/storage/xtradb/include/fil0crypt.h

/*****************************************************************************
Copyright (C) 2013, 2015, Google Inc. All Rights Reserved.
Copyright (c) 2015, 2016, MariaDB Corporation.

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; version 2 of the License.

This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with
this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Suite 500, Boston, MA 02110-1335 USA

*****************************************************************************/

/**************************************************//**
@file include/fil0crypt.h
The low-level file system encryption support functions

Created 04/01/2015 Jan Lindström
*******************************************************/

#ifndef fil0crypt_h
#define fil0crypt_h

/**
* Magic pattern in start of crypt data on page 0
*/
#define MAGIC_SZ 6

static const unsigned char CRYPT_MAGIC[MAGIC_SZ] = {
	's', 0xE, 0xC, 'R', 'E', 't' };

static const unsigned char EMPTY_PATTERN[MAGIC_SZ] = {
	0x0, 0x0, 0x0, 0x0, 0x0, 0x0 };

/* This key will be used if nothing else is given */
#define FIL_DEFAULT_ENCRYPTION_KEY ENCRYPTION_KEY_SYSTEM_DATA

/** Enum values for encryption table option */
typedef enum {
	FIL_SPACE_ENCRYPTION_DEFAULT = 0,	/* Tablespace encrypted if
						srv_encrypt_tables = ON */
	FIL_SPACE_ENCRYPTION_ON = 1,		/* Tablespace is encrypted always */
	FIL_SPACE_ENCRYPTION_OFF = 2		/* Tablespace is not encrypted */
} fil_encryption_t;

/**
 * CRYPT_SCHEME_UNENCRYPTED
 *
 * Used as intermediate state when convering a space from unencrypted
 * to encrypted
 */
/**
 * CRYPT_SCHEME_1
 *
 * xxx is AES_CTR or AES_CBC (or another block cypher with the same key and iv lengths)
 *  L = AES_ECB(KEY, IV)
 *  CRYPT(PAGE) = xxx(KEY=L, IV=C, PAGE)
 */

#define CRYPT_SCHEME_1 1
#define CRYPT_SCHEME_1_IV_LEN 16
#define CRYPT_SCHEME_UNENCRYPTED 0

/* Cached L or key for given key_version */
struct key_struct
{
	uint key_version;			/*!< Version of the key */
	uint key_length;			/*!< Key length */
	unsigned char key[MY_AES_MAX_KEY_LENGTH]; /*!< Cached key
                                                (that is L in CRYPT_SCHEME_1) */
};

struct fil_space_rotate_state_t
{
	time_t start_time;	/*!< time when rotation started */
	ulint active_threads;	/*!< active threads in space */
	ulint next_offset;	/*!< next "free" offset */
	ulint max_offset;	/*!< max offset needing to be rotated */
	uint  min_key_version_found; /*!< min key version found but not
				     rotated */
	lsn_t end_lsn;		/*!< max lsn created when rotating this
				space */
	bool starting;		/*!< initial write of IV */
	bool flushing;		/*!< space is being flushed at end of rotate */
	struct {
		bool is_active; /*!< is scrubbing active in this space */
		time_t last_scrub_completed; /*!< when was last scrub
					     completed */
	} scrubbing;
};

struct fil_space_crypt_struct : st_encryption_scheme
{
	uint min_key_version; // min key version for this space
	ulint page0_offset;   // byte offset on page 0 for crypt data
	fil_encryption_t encryption; // Encryption setup

	ib_mutex_t mutex;   // mutex protecting following variables
	bool closing;	    // is tablespace being closed
	bool inited;
	fil_space_rotate_state_t rotate_state;
};

/* structure containing encryption specification */
typedef struct fil_space_crypt_struct fil_space_crypt_t;

/*********************************************************************
Init global resources needed for tablespace encryption/decryption */
UNIV_INTERN
void
fil_space_crypt_init();

/*********************************************************************
Cleanup global resources needed for tablespace encryption/decryption */
UNIV_INTERN
void
fil_space_crypt_cleanup();

/*********************************************************************
Create crypt data, i.e data that is used for a single tablespace */
UNIV_INTERN
fil_space_crypt_t *
fil_space_create_crypt_data(
/*========================*/
	fil_encryption_t	encrypt_mode,	/*!< in: encryption mode */
	uint			key_id);	/*!< in: encryption key id */

/*********************************************************************
Destroy crypt data */
UNIV_INTERN
void
fil_space_destroy_crypt_data(
/*=========================*/
	fil_space_crypt_t **crypt_data); /*!< in/out: crypt data */

