diff --git a/components/keyrings/common/CMakeLists.txt b/components/keyrings/common/CMakeLists.txt index 1e3e73fd6f75..147aedbdbf0b 100644 --- a/components/keyrings/common/CMakeLists.txt +++ b/components/keyrings/common/CMakeLists.txt @@ -30,7 +30,6 @@ SET(KEYRING_COMMON_SOURCES # Data representation data/data.cc data/meta.cc - data/pfs_string.cpp # File reader/writer data_file/reader.cc data_file/writer.cc @@ -51,10 +50,6 @@ IF(COMPONENT_COMPILE_VISIBILITY) SET(COMPILE_OPTIONS_ARG COMPILE_OPTIONS "${COMPONENT_COMPILE_VISIBILITY}") ENDIF() -INCLUDE_DIRECTORIES(SYSTEM - ${BOOST_PATCHES_DIR} - ${BOOST_INCLUDE_DIR}) - ADD_CONVENIENCE_LIBRARY( keyring_common ${KEYRING_COMMON_SOURCES} diff --git a/components/keyrings/common/data/pfs_string.cpp b/components/keyrings/common/data/pfs_string.cpp deleted file mode 100644 index 38ff5376fa98..000000000000 --- a/components/keyrings/common/data/pfs_string.cpp +++ /dev/null @@ -1,4 +0,0 @@ - -#include "pfs_string.h" - -PSI_memory_key KEY_mem_keyring; diff --git a/components/keyrings/common/data/pfs_string.h b/components/keyrings/common/data/pfs_string.h index b2df4e7c5e6c..c4698451adc8 100644 --- a/components/keyrings/common/data/pfs_string.h +++ b/components/keyrings/common/data/pfs_string.h @@ -1,103 +1,8 @@ - #ifndef PFS_STRING_INCLUDED #define PFS_STRING_INCLUDED -#include -#include "my_sys.h" -#include "mysql/service_mysql_alloc.h" -#include "sql/psi_memory_key.h" - -extern PSI_memory_key KEY_mem_keyring; - -/** - Malloc_allocator is based on sql/malloc_allocator.h, but uses a fixed PSI key - instead -*/ -template -class Malloc_allocator { - // This cannot be const if we want to be able to swap. - PSI_memory_key m_key = KEY_mem_keyring; - - public: - typedef T value_type; - typedef size_t size_type; - typedef ptrdiff_t difference_type; - - typedef T *pointer; - typedef const T *const_pointer; - - typedef T &reference; - typedef const T &const_reference; - - pointer address(reference r) const { return &r; } - const_pointer address(const_reference r) const { return &r; } - - explicit Malloc_allocator() {} - - template - Malloc_allocator(const Malloc_allocator &other [[maybe_unused]]) - : m_key(other.psi_key()) {} - - template - Malloc_allocator &operator=(const Malloc_allocator &other - [[maybe_unused]]) { - assert(m_key == other.psi_key()); // Don't swap key. - } - - pointer allocate(size_type n, const_pointer hint [[maybe_unused]] = nullptr) { - if (n == 0) return nullptr; - if (n > max_size()) throw std::bad_alloc(); - - pointer p = static_cast( - my_malloc(m_key, n * sizeof(T), MYF(MY_WME | ME_FATALERROR))); - if (p == nullptr) throw std::bad_alloc(); - return p; - } - - void deallocate(pointer p, size_type) { my_free(p); } - - template - void construct(U *p, Args &&... args) { - assert(p != nullptr); - try { - ::new ((void *)p) U(std::forward(args)...); - } catch (...) { - assert(false); // Constructor should not throw an exception. - } - } - - void destroy(pointer p) { - assert(p != nullptr); - try { - p->~T(); - } catch (...) { - assert(false); // Destructor should not throw an exception - } - } - - size_type max_size() const { - return std::numeric_limits::max() / sizeof(T); - } - - template - struct rebind { - typedef Malloc_allocator other; - }; - - PSI_memory_key psi_key() const { return m_key; } -}; - -template -bool operator==(const Malloc_allocator &a1, const Malloc_allocator &a2) { - return a1.psi_key() == a2.psi_key(); -} - -template -bool operator!=(const Malloc_allocator &a1, const Malloc_allocator &a2) { - return a1.psi_key() != a2.psi_key(); -} +#include -using pfs_string = - std::basic_string, Malloc_allocator>; +using pfs_string = std::string; #endif // PFS_STRING_INCLUDED diff --git a/components/keyrings/keyring_file/CMakeLists.txt b/components/keyrings/keyring_file/CMakeLists.txt index cf835941a3ef..52144e1c75ec 100644 --- a/components/keyrings/keyring_file/CMakeLists.txt +++ b/components/keyrings/keyring_file/CMakeLists.txt @@ -84,6 +84,9 @@ MYSQL_ADD_COMPONENT(keyring_file LINK_LIBRARIES ${KEYRING_FILE_LIBRARIES} MODULE_ONLY ) + +MY_TARGET_LINK_OPTIONS(component_keyring_file "${LINK_FLAG_NO_UNDEFINED}") + IF(APPLE) SET_TARGET_PROPERTIES(component_keyring_file PROPERTIES LINK_FLAGS "-undefined dynamic_lookup") diff --git a/components/keyrings/keyring_kmip/CMakeLists.txt b/components/keyrings/keyring_kmip/CMakeLists.txt index fd41e25a1ed6..caa929388bc2 100644 --- a/components/keyrings/keyring_kmip/CMakeLists.txt +++ b/components/keyrings/keyring_kmip/CMakeLists.txt @@ -83,6 +83,9 @@ MYSQL_ADD_COMPONENT(keyring_kmip LINK_LIBRARIES ${KEYRING_KMIP_LIBRARIES} MODULE_ONLY ) + +MY_TARGET_LINK_OPTIONS(component_keyring_kmip "${LINK_FLAG_NO_UNDEFINED}") + IF(APPLE) SET_TARGET_PROPERTIES(component_keyring_kmip PROPERTIES LINK_FLAGS "-undefined dynamic_lookup") diff --git