI
   mysql/plugin_audit.h
   mysql/plugin_ftparser.h
   mysql/plugin_validate_password.h
+  mysql/plugin_keyring.h
   mysql/plugin_group_replication.h
 )
 

include/my_aes.h

@@ -1,7 +1,7 @@
 #ifndef MY_AES_INCLUDED
 #define MY_AES_INCLUDED
 
-/* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@@ -25,6 +25,9 @@ C_MODE_START
 /** AES IV size is 16 bytes for all supported ciphers except ECB */
 #define MY_AES_IV_SIZE 16
 
+/** AES block size is fixed to be 128 bits for CBC and ECB */
+#define MY_AES_BLOCK_SIZE 16
+
 
 /** Supported AES cipher/block mode combos */
 enum my_aes_opmode
@@ -74,13 +77,15 @@ extern const char *my_aes_opmode_names[];
   @param key_length     [in]  Length of the key. Will handle keys of any length
   @param mode           [in]  encryption mode
   @param iv             [in]  16 bytes initialization vector if needed. Otherwise NULL
+  @param padding        [in]  if padding needed.
   @return              size of encrypted data, or negative in case of error
 */
 
 int my_aes_encrypt(const unsigned char *source, uint32 source_length,
                    unsigned char *dest,
 		   const unsigned char *key, uint32 key_length,
-                   enum my_aes_opmode mode, const unsigned char *iv);
+                   enum my_aes_opmode mode, const unsigned char *iv,
+                   bool padding = true);
 
 /**
   Decrypt an AES encrypted buffer
@@ -92,14 +97,16 @@ int my_aes_encrypt(const unsigned char *source, uint32 source_length,
   @param key_length     Length of the key. Will handle keys of any length
   @param mode           encryption mode
   @param iv             16 bytes initialization vector if needed. Otherwise NULL
+  @param padding        if padding needed.
   @return size of original data.
 */
 
 
 int my_aes_decrypt(const unsigned char *source, uint32 source_length,
                    unsigned char *dest,
- 		   const unsigned char *key, uint32 key_length,
-                   enum my_aes_opmode mode, const unsigned char *iv);
+                   const unsigned char *key, uint32 key_length,
+                   enum my_aes_opmode mode, const unsigned char *iv,
+                   bool padding = true);
 
 /**
   Calculate the size of a buffer large enough for encrypted data

include/my_sqlcommand.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -171,6 +171,7 @@ enum enum_sql_command {
   SQLCOM_EXPLAIN_OTHER,
   SQLCOM_SHOW_CREATE_USER,
   SQLCOM_SHUTDOWN,
+  SQLCOM_ALTER_INSTANCE,
   /* This should be the last !!! */
   SQLCOM_END
 };

include/mysql/plugin.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -95,7 +95,8 @@ typedef struct st_mysql_xid MYSQL_XID;
 #define MYSQL_AUTHENTICATION_PLUGIN  7  /* The authentication plugin type */
 #define MYSQL_VALIDATE_PASSWORD_PLUGIN  8   /* validate password plugin type */
 #define MYSQL_GROUP_REPLICATION_PLUGIN  9  /* The Group Replication plugin */
-#define MYSQL_MAX_PLUGIN_TYPE_NUM    10  /* The number of plugin types   */
+#define MYSQL_KEYRING_PLUGIN         10  /* The Keyring plugin type   */
+#define MYSQL_MAX_PLUGIN_TYPE_NUM    11  /* The number of plugin types   */
 
 /* We use the following strings to define licenses for plugins */
 #define PLUGIN_LICENSE_PROPRIETARY 0

include/mysql/plugin_audit.h.pp

@@ -302,6 +302,7 @@
   SQLCOM_EXPLAIN_OTHER,
   SQLCOM_SHOW_CREATE_USER,
   SQLCOM_SHUTDOWN,
+  SQLCOM_ALTER_INSTANCE,
   SQLCOM_END
 };
 typedef enum