CUBRID Engine  latest
tde.h
Go to the documentation of this file.
1 /*
2  *
3  * Copyright 2016 CUBRID Corporation
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 /*
20  * tde.hpp - TDE (Transparent Data Encryption) Module
21  */
22 
23 #ifndef _TDE_HPP_
24 #define _TDE_HPP_
25 
26 #ident "$Id$"
27 
28 #include "storage_common.h"
29 
30 #if defined (SA_MODE)
31 #include "boot_sr.h"
32 #endif
33 
34 /* forward declarations */
35 struct fileio_page;
36 typedef fileio_page FILEIO_PAGE;
37 struct log_page;
38 typedef log_page LOG_PAGE;
39 
40 #define TDE_DK_ALGORITHM TDE_ALGORITHM_AES
41 
42 /* ENCRYPTION AREA */
43 #define TDE_DATA_PAGE_ENC_OFFSET sizeof (FILEIO_PAGE_RESERVED)
44 #define TDE_DATA_PAGE_ENC_LENGTH DB_PAGESIZE
45 #define TDE_LOG_PAGE_ENC_OFFSET sizeof (LOG_HDRPAGE)
46 #define TDE_LOG_PAGE_ENC_LENGTH ((LOG_PAGESIZE) - (TDE_LOG_PAGE_ENC_OFFSET))
47 
48 /* 128 bit nonce */
49 #define TDE_DATA_PAGE_NONCE_LENGTH 16
50 #define TDE_LOG_PAGE_NONCE_LENGTH 16
51 #define TDE_DK_NONCE_LENGTH 16
52 
53 /* TDE Keys - 256 bit */
54 #define TDE_MASTER_KEY_LENGTH 32
55 #define TDE_DATA_KEY_LENGTH 32
56 
57 /* TDE Key file item locations */
58 #define TDE_MK_FILE_CONTENTS_START CUBRID_MAGIC_MAX_LENGTH
59 #define TDE_MK_FILE_ITEM_SIZE (sizeof (TDE_MK_FILE_ITEM))
60 #define TDE_MK_FILE_ITEM_OFFSET(index) \
61  (TDE_MK_FILE_CONTENTS_START + TDE_MK_FILE_ITEM_SIZE * (index))
62 #define TDE_MK_FILE_ITEM_INDEX(offset) \
63  (((offset) - TDE_MK_FILE_CONTENTS_START) / TDE_MK_FILE_ITEM_SIZE)
64 
65 #define TDE_MK_FILE_ITEM_COUNT_MAX 128
66 
67 /*
68  * Each value is also used to be index of tde_Algorithm_str[].
69  * These must be changed togeter
70  */
71 typedef enum
72 {
73  TDE_ALGORITHM_NONE = 0,
74  TDE_ALGORITHM_AES = 1, /* AES 256 */
75  TDE_ALGORITHM_ARIA = 2, /* ARIA 256 */
76 } TDE_ALGORITHM;
77 
78 typedef enum tde_data_key_type
79 {
80  TDE_DATA_KEY_TYPE_PERM,
81  TDE_DATA_KEY_TYPE_TEMP,
82  TDE_DATA_KEY_TYPE_LOG
83 } TDE_DATA_KEY_TYPE;
84 
85 typedef struct tde_data_key_set
86 {
87  unsigned char perm_key[TDE_DATA_KEY_LENGTH];
88  unsigned char temp_key[TDE_DATA_KEY_LENGTH];
89  unsigned char log_key[TDE_DATA_KEY_LENGTH];
90 } TDE_DATA_KEY_SET;
91 
92 typedef struct tde_mk_file_item
93 {
94  time_t created_time; /* If it is -1, it is invalid and avaliable for a new key */
95  unsigned char master_key[TDE_MASTER_KEY_LENGTH];
96 } TDE_MK_FILE_ITEM;
97 