a/components/keyrings/keyring_kmip/backend/backend.cc b/components/keyrings/keyring_kmip/backend/backend.cc index d4143a31885b..46e6bc414cc8 100644 --- a/components/keyrings/keyring_kmip/backend/backend.cc +++ b/components/keyrings/keyring_kmip/backend/backend.cc @@ -25,7 +25,6 @@ #include #include "backend.h" -#include "my_dbug.h" #include @@ -47,7 +46,6 @@ using keyring_common::utils::get_random_data; Keyring_kmip_backend::Keyring_kmip_backend(config::Config_pod const &config) : valid_(false), config_(config) { - DBUG_TRACE; valid_ = true; } @@ -55,7 +53,6 @@ bool Keyring_kmip_backend::load_cache( keyring_common::operations::Keyring_operations< Keyring_kmip_backend, keyring_common::data::Data_extension> &operations) { - DBUG_TRACE; // We have to load keys and secrets with state==ACTIVE only //TODO: implement better logic with the new KMIP library try { @@ -126,9 +123,16 @@ bool Keyring_kmip_backend::load_cache( return true; } } - + } catch (const std::exception &e) { + std::string err_msg = std::string("std exception in function '") + + __func__ + "': " + e.what(); + LogComponentErr(ERROR_LEVEL, ER_LOG_PRINTF_MSG, err_msg.c_str()); + return true; } catch (...) { - mysql_components_handle_std_exception(__func__); + std::string err_msg = + std::string("Unknown exception in function '") + __func__ + '\''; + LogComponentErr(ERROR_LEVEL, ER_LOG_PRINTF_MSG, err_msg.c_str()); + return true; } return false; @@ -137,13 +141,11 @@ bool Keyring_kmip_backend::load_cache( bool Keyring_kmip_backend::get(const Metadata &, Data &) const { /* Shouldn't have reached here if we cache things. */ assert(0); - DBUG_TRACE; return false; } bool Keyring_kmip_backend::store(const Metadata &metadata, Data_extension &data) { - DBUG_TRACE; if (!metadata.valid() || !data.valid()) return true; kmippp::context::id_t id; try { @@ -184,8 +186,15 @@ bool Keyring_kmip_backend::store(const Metadata &metadata, return true; } data.set_extension({id}); + } catch (const std::exception &e) { + std::string err_msg = std::string("std exception in function '") + + __func__ + "': " + e.what(); + LogComponentErr(ERROR_LEVEL, ER_LOG_PRINTF_MSG, err_msg.c_str()); + return true; } catch (...) { - mysql_components_handle_std_exception(__func__); + std::string err_msg = + std::string("Unknown exception in function '") + __func__ + '\''; + LogComponentErr(ERROR_LEVEL, ER_LOG_PRINTF_MSG, err_msg.c_str()); return true; } return false; @@ -204,15 +213,21 @@ size_t Keyring_kmip_backend::size() const { return keys.size() + secrets.size(); //we may have deactivated keys counted, so we need to count active keys only //TODO: implement better logic with the new KMIP library + } catch (const std::exception &e) { + std::string err_msg = std::string("std exception in function '") + + __func__ + "': " + e.what(); + LogComponentErr(ERROR_LEVEL, ER_LOG_PRINTF_MSG, err_msg.c_str()); + return 0; } catch (...) { - mysql_components_handle_std_exception(__func__); + std::string err_msg = + std::string("Unknown exception in function '") + __func__ + '\''; + LogComponentErr(ERROR_LEVEL, ER_LOG_PRINTF_MSG, err_msg.c_str()); return 0; } } bool Keyring_kmip_backend::erase(const Metadata &metadata, Data_extension &data) { - DBUG_TRACE; if (!metadata.valid()) return true; auto ctx = kmip_ctx(); @@ -238,7 +253,6 @@ bool Keyring_kmip_backend::erase(const Metadata &metadata, bool Keyring_kmip_backend::generate(const Metadata &metadata, Data_extension &data, size_t length) { - DBUG_TRACE; if (!metadata.valid()) return true; std::unique_ptr key(new unsigned char[length]); diff --git a/components/keyrings/keyring_kmip/keyring_kmip.cc b/components/keyrings/keyring_kmip/keyring_kmip.cc index cbfa9e23e503..1f36dd8fd043 100644 --- a/components/keyrings/keyring_kmip/keyring_kmip.cc +++ b/components/keyrings/keyring_kmip/keyring_kmip.cc @@ -218,8 +218,6 @@ PROVIDES_SERVICE(component_keyring_kmip, keyring_aes), PROVIDES_SERVICE(component_keyring_kmip, log_builtins_string), END_COMPONENT_PROVIDES(); -PSI_memory_key KEY_mem_keyring_kmip; - /** List of dependencies */ BEGIN_COMPONENT_REQUIRES(component_keyring_kmip) REQUIRES_SERVICE(registry), REQUIRES_SERVICE(log_builtins), diff --git a/components/keyrings/keyring_kms/CMakeLists.txt b/components/keyrings/keyring_kms/CMakeLists.txt index 03de230e1e65..abc84b24b2f4 100644 --- a/components/keyrings/keyring_kms/CMakeLists.txt +++ b/components/keyrings/keyring_kms/CMakeLists.txt @@ -73,6 +73,8 @@ SET(KEYRING_KMS_LIBRARIES keyring_common ext::curl ${SSL_LIBRARIES}) MYSQL_ADD_COMPONENT(keyring_kms ${KEYRING_KMS_SOURCE} LINK_LIBRARIES ${KEYRING_KMS_LIBRARIES} MODULE_ONLY) +MY_TARGET_LINK_OPTIONS(component_keyring_kms "${LINK_FLAG_NO_UNDEFINED}") + MY_CHECK_CXX_COMPILER_WARNING("-Wno-suggest-override" HAS_FLAG) IF(HAS_FLAG) TARGET_COMPILE_OPTIONS(component_keyring_kms