/*********************************************************************
Get crypt data for a space*/
UNIV_INTERN
fil_space_crypt_t *
fil_space_get_crypt_data(
/*=====================*/
	ulint space); /*!< in: tablespace id */

/*********************************************************************
Set crypt data for a space*/
UNIV_INTERN
fil_space_crypt_t*
fil_space_set_crypt_data(
/*=====================*/
	ulint space,                    /*!< in: tablespace id */
	fil_space_crypt_t* crypt_data); /*!< in: crypt data to set */

/*********************************************************************
Merge crypt data */
UNIV_INTERN
void
fil_space_merge_crypt_data(
/*=======================*/
	fil_space_crypt_t* dst_crypt_data,  /*!< in: crypt_data */
	const fil_space_crypt_t* src_crypt_data); /*!< in: crypt data */

/*********************************************************************
Read crypt data from buffer page */
UNIV_INTERN
fil_space_crypt_t *
fil_space_read_crypt_data(
/*======================*/
	ulint space,      /*!< in: tablespace id */
	const byte* page, /*!< in: buffer page */
	ulint offset);    /*!< in: offset where crypt data is stored */

/*********************************************************************
Write crypt data to buffer page */
UNIV_INTERN
void
fil_space_write_crypt_data(
/*=======================*/
	ulint space,   /*!< in: tablespace id */
	byte* page,    /*!< in: buffer page */
	ulint offset,  /*!< in: offset where to store data */
	ulint maxsize, /*!< in: max space available to store crypt data in */
	mtr_t * mtr);  /*!< in: mini-transaction */

/*********************************************************************
Clear crypt data from page 0 (used for import tablespace) */
UNIV_INTERN
void
fil_space_clear_crypt_data(
/*=======================*/
	byte* page,    /*!< in: buffer page */
	ulint offset); /*!< in: offset where crypt data is stored */

/*********************************************************************
Parse crypt data log record */
UNIV_INTERN
byte*
fil_parse_write_crypt_data(
/*=======================*/
	byte* ptr,     /*!< in: start of log record */
	byte* end_ptr, /*!< in: end of log record */
	buf_block_t*); /*!< in: buffer page to apply record to */

/*********************************************************************
Check if extra buffer shall be allocated for decrypting after read */
UNIV_INTERN
bool
fil_space_check_encryption_read(
/*============================*/
	ulint space);          /*!< in: tablespace id */

/******************************************************************
Decrypt a page
@return true if page is decrypted, false if not. */
UNIV_INTERN
bool
fil_space_decrypt(
/*==============*/
	fil_space_crypt_t*	crypt_data,	/*!< in: crypt data */
	byte*			tmp_frame,	/*!< in: temporary buffer */
	ulint			page_size,	/*!< in: page size */
	byte*			src_frame,	/*!< in:out: page buffer */
	dberr_t*		err);		/*!< in: out: DB_SUCCESS or
						error code */

/*********************************************************************
Encrypt buffer page
@return encrypted page, or original not encrypted page if encrypt
is not needed. */
UNIV_INTERN
byte*
fil_space_encrypt(
/*==============*/
	ulint	space,		/*!< in: tablespace id */
	ulint	offset,		/*!< in: page no */
	lsn_t	lsn,		/*!< in: page lsn */
	byte*	src_frame,	/*!< in: page frame */
	ulint	size,		/*!< in: size of data to encrypt */
	byte*	dst_frame);	/*!< in: where to encrypt to */

/*********************************************************************
Decrypt buffer page
@return decrypted page, or original not encrypted page if decrypt is
not needed.*/
UNIV_INTERN
byte*
fil_space_decrypt(
/*==============*/
	ulint	space,		/*!< in: tablespace id */
	byte*	src_frame,	/*!< in: page frame */
	ulint	page_size,	/*!< in: size of data to encrypt */
	byte*	dst_frame)	/*!< in: where to decrypt to */
	__attribute__((warn_unused_result));

/*********************************************************************
fil_space_verify_crypt_checksum
NOTE: currently this function can only be run in single threaded mode
as it modifies srv_checksum_algorithm (temporarily)
@return true if page is encrypted AND OK, false otherwise */
UNIV_INTERN
bool
fil_space_verify_crypt_checksum(
/*============================*/
	const byte* src_frame,/*!< in: page frame */
	ulint zip_size);      /*!< in: size of data to encrypt */

/*********************************************************************
Init threads for key rotation */
UNIV_INTERN
void
fil_crypt_threads_init();

/*********************************************************************
Set thread count (e.g start or stops threads) used for key rotation */
UNIV_INTERN
void
fil_crypt_set_thread_cnt(
/*=====================*/
	uint new_cnt); /*!< in: requested #threads */

