Bug #18295445: BACKPORT aes_encrypt/decrypt block mode and key length extensions to 5.6

This is a backport of WL#6781 to 5.6.

Author: gkodinov

client/mysql_config_editor.cc

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -776,7 +776,7 @@ static my_bool check_and_create_login_file(void)
   {
     verbose_msg("File exists.\n");
 
-    file_size= stat_info.st_size;
+    file_size= (size_t) stat_info.st_size;
 
 #ifdef _WIN32
     if (1)
@@ -943,7 +943,7 @@ static void mask_password_and_print(char *buf)
 static void remove_options(DYNAMIC_STRING *file_buf, const char *path_name)
 {
   /* If nope of the options are specified remove the entire path. */
-  if (!opt_remove_host && !opt_remove_pass && !opt_remove_user 
+  if (!opt_remove_host && !opt_remove_pass && !opt_remove_user