PUBLIC "-Wno-suggest-override") diff --git a/components/test/keyring_encryption_test/options.cc b/components/test/keyring_encryption_test/options.cc index c89e1c3abebd..c5ee80080f55 100644 --- a/components/test/keyring_encryption_test/options.cc +++ b/components/test/keyring_encryption_test/options.cc @@ -34,7 +34,6 @@ #include /* typedefs */ #include /* STRINGIFY_ARG */ #include /* MYSQL */ -#include /* my_strdup */ #include /* get_tty_password */ #include /* print_version */ #include /* find_type_or_exit */ diff --git a/include/my_sys.h b/include/my_sys.h index 6aae560b7d5c..fe1ce5d68b1a 100644 --- a/include/my_sys.h +++ b/include/my_sys.h @@ -612,9 +612,7 @@ extern size_t my_fwrite(FILE *stream, const uchar *Buffer, size_t Count, myf MyFlags); extern my_off_t my_fseek(FILE *stream, my_off_t pos, int whence); extern my_off_t my_ftell(FILE *stream); -#if !defined(HAVE_MEMSET_S) -void memset_s(void *dest, size_t dest_max, int c, size_t n); -#endif +void my_memset_s(void *dest, size_t dest_max, int c, size_t n); /* implemented in my_syslog.c */ diff --git a/mysql-test/include/have_keyring_file_plugin.inc b/mysql-test/include/have_keyring_file_plugin.inc new file mode 100644 index 000000000000..67c681c67022 --- /dev/null +++ b/mysql-test/include/have_keyring_file_plugin.inc @@ -0,0 +1,6 @@ +# +# Check if the variable KEYRING_PLUGIN is set +# +if (!$KEYRING_PLUGIN) { + --skip keyring_file not available. +} diff --git a/mysql-test/include/have_keyring_kmip_plugin.inc b/mysql-test/include/have_keyring_kmip_plugin.inc deleted file mode 100644 index e697b3dd415d..000000000000 --- a/mysql-test/include/have_keyring_kmip_plugin.inc +++ /dev/null @@ -1,6 +0,0 @@ -# -# Check if the variable KEYRING_KMIP_PLUGIN is set -# -if (!$KEYRING_KMIP_PLUGIN) { - --skip keyring_kmip not available. -} diff --git a/mysql-test/include/keyring_tests/mats/dynamic_loading.inc b/mysql-test/include/keyring_tests/mats/dynamic_loading.inc new file mode 100644 index 000000000000..ea2bdc6a6ef6 --- /dev/null +++ b/mysql-test/include/keyring_tests/mats/dynamic_loading.inc @@ -0,0 +1,27 @@ +# ==== Purpose ==== +# +# Check if the provided library ('.so') can be successfully loaded with 'dlopen(..., RTLD_NOW)' +# +# ==== Usage ==== +# +# --let $DLOPEN_CHECKER_LIBRARY_PATH = +# --source include/keyring_tests/mats/dynamic_loading.inc +# +# ==== Parameters ==== +# +# DLOPEN_CHECKER_LIBRARY_PATH +# Full path to the library that needs to be checked for unresolved symbols ('.so') +# + +--let $dlopen_checker_source = $MYSQL_TEST_DIR/std_data/dlopen_checker.cpp +--let $dlopen_checker_binary = $MYSQL_TMP_DIR/dlopen_checker + +--echo *** Building dlopen_checker utility +--exec g++ -std=c++17 -ldl -o $dlopen_checker_binary $dlopen_checker_source + +--echo *** Checking for unresolved symbols +--replace_result $DLOPEN_CHECKER_LIBRARY_PATH +--exec $dlopen_checker_binary $DLOPEN_CHECKER_LIBRARY_PATH + +--echo *** Deleting dlopen_checker utility +--remove_file $dlopen_checker_binary diff --git a/mysql-test/std_data/dlopen_checker.cpp b/mysql-test/std_data/dlopen_checker.cpp new file mode 100644 index 000000000000..b859af824516 --- /dev/null +++ b/mysql-test/std_data/dlopen_checker.cpp @@ -0,0 +1,27 @@ +#include +#include +#include +#include + +#include + +int main(int argc, char **argv) { + if (argc != 2) { + std::cerr << "Usage: " << argv[0] << " \n"; + return 1; + } + + const char *lib_path = argv[1]; + auto dl_closer{[](void *dl_handle) { + if (dl_handle != nullptr) dlclose(dl_handle); + }}; + using handle_guard = std::unique_ptr; + handle_guard handle{dlopen(lib_path, RTLD_NOW), std::move(dl_closer)}; + if (!handle) { + std::cerr << "dlopen() failed: " << dlerror() << '\n'; + return EXIT_FAILURE; + } + + std::cout << "dlopen() succeeded: " << lib_path << '\n'; + return EXIT_SUCCESS; +} diff --git a/mysql-test/suite/component_keyring_file/r/dynamic_loading.result b/mysql-test/suite/component_keyring_file/r/dynamic_loading.result new file mode 100644 index 000000000000..34abf3d2d8c1 --- /dev/null +++ b/mysql-test/suite/component_keyring_file/r/dynamic_loading.result @@ -0,0 +1,4 @@ +*** Building dlopen_checker utility +*** Checking for unresolved symbols +dlopen() succeeded: +*** Deleting dlopen_checker utility diff --git a/mysql-test/suite/component_keyring_file/t/dynamic_loading.test b/mysql-test/suite/component_keyring_file/t/dynamic_loading.test new file mode 100644 index 000000000000..0146f56eced8 --- /dev/null +++ b/mysql-test/suite/component_keyring_file/t/dynamic_loading.test @@ -0,0 +1,4 @@ +--source include/have_component_keyring_file.inc + +--let $DLOPEN_CHECKER_LIBRARY_PATH = $KEYRING_FILE_COMPONENT_DIR/$KEYRING_FILE_COMPONENT +--source include/keyring_tests/mats/dynamic_loading.inc diff --git a/mysql-test/suite/component_keyring_kmip/t/dynamic_loading.result