98 #ifdef UNSTABLE_TDE_FOR_REPLICATION_LOG
99 #if defined(CS_MODE)
100 #define TDE_HA_SOCK_NAME ".ha_sock"
101 #endif /* CS_MODE */
102 #endif /* UNSTABLE_TDE_FOR_REPLICATION_LOG */
103 
104 #if !defined(CS_MODE)
105 
106 /* Is log record contains User Data */
107 #define LOG_MAY_CONTAIN_USER_DATA(rcvindex) \
108  ((rcvindex) == RVHF_INSERT \
109  || (rcvindex) == RVHF_DELETE \
110  || (rcvindex) == RVHF_UPDATE \
111  || (rcvindex) == RVHF_MVCC_INSERT \
112  || (rcvindex) == RVHF_MVCC_DELETE_MODIFY_HOME \
113  || (rcvindex) == RVHF_UPDATE_NOTIFY_VACUUM \
114  || (rcvindex) == RVHF_INSERT_NEWHOME \
115  || (rcvindex) == RVHF_MVCC_REDISTRIBUTE \
116  || (rcvindex) == RVHF_MVCC_UPDATE_OVERFLOW \
117  || (rcvindex) == RVOVF_NEWPAGE_INSERT \
118  || (rcvindex) == RVOVF_PAGE_UPDATE \
119  || (rcvindex) == RVBT_INS_PGRECORDS \
120  || (rcvindex) == RVBT_NDRECORD_UPD \
121  || (rcvindex) == RVBT_NDRECORD_INS \
122  || (rcvindex) == RVBT_NDRECORD_DEL \
123  || (rcvindex) == RVBT_COPYPAGE \
124  || (rcvindex) == RVBT_DELETE_OBJECT_PHYSICAL \
125  || (rcvindex) == RVBT_NON_MVCC_INSERT_OBJECT \
126  || (rcvindex) == RVBT_MVCC_INSERT_OBJECT \
127  || (rcvindex) == RVBT_MVCC_INSERT_OBJECT_UNQ \
128  || (rcvindex) == RVBT_RECORD_MODIFY_UNDOREDO \
129  || (rcvindex) == RVBT_RECORD_MODIFY_NO_UNDO \
130  || (rcvindex) == RVBT_RECORD_MODIFY_COMPENSATE \
131  || (rcvindex) == RVREPL_DATA_INSERT \
132  || (rcvindex) == RVREPL_DATA_UPDATE \
133  || (rcvindex) == RVREPL_DATA_DELETE \
134  || (rcvindex) == RVREPL_DATA_UPDATE_START \
135  || (rcvindex) == RVREPL_DATA_UPDATE_END \
136  || (rcvindex) == RVBT_ONLINE_INDEX_UNDO_TRAN_INSERT \
137  || (rcvindex) == RVBT_ONLINE_INDEX_UNDO_TRAN_DELETE)
138 
139 /*
140  * TDE Cipher, the core object on memory, which is loaded at restart
141  * and used everywhere encryption or decription is requested.
142  *
143  * Note: Now TDE for replication log is disabled,
144  * so CS_MODE version tde_cipher is not needed.
145  */
146 typedef struct tde_cipher
147 {
148  bool is_loaded;
149  TDE_DATA_KEY_SET data_keys; /* data keys decrypted from tde keyinfo heap, which is constant */
150  int64_t temp_write_counter; /* used as nonce for temp file page, it has to be dealt atomically */
151 } TDE_CIPHER;
152 
153 extern TDE_CIPHER tde_Cipher; /* global var for TDE Module */
154 
155 /*
156  * TDE module stores key information with all the data keys encrypted and master key hashed.