/*********************************************************************
End threads for key rotation */
UNIV_INTERN
void
fil_crypt_threads_end();

/*********************************************************************
Cleanup resources for threads for key rotation */
UNIV_INTERN
void
fil_crypt_threads_cleanup();

/*********************************************************************
Set rotate key age */
UNIV_INTERN
void
fil_crypt_set_rotate_key_age(
/*=========================*/
	uint rotate_age); /*!< in: requested rotate age */

/*********************************************************************
Set rotation threads iops */
UNIV_INTERN
void
fil_crypt_set_rotation_iops(
/*========================*/
	uint iops); /*!< in: requested iops */

/*********************************************************************
Mark a space as closing */
UNIV_INTERN
void
fil_space_crypt_mark_space_closing(
/*===============================*/
	ulint space);          /*!< in: tablespace id */

/*********************************************************************
Wait for crypt threads to stop accessing space */
UNIV_INTERN
void
fil_space_crypt_close_tablespace(
/*=============================*/
	ulint space);          /*!< in: tablespace id */

/** Struct for retreiving info about encryption */
struct fil_space_crypt_status_t {
	ulint space;             /*!< tablespace id */
	ulint scheme;            /*!< encryption scheme */
	uint  min_key_version;   /*!< min key version */
	uint  current_key_version;/*!< current key version */
	uint  keyserver_requests;/*!< no of key requests to key server */
	ulint key_id;            /*!< current key_id */
	bool rotating;           /*!< is key rotation ongoing */
	bool flushing;           /*!< is flush at end of rotation ongoing */
	ulint rotate_next_page_number; /*!< next page if key rotating */
	ulint rotate_max_page_number;  /*!< max page if key rotating */
};

/*********************************************************************
Get crypt status for a space
@return 0 if crypt data found */
UNIV_INTERN
int
fil_space_crypt_get_status(
/*=======================*/
	ulint id,	                           /*!< in: space id */
	struct fil_space_crypt_status_t * status); /*!< out: status  */

/** Struct for retreiving statistics about encryption key rotation */
struct fil_crypt_stat_t {
	ulint pages_read_from_cache;
	ulint pages_read_from_disk;
	ulint pages_modified;
	ulint pages_flushed;
	ulint estimated_iops;
};

/*********************************************************************
Get crypt rotation statistics */
UNIV_INTERN
void
fil_crypt_total_stat(
/*==================*/
	fil_crypt_stat_t* stat); /*!< out: crypt stat */

/** Struct for retreiving info about scrubbing */
struct fil_space_scrub_status_t {
	ulint space;             /*!< tablespace id */
	bool compressed;        /*!< is space compressed  */
	time_t last_scrub_completed;  /*!< when was last scrub completed */
	bool scrubbing;               /*!< is scrubbing ongoing */
	time_t current_scrub_started; /*!< when started current scrubbing */
	ulint current_scrub_active_threads; /*!< current scrub active threads */
	ulint current_scrub_page_number; /*!< current scrub page no */
	ulint current_scrub_max_page_number; /*!< current scrub max page no */
};

/*********************************************************************
Get scrub status for a space
@return 0 if no scrub info found */
UNIV_INTERN
int
fil_space_get_scrub_status(
/*=======================*/
	ulint id,	                           /*!< in: space id */
	struct fil_space_scrub_status_t * status); /*!< out: status  */

/*********************************************************************
Adjust encrypt tables */
UNIV_INTERN
void
fil_crypt_set_encrypt_tables(
/*=========================*/
	uint val);      /*!< in: New srv_encrypt_tables setting */

/******************************************************************
Encrypt a buffer */
UNIV_INTERN
byte*
fil_encrypt_buf(
/*============*/
	fil_space_crypt_t* crypt_data,	/*!< in: crypt data */
	ulint		space,		/*!< in: Space id */
	ulint		offset,		/*!< in: Page offset */
	lsn_t		lsn,		/*!< in: lsn */
	byte*		src_frame,	/*!< in: Source page to be encrypted */
	ulint		zip_size,	/*!< in: compressed size if
					row_format compressed */
	byte*		dst_frame);	/*!< in: outbut buffer */

/******************************************************************
Calculate post encryption checksum
@return page checksum or BUF_NO_CHECKSUM_MAGIC
not needed. */
UNIV_INTERN
ulint
fil_crypt_calculate_checksum(
/*=========================*/
	ulint	zip_size,	/*!< in: zip_size or 0 */
	byte*	dst_frame);	/*!< in: page where to calculate */


#ifndef UNIV_NONINL
#include "fil0crypt.ic"
#endif

#endif /* fil0crypt_h */