b/mysql-test/suite/component_keyring_kmip/t/dynamic_loading.result new file mode 100644 index 000000000000..34abf3d2d8c1 --- /dev/null +++ b/mysql-test/suite/component_keyring_kmip/t/dynamic_loading.result @@ -0,0 +1,4 @@ +*** Building dlopen_checker utility +*** Checking for unresolved symbols +dlopen() succeeded: +*** Deleting dlopen_checker utility diff --git a/mysql-test/suite/component_keyring_kmip/t/dynamic_loading.test b/mysql-test/suite/component_keyring_kmip/t/dynamic_loading.test new file mode 100644 index 000000000000..7704119eddaa --- /dev/null +++ b/mysql-test/suite/component_keyring_kmip/t/dynamic_loading.test @@ -0,0 +1,4 @@ +--source include/have_component_keyring_file.inc + +--let $DLOPEN_CHECKER_LIBRARY_PATH = $KEYRING_KMIP_COMPONENT_DIR/$KEYRING_KMIP_COMPONENT +--source include/keyring_tests/mats/dynamic_loading.inc diff --git a/mysql-test/suite/component_keyring_kms/r/dynamic_loading.result b/mysql-test/suite/component_keyring_kms/r/dynamic_loading.result new file mode 100644 index 000000000000..34abf3d2d8c1 --- /dev/null +++ b/mysql-test/suite/component_keyring_kms/r/dynamic_loading.result @@ -0,0 +1,4 @@ +*** Building dlopen_checker utility +*** Checking for unresolved symbols +dlopen() succeeded: +*** Deleting dlopen_checker utility diff --git a/mysql-test/suite/component_keyring_kms/t/dynamic_loading.test b/mysql-test/suite/component_keyring_kms/t/dynamic_loading.test new file mode 100644 index 000000000000..463bc208913e --- /dev/null +++ b/mysql-test/suite/component_keyring_kms/t/dynamic_loading.test @@ -0,0 +1,4 @@ +--source include/have_component_keyring_file.inc + +--let $DLOPEN_CHECKER_LIBRARY_PATH = $KEYRING_KMS_COMPONENT_DIR/$KEYRING_KMS_COMPONENT +--source include/keyring_tests/mats/dynamic_loading.inc diff --git a/mysys/my_malloc.cc b/mysys/my_malloc.cc index 5d55bb4f41f2..1150fa4fce4d 100644 --- a/mysys/my_malloc.cc +++ b/mysys/my_malloc.cc @@ -563,8 +563,10 @@ char *my_strndup(PSI_memory_key key, const char *from, size_t length, return ptr; } -#if !defined(HAVE_MEMSET_S) -void memset_s(void *dest, size_t dest_max, int c, size_t n) { +void my_memset_s(void *dest, size_t dest_max, int c, size_t n) { +#if defined(HAVE_MEMSET_S) + memset_s(dest, dest_max, c, n); +#else #if defined(WIN32) SecureZeroMemory(dest, n); #else @@ -573,5 +575,5 @@ void memset_s(void *dest, size_t dest_max, int c, size_t n) { *p++ = c; } #endif -} #endif +} diff --git a/plugin/keyring/CMakeLists.txt b/plugin/keyring/CMakeLists.txt index ba86a6b06a45..983ee8e0eb74 100644 --- a/plugin/keyring/CMakeLists.txt +++ b/plugin/keyring/CMakeLists.txt @@ -25,8 +25,6 @@ ADD_DEFINITIONS(-DLOG_COMPONENT_TAG="keyring_file") DISABLE_MISSING_PROFILE_WARNING() -INCLUDE_DIRECTORIES(SYSTEM ${BOOST_PATCHES_DIR} ${BOOST_INCLUDE_DIR}) - MYSQL_ADD_PLUGIN(keyring_file buffer.cc buffered_file_io.cc @@ -43,7 +41,7 @@ MYSQL_ADD_PLUGIN(keyring_file file_io.cc hash_to_buffer_serializer.cc keyring.cc - LINK_LIBRARIES ${SSL_LIBRARIES} + LINK_LIBRARIES OpenSSL::Crypto OpenSSL::SSL MODULE_ONLY MODULE_OUTPUT_NAME "keyring_file" ) diff --git a/plugin/keyring/common/keyring_memory.h b/plugin/keyring/common/keyring_memory.h index 6e34b33f0c16..763d626874a9 100644 --- a/plugin/keyring/common/keyring_memory.h +++ b/plugin/keyring/common/keyring_memory.h @@ -24,12 +24,12 @@ #ifndef MYSQL_KEYRING_MEMORY_H #define MYSQL_KEYRING_MEMORY_H -#include #include #include +#include -#include "my_sys.h" -#include "mysql/service_mysql_alloc.h" +#include +#include namespace keyring { @@ -78,7 +78,7 @@ class Secure_allocator { } void deallocate(T *p, size_t n) noexcept { - memset_s(p, n, 0, n); + my_memset_s(p, n, 0, n); my_free(p); } diff --git a/plugin/keyring/keyring_file.version b/plugin/keyring/keyring_file.version deleted file mode 100644 index 023b6b555b21..000000000000 --- a/plugin/keyring/keyring_file.version +++ /dev/null @@ -1,8 +0,0 @@ -KEYRING_FILE_VERSION_1.0 { - global: - _mysql_*; - mysql_malloc_service; - my_plugin_log_service; - security_context_service; - local: *; -}; diff --git a/plugin/keyring_vault/CMakeLists.txt b/plugin/keyring_vault/CMakeLists.txt index 6bcc12bd40b1..263d96a37ea5 100644 --- a/plugin/keyring_vault/CMakeLists.txt +++ b/plugin/keyring_vault/CMakeLists.txt @@ -50,13 +50,6 @@ MYSQL_ADD_PLUGIN(keyring_vault vault_credentials_parser.cc vault_credentials.cc vault_keyring.cc - LINK_LIBRARIES ext::curl ${SSL_LIBRARIES} MODULE_ONLY MODULE_OUTPUT_NAME "keyring_vault" - LINK_LIBRARIES extra::rapidjson) - -# We limit symbols exported on Linux to only those required by server. -IF(LINK_FLAG_NO_UNDEFINED) - GET_PROPERTY(keyring_vault_link_flags TARGET keyring_vault PROPERTY LINK_FLAGS) - SET_PROPERTY(TARGET keyring_vault PROPERTY LINK_FLAGS "${keyring_vault_link_flags} -Wl,--version-script=${CMAKE_SOURCE_DIR}/plugin/keyring_vault/keyring_vault.version") -ENDIF() + LINK_LIBRARIES