157  */
158 typedef struct tde_keyinfo
159 {
160  int mk_index;
161  time_t created_time;
162  time_t set_time;
163  unsigned char mk_hash[TDE_MASTER_KEY_LENGTH];
164  unsigned char dk_perm[TDE_DATA_KEY_LENGTH];
165  unsigned char dk_temp[TDE_DATA_KEY_LENGTH];
166  unsigned char dk_log[TDE_DATA_KEY_LENGTH];
167 } TDE_KEYINFO;
168 
169 extern int tde_initialize (THREAD_ENTRY * thread_p, HFID * keyinfo_hfid);
170 extern int tde_cipher_initialize (THREAD_ENTRY * thread_p, const HFID * keyinfo_hfid, const char *mk_path_given);
171 extern int tde_get_keyinfo (THREAD_ENTRY * thread_p, TDE_KEYINFO * keyinfo);
172 
173 /*
174  * tde functions for the master key management
175  */
176 extern void tde_make_keys_file_fullname (char *keys_vol_fullname, const char *db_full_name, bool ignore_parm);
177 extern bool tde_validate_keys_file (int vdes);
178 extern int tde_copy_keys_file (THREAD_ENTRY * thread_p, const char *dest_fullname, const char *src_fullname,
179  bool keep_dest_mount, bool keep_src_mount);
180 extern int tde_load_mk (int vdes, const TDE_KEYINFO * keyinfo, unsigned char *master_key);
181 extern int tde_change_mk (THREAD_ENTRY * thread_p, const int mk_index, const unsigned char *master_key,
182  const time_t created_time);
183 
184 /*
185  * TDE functions for encrpytion and decryption
186  */
187 extern int tde_encrypt_data_page (const FILEIO_PAGE * iopage_plain, TDE_ALGORITHM tde_algo, bool is_temp,
188  FILEIO_PAGE * iopage_cipher);
189 extern int tde_decrypt_data_page (const FILEIO_PAGE * iopage_cipher, TDE_ALGORITHM tde_algo, bool is_temp,
190  FILEIO_PAGE * iopage_plain);
191 /*
192  * Encryption/Decryption functions for logpage are also needed for applylogdb, copylogdb (CS_MODE),
193  * but TDE for replication log is disabled now
194  */
195 extern int tde_encrypt_log_page (const LOG_PAGE * logpage_plain, TDE_ALGORITHM tde_algo, LOG_PAGE * logpage_cipher);
196 extern int tde_decrypt_log_page (const LOG_PAGE * logpage_cipher, TDE_ALGORITHM tde_algo, LOG_PAGE * logpage_plain);
197 
198 #endif /* !CS_MODE */
199 
200 /*
201  * tde functions for the master key management
202  */
203 extern int tde_create_mk (unsigned char *master_key, time_t * created_time);
204 extern int tde_add_mk (int vdes, const unsigned char *master_key, time_t created_time, int *mk_index);
205 extern int tde_find_mk (int vdes, int mk_index, unsigned char *master_key, time_t * created_time);
206 extern int tde_find_first_mk (int vdes, int *mk_index, unsigned char *master_key, time_t * created_time);
207 extern int tde_delete_mk (int vdes, const int mk_index);
208 extern void tde_print_mk (const unsigned char *master_key);
209 extern int tde_dump_mks (int vdes, bool print_value);
210 extern const char *tde_get_algorithm_name (TDE_ALGORITHM tde_algo);
211 #endif /* _TDE_HPP_ */
tde_keyinfo::set_time
time_t set_time
Definition: tde.h:162
tde_keyinfo::mk_index
int mk_index
Definition: tde.h:160
tde_make_keys_file_fullname
void tde_make_keys_file_fullname(char *keys_vol_fullname, const char *db_full_name, bool ignore_parm)
Definition: tde.c:492
tde_cipher_initialize
int tde_cipher_initialize(THREAD_ENTRY *thread_p, const HFID *keyinfo_hfid, const char *mk_path_given)
Definition: tde.c:232
tde_find_mk
int tde_find_mk(int vdes, int mk_index, unsigned char *master_key, time_t *created_time)
Definition: tde.c:1437
tde_encrypt_log_page
int tde_encrypt_log_page(const LOG_PAGE *logpage_plain, TDE_ALGORITHM tde_algo, LOG_PAGE *logpage_cipher)
Definition: tde.c:997
boot_sr.h
TDE_DATA_KEY_SET
struct tde_data_key_set TDE_DATA_KEY_SET
TDE_KEYINFO