ext::curl OpenSSL::Crypto OpenSSL::SSL extra::rapidjson) diff --git a/plugin/keyring_vault/keyring_vault.version b/plugin/keyring_vault/keyring_vault.version deleted file mode 100644 index 46c03f3b8438..000000000000 --- a/plugin/keyring_vault/keyring_vault.version +++ /dev/null @@ -1,9 +0,0 @@ -KEYRING_VAULT_VERSION_1.0 { - global: - _mysql_*; - mysql_malloc_service; - my_plugin_log_service; - security_context_service; - plugin_registry_service; - local: *; -}; diff --git a/plugin/keyring_vault/tests/mtr/migrate_keyring.result b/plugin/keyring_vault/tests/mtr/migrate_keyring.result new file mode 100644 index 000000000000..e3c1e2013401 --- /dev/null +++ b/plugin/keyring_vault/tests/mtr/migrate_keyring.result @@ -0,0 +1,74 @@ +*** Creating a Hashicorp Vault mount point +*** Creating keyring_vault plugin config +*** Determining keyring plugin names +*** Restarting the server with keyring_vault plugin enabled +# restart: +*** Asserting that keyring_vault plugin is installed and active +*** Creating an encrypted table and filling it with some data +CREATE TABLE t1( +id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT, +PRIMARY KEY(id) +) ENCRYPTION="Y" ENGINE=InnoDB; +INSERT INTO t1 VALUES(DEFAULT); +*** Extracting InnoDB master key name +SELECT KEY_ID INTO @t1_key_id FROM performance_schema.keyring_keys; +*** Rotating InnoDB master key +ALTER INSTANCE ROTATE INNODB MASTER KEY; +*** Creating another enrypted table and filling it with some data +CREATE TABLE t2( +id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT, +PRIMARY KEY(id) +) ENCRYPTION="Y" ENGINE=InnoDB; +INSERT INTO t2 VALUES(42); +*** Extracting InnoDB master key name after rotation +SELECT KEY_ID INTO @t2_key_id FROM performance_schema.keyring_keys WHERE KEY_ID != @t1_key_id; +*** Installing keyring UDF plugin +*** Manually generating a AES key in the keyring plugin via keyring_key_generate() UDF +SELECT keyring_key_generate ('CustomKey', 'AES', 32); +keyring_key_generate ('CustomKey', 'AES', 32) +1 +*** Extracting custom key name +SELECT KEY_ID INTO @custom_key_id FROM performance_schema.keyring_keys WHERE KEY_ID != @t1_key_id AND KEY_ID != @t2_key_id; +*** Uninstalling keyring UDF plugin + +********************************************************************** +*** Checking keyring_vault plugin -> keyring_file plugin migration *** +********************************************************************** + +*** Stopping the server (original, with keyring_vault plugin) +include/stop_mysqld.inc [server 1] +*** Executing keyring data migration via mysqld (keyring_vault plugin -> keyring_file plugin) +*** Deleting the Hashicorp Vault mount point created previously +*** Starting the server (with keyring_file plugin) +# restart: +*** Asserting that keyring_file plugin is installed and active +*** Installing keyring UDF plugin once again after keyring plugin switch +*** Asserting that keys stored in keyring_vault plugin successfully migrated to keyring_file plugin +*** Uninstalling keyring UDF plugin once again after keyring plugin switch +*** Asserting that data can be read from the sample tables +*** Generating an UUID for another Hashicorp Vault mount point (for importing) + +********************************************************************** +*** Checking keyring_file plugin -> keyring_vault plugin migration *** +********************************************************************** + +*** Stopping the server (with keyring_file plugin) +include/stop_mysqld.inc [server 1] +*** Creating a Hashicorp Vault mount point with another UUID +*** Re-generating keyring_vault plugin configuration file content after mount point UUID update +*** Executing keyring data migration via mysqld (keyring_file plugin -> keyring_vault plugin) +*** Removing keyring_file plugin data file +*** Starting the server (with keyring_vault plugin) +# restart: +*** Asserting that keyring_vault plugin is installed and active again +*** Installing keyring UDF plugin once again after keyring plugin switch back +*** Asserting that keys stored in keyring_file plugin successfully migrated to keyring_vault_plugin +*** Uninstalling keyring UDF plugin once again after keyring plugin switch back +*** Asserting that data can be read from the sample tables +*** Dropping the sample tables +DROP TABLE t2; +DROP TABLE t1; +*** Restarting the server with no keyring enableds +# restart +*** Deleting the Hashicorp Vault mount point re-created previously +*** Deleting keyring_vault plugin config diff --git a/plugin/keyring_vault/tests/mtr/migrate_keyring.test b/plugin/keyring_vault/tests/mtr/migrate_keyring.test new file mode 100644 index 000000000000..0e4d3c2752a9 --- /dev/null +++ b/plugin/keyring_vault/tests/mtr/migrate_keyring.test @@ -0,0 +1,232 @@ +--source include/have_keyring_vault_plugin.inc +--source include/have_keyring_file_plugin.inc + +--disable_query_log +call mtr.add_suppression("for being a mount point unsuccessful - skipped."); +call mtr.add_suppression("for being a mount point successful - identified kv-v2 secret engine."); +--enable_query_log + +--let $vault_conf_mount_point_uuid = `SELECT UUID()` +--source parse_combination.inc + +--echo *** Creating a Hashicorp Vault mount point +--let $vault_conf_mount_point_suffix = +--let $mount_point_service_op = CREATE +--source mount_point_service.inc + +--echo *** Creating keyring_vault plugin config +--let $vault_conf_file = $MYSQLTEST_VARDIR/keyring_vault.conf +--let $vault_conf_mount_point_suffix = +--source generate_conf_file.inc + +--echo *** Determining keyring plugin names +--let $MYSQLD_DATADIR = `SELECT @@datadir` + +--let $KEYRING_VAULT_PLUGIN_LIBRARY = `SELECT SUBSTRING_INDEX('$KEYRING_VAULT_PLUGIN_LOAD', '=', -1)` +--let $KEYRING_VAULT_PLUGIN_NAME = `SELECT SUBSTRING_INDEX('$KEYRING_VAULT_PLUGIN_LIBRARY', '.', 1)` + +--let $KEYRING_FILE_PLUGIN_LIBRARY = `SELECT SUBSTRING_INDEX('$KEYRING_PLUGIN_LOAD', '=', -1)` +--let $KEYRING_FILE_PLUGIN_NAME = `SELECT SUBSTRING_INDEX('$KEYRING_FILE_PLUGIN_LIBRARY', '.', 1)` + +--echo *** Restarting the server with keyring_vault plugin enabled +--let $restart_parameters = restart: $KEYRING_VAULT_PLUGIN_OPT $KEYRING_VAULT_PLUGIN_EARLY_LOAD --loose-keyring-vault-config=$vault_conf_file +--let $do_not_echo_parameters = 1 +--source include/restart_mysqld.inc + +--echo *** Asserting that keyring_vault plugin is installed and active +--assert (`SELECT PLUGIN_STATUS = 'ACTIVE' FROM information_schema.plugins WHERE PLUGIN_NAME = '$KEYRING_VAULT_PLUGIN_NAME'`) + +--echo *** Creating an encrypted table and filling it with some data +CREATE TABLE t1( + id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT, + PRIMARY KEY(id) +) ENCRYPTION="Y" ENGINE=InnoDB; +INSERT INTO t1 VALUES(DEFAULT); +--let $t1_checksum = query_get_value(CHECKSUM TABLE t1, Checksum, 1) + +--echo *** Extracting InnoDB master key name +SELECT KEY_ID INTO @t1_key_id FROM performance_schema.keyring_keys; +--let $stored_t1_key_id = `SELECT @t1_key_id` + +--echo *** Rotating InnoDB master key +ALTER INSTANCE ROTATE INNODB MASTER KEY; + +--echo *** Creating another enrypted table and filling it with some data +CREATE TABLE t2( + id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT, + PRIMARY KEY(id) +) ENCRYPTION="Y" ENGINE=InnoDB; +INSERT INTO t2 VALUES(42); +--let $t2_checksum = query_get_value(CHECKSUM TABLE t2, Checksum, 1) + +--echo *** Extracting InnoDB master key name after rotation +SELECT KEY_ID INTO @t2_key_id FROM performance_schema.keyring_keys WHERE KEY_ID != @t1_key_id; +--let $stored_t2_key_id = `SELECT @t2_key_id` + +--echo *** Installing keyring UDF plugin +--disable_query_log +eval INSTALL PLUGIN keyring_udf SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_generate RETURNS INTEGER SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_type_fetch RETURNS STRING SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_length_fetch RETURNS INTEGER SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_fetch RETURNS STRING SONAME '$KEYRING_UDF'; +--enable_query_log + +--echo *** Manually generating a AES key in the keyring plugin via keyring_key_generate() UDF +--let $stored_custom_key_id = CustomKey +--let $stored_custom_key_type = AES +--let $stored_custom_key_length = 32 +eval SELECT keyring_key_generate ('$stored_custom_key_id', '$stored_custom_key_type', $stored_custom_key_length); + +--echo *** Extracting custom key name +SELECT KEY_ID INTO @custom_key_id FROM performance_schema.keyring_keys WHERE KEY_ID != @t1_key_id AND KEY_ID != @t2_key_id; +--assert (`SELECT @custom_key_id = '$stored_custom_key_id'`) +--assert (`SELECT keyring_key_type_fetch(@custom_key_id) = '$stored_custom_key_type'`) +--assert (`SELECT keyring_key_length_fetch(@custom_key_id) = '$stored_custom_key_length'`) +--let $stored_custom_key_data_hex = `SELECT HEX(keyring_key_fetch(@custom_key_id))` + +--echo *** Uninstalling keyring UDF plugin +--disable_query_log +DROP FUNCTION keyring_key_fetch; +DROP FUNCTION keyring_key_length_fetch; +DROP FUNCTION keyring_key_type_fetch; +DROP FUNCTION keyring_key_generate; +UNINSTALL PLUGIN keyring_udf; +--enable_query_log + +--echo +--echo ********************************************************************** +--echo *** Checking keyring_vault plugin -> keyring_file plugin migration *** +--echo ********************************************************************** +--echo + +--echo *** Stopping the server (original, with keyring_vault plugin) +--source include/stop_mysqld.inc + +--echo *** Executing keyring data migration via mysqld (keyring_vault plugin -> keyring_file plugin) +--let $KEYRING_FILE_PLUGIN_DATA_FILE_PATH = $MYSQLTEST_VARDIR/keyring_file_plugin +--exec $MYSQLD --no-defaults $KEYRING_VAULT_PLUGIN_OPT --keyring-migration-source=$KEYRING_VAULT_PLUGIN_LIBRARY --loose-keyring-vault-config=$vault_conf_file --keyring-migration-destination=$KEYRING_FILE_PLUGIN_LIBRARY --loose-keyring-file-data=$KEYRING_FILE_PLUGIN_DATA_FILE_PATH >/dev/null 2>&1 + +--echo *** Deleting the Hashicorp Vault mount point created previously +--let $mount_point_service_op = DELETE +--source mount_point_service.inc + +--echo *** Starting the server (with keyring_file plugin) +--let $restart_parameters = restart: $KEYRING_PLUGIN_OPT $KEYRING_PLUGIN_EARLY_LOAD --loose-keyring-file-data=$KEYRING_FILE_PLUGIN_DATA_FILE_PATH +--let $do_not_echo_parameters = 1 +--source include/start_mysqld.inc + +--echo *** Asserting that keyring_file plugin is installed and active +--assert (`SELECT PLUGIN_STATUS = 'ACTIVE' FROM information_schema.plugins WHERE PLUGIN_NAME = '$KEYRING_FILE_PLUGIN_NAME'`) + +--echo *** Installing keyring UDF plugin once again after keyring plugin switch +--disable_query_log +eval INSTALL PLUGIN keyring_udf SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_type_fetch RETURNS STRING SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_length_fetch RETURNS INTEGER SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_fetch RETURNS STRING SONAME '$KEYRING_UDF'; +--enable_query_log + +--echo *** Asserting that keys stored in keyring_vault plugin successfully migrated to keyring_file plugin +--assert (`SELECT COUNT(*) = 1 FROM performance_schema.keyring_keys WHERE KEY_ID = '$stored_t1_key_id'`) +--assert (`SELECT COUNT(*) = 1 FROM performance_schema.keyring_keys WHERE KEY_ID = '$stored_t2_key_id'`) +--assert (`SELECT COUNT(*) = 1 FROM performance_schema.keyring_keys WHERE KEY_ID = '$stored_custom_key_id'`) + +--assert (`SELECT keyring_key_type_fetch('$stored_custom_key_id') = '$stored_custom_key_type'`) +--assert (`SELECT keyring_key_length_fetch('$stored_custom_key_id') = '$stored_custom_key_length'`) +--assert (`SELECT HEX(keyring_key_fetch('$stored_custom_key_id')) = '$stored_custom_key_data_hex'`) + +--echo *** Uninstalling keyring UDF plugin once again after keyring plugin switch +--disable_query_log +DROP FUNCTION keyring_key_fetch; +DROP FUNCTION keyring_key_length_fetch; +DROP FUNCTION keyring_key_type_fetch; +UNINSTALL PLUGIN keyring_udf; +--enable_query_log + +--echo *** Asserting that data can be read from the sample tables +--let $t1_checksum_after_switch = query_get_value(CHECKSUM TABLE t1, Checksum, 1) +--assert (`SELECT $t1_checksum_after_switch = $t1_checksum`) +--let $t2_checksum_after_switch = query_get_value(CHECKSUM TABLE t2, Checksum, 1) +--assert (`SELECT $t2_checksum_after_switch = $t2_checksum`) + +--echo *** Generating an UUID for another Hashicorp Vault mount point (for importing) +--let $vault_conf_mount_point_uuid = `SELECT UUID()` + + +--echo +--echo ********************************************************************** +--echo *** Checking keyring_file plugin -> keyring_vault plugin migration *** +--echo ********************************************************************** +--echo + +--echo *** Stopping the server (with keyring_file plugin) +--source include/stop_mysqld.inc + +--echo *** Creating a Hashicorp Vault mount point with another UUID +--let $vault_conf_mount_point_suffix = +--let $mount_point_service_op = CREATE +--source mount_point_service.inc + +--echo *** Re-generating keyring_vault plugin configuration file content after mount point UUID update +--source generate_conf_file.inc + +--echo *** Executing keyring data migration via mysqld (keyring_file plugin -> keyring_vault plugin) +--exec $MYSQLD --no-defaults $KEYRING_PLUGIN_OPT --keyring-migration-source=$KEYRING_FILE_PLUGIN_LIBRARY --loose-keyring-file-data=$KEYRING_FILE_PLUGIN_DATA_FILE_PATH --keyring-migration-destination=$KEYRING_VAULT_PLUGIN_LIBRARY --loose-keyring-vault-config=$vault_conf_file >/dev/null 2>&1 + +--echo *** Removing keyring_file plugin data file +--remove_file $KEYRING_FILE_PLUGIN_DATA_FILE_PATH + +--echo *** Starting the server (with keyring_vault plugin) +--let $restart_parameters = restart: $KEYRING_VAULT_PLUGIN_OPT $KEYRING_VAULT_PLUGIN_EARLY_LOAD --loose-keyring-vault-config=$vault_conf_file +--let $do_not_echo_parameters = 1 +--source include/start_mysqld.inc + +--echo *** Asserting that keyring_vault plugin is installed and active again +--assert (`SELECT PLUGIN_STATUS = 'ACTIVE' FROM information_schema.plugins WHERE PLUGIN_NAME = '$KEYRING_VAULT_PLUGIN_NAME'`) + +--echo *** Installing keyring UDF plugin once again after keyring plugin switch back +--disable_query_log +eval INSTALL PLUGIN keyring_udf SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_type_fetch RETURNS STRING SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_length_fetch RETURNS INTEGER SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_fetch RETURNS STRING SONAME '$KEYRING_UDF'; +--enable_query_log + +--echo *** Asserting that keys stored in keyring_file plugin successfully migrated to keyring_vault_plugin +--assert (`SELECT COUNT(*) = 1 FROM performance_schema.keyring_keys WHERE KEY_ID = '$stored_t1_key_id'`) +--assert (`SELECT COUNT(*) = 1 FROM performance_schema.keyring_keys WHERE KEY_ID = '$stored_t2_key_id'`) +--assert (`SELECT COUNT(*) = 1 FROM performance_schema.keyring_keys WHERE KEY_ID = '$stored_custom_key_id'`) + +--assert (`SELECT keyring_key_type_fetch('$stored_custom_key_id') = '$stored_custom_key_type'`) +--assert (`SELECT keyring_key_length_fetch('$stored_custom_key_id') = '$stored_custom_key_length'`) +--assert (`SELECT HEX(keyring_key_fetch('$stored_custom_key_id')) = '$stored_custom_key_data_hex'`) + +--echo *** Uninstalling keyring UDF plugin once again after keyring plugin switch back +--disable_query_log +DROP FUNCTION keyring_key_fetch; +DROP FUNCTION keyring_key_length_fetch; +DROP FUNCTION keyring_key_type_fetch; +UNINSTALL PLUGIN keyring_udf; +--enable_query_log + +--echo *** Asserting that data can be read from the sample tables +--let $t1_checksum_after_switch = query_get_value(CHECKSUM TABLE t1, Checksum, 1) +--assert (`SELECT $t1_checksum_after_switch = $t1_checksum`) +--let $t2_checksum_after_switch = query_get_value(CHECKSUM TABLE t2, Checksum, 1) +--assert (`SELECT $t2_checksum_after_switch = $t2_checksum`) + +--echo *** Dropping the sample tables +DROP TABLE t2; +DROP TABLE t1; + +--echo *** Restarting the server with no keyring enableds +--let $restart_parameters = +--source include/restart_mysqld.inc + +--echo *** Deleting the Hashicorp Vault mount point re-created previously +--let $mount_point_service_op = DELETE +--source mount_point_service.inc + +--echo *** Deleting keyring_vault plugin config +--remove_file $MYSQLTEST_VARDIR/keyring_vault.conf diff --git a/plugin/keyring_vault/vault_base64.cc b/plugin/keyring_vault/vault_base64.cc index 104e517c6157..36972a369d5d 100644 --- a/plugin/keyring_vault/vault_base64.cc +++ b/plugin/keyring_vault/vault_base64.cc @@ -30,7 +30,7 @@ bool Vault_base64::encode(const void *src, size_t src_len, // provide access to underlying data when they are empty. Calling reserve on // those containers does not help. if (::base64_encode(src, src_len, base64_encoded_text.get()) != 0) { - memset_s(base64_encoded_text.get(), memory_needed, 0, memory_needed); + my_memset_s(base64_encoded_text.get(), memory_needed, 0, memory_needed); return true; } if (format == Format::SINGLE_LINE) { @@ -42,7 +42,7 @@ bool Vault_base64::encode(const void *src, size_t src_len, // base64 encode below returns data with NULL terminating string - which we do // not care about encoded->assign(base64_encoded_text.get(), memory_needed - 1); - memset_s(base64_encoded_text.get(), memory_needed, 0, memory_needed); + my_memset_s(base64_encoded_text.get(), memory_needed, 0, memory_needed); return false; } @@ -52,7 +52,7 @@ bool Vault_base64::decode(const Secure_string &src, Secure_string *dst) { uint64 data_length; if (decode(src, &data, &data_length)) return true; dst->assign(data, data_length); - memset_s(data, data_length, 0, data_length); + my_memset_s(data, data_length, 0, data_length); delete[] data; return false; } @@ -67,8 +67,8 @@ bool Vault_base64::decode(const Secure_string &src, char **dst, int64 decoded_length = ::base64_decode(src.c_str(), src.length(), data.get(), NULL, 0); if (decoded_length <= 0) { - memset_s(data.get(), base64_length_of_memory_needed_for_decode, 0, - base64_length_of_memory_needed_for_decode); + my_memset_s(data.get(), base64_length_of_memory_needed_for_decode, 0, + base64_length_of_memory_needed_for_decode); return true; } *dst = data.release(); diff --git a/sql/binlog_crypt_data.cc b/sql/binlog_crypt_data.cc index 766647745dc6..0e8728f4c880 100644 --- a/sql/binlog_crypt_data.cc +++ b/sql/binlog_crypt_data.cc @@ -53,7 +53,7 @@ Binlog_crypt_data::Binlog_crypt_data(const Binlog_crypt_data &b) void Binlog_crypt_data::free_key(uchar *&key, size_t &key_length) noexcept { if (key != nullptr) { assert(key_length == 16); - memset_s(key, 512, 0, key_length); + my_memset_s(key, 512, 0, key_length); my_free(key); key = nullptr; key_length = 0; diff --git a/sql/binlog_reader.cc b/sql/binlog_reader.cc index 257e6aae2000..da982217f5c5 100644 --- a/sql/binlog_reader.cc +++ b/sql/binlog_reader.cc @@ -91,7 +91,7 @@ Binlog_event_data_istream::Decryption_buffer::~Decryption_buffer() { } bool Binlog_event_data_istream::Decryption_buffer::resize(size_t new_size) { - memset_s(m_buffer, m_size, 0, m_size); + my_memset_s(m_buffer, m_size, 0, m_size); delete[] m_buffer; m_size = 0; m_buffer = nullptr;