struct tde_keyinfo TDE_KEYINFO
tde_encrypt_data_page
int tde_encrypt_data_page(const FILEIO_PAGE *iopage_plain, TDE_ALGORITHM tde_algo, bool is_temp, FILEIO_PAGE *iopage_cipher)
Definition: tde.c:896
tde_data_key_type
tde_data_key_type
Definition: tde.h:78
fileio_page
Definition: file_io.h:192
storage_common.h
tde_decrypt_data_page
int tde_decrypt_data_page(const FILEIO_PAGE *iopage_cipher, TDE_ALGORITHM tde_algo, bool is_temp, FILEIO_PAGE *iopage_plain)
Definition: tde.c:949
tde_cipher::temp_write_counter
int64_t temp_write_counter
Definition: tde.h:150
tde_keyinfo::created_time
time_t created_time
Definition: tde.h:161
THREAD_ENTRY
void THREAD_ENTRY
Definition: thread_compat.hpp:43
tde_load_mk
int tde_load_mk(int vdes, const TDE_KEYINFO *keyinfo, unsigned char *master_key)
Definition: tde.c:693
tde_keyinfo
Definition: tde.h:158
FILEIO_PAGE
fileio_page FILEIO_PAGE
Definition: tde.h:35
TDE_ALGORITHM
TDE_ALGORITHM
Definition: tde.h:71
tde_change_mk
int tde_change_mk(THREAD_ENTRY *thread_p, const int mk_index, const unsigned char *master_key, const time_t created_time)
Definition: tde.c:649
tde_mk_file_item
Definition: tde.h:92
tde_create_mk
int tde_create_mk(unsigned char *master_key, time_t *created_time)
Definition: tde.c:1311
TDE_DATA_KEY_LENGTH
#define TDE_DATA_KEY_LENGTH
Definition: tde.h:55
tde_data_key_set::perm_key
unsigned char perm_key[TDE_DATA_KEY_LENGTH]
Definition: tde.h:87
tde_mk_file_item::created_time
time_t created_time
Definition: tde.h:94
tde_Cipher
TDE_CIPHER tde_Cipher
Definition: tde.c:69
tde_copy_keys_file
int tde_copy_keys_file(THREAD_ENTRY *thread_p, const char *dest_fullname, const char *src_fullname, bool keep_dest_mount, bool keep_src_mount)
Definition: tde.c:398
tde_get_algorithm_name
const char * tde_get_algorithm_name(TDE_ALGORITHM tde_algo)
Definition: tde.c:1694
tde_data_key_set
Definition: tde.h:85
tde_validate_keys_file
bool tde_validate_keys_file(int vdes)
Definition: tde.c:358
log_page
Definition: log_storage.hpp:81
tde_data_key_set::temp_key
unsigned char temp_key[TDE_DATA_KEY_LENGTH]
Definition: tde.h:88
print_value
static void print_value(FIELD_NAME name, const void *value, FIELD_TYPE type)
Definition: broker_monitor.c:2586
tde_find_first_mk
int tde_find_first_mk(int vdes, int *mk_index, unsigned char *master_key, time_t *created_time)
Definition: tde.c:1504
TDE_CIPHER
struct tde_cipher TDE_CIPHER
tde_delete_mk
int tde_delete_mk(int vdes, const int mk_index)
Definition: tde.c:1569
tde_cipher::is_loaded
bool is_loaded
Definition: tde.h:148
tde_cipher
Definition: tde.h:146
TDE_DATA_KEY_TYPE
enum tde_data_key_type TDE_DATA_KEY_TYPE
tde_initialize
int tde_initialize(THREAD_ENTRY *thread_p, HFID *keyinfo_hfid)
Definition: tde.c:106
tde_cipher::data_keys
TDE_DATA_KEY_SET data_keys
Definition: tde.h:149
tde_decrypt_log_page
int tde_decrypt_log_page(const LOG_PAGE *logpage_cipher, TDE_ALGORITHM tde_algo, LOG_PAGE *logpage_plain)
Definition: tde.c:1027
tde_data_key_set::log_key
unsigned char log_key[TDE_DATA_KEY_LENGTH]
Definition: tde.h:89
TDE_MK_FILE_ITEM
struct tde_mk_file_item TDE_MK_FILE_ITEM
tde_get_keyinfo
int tde_get_keyinfo(THREAD_ENTRY *thread_p, TDE_KEYINFO *keyinfo)
Definition: tde.c:557
TDE_MASTER_KEY_LENGTH
#define TDE_MASTER_KEY_LENGTH
Definition: tde.h:54
tde_print_mk
void tde_print_mk(const unsigned char *master_key)
Definition: tde.c:1332
tde_dump_mks
int tde_dump_mks(int vdes, bool print_value)
Definition: tde.c:1629
tde_add_mk
int tde_add_mk(int vdes, const unsigned char *master_key, time_t created_time, int *mk_index)
Definition: tde.c:1351
LOG_PAGE
log_page LOG_PAGE
Definition: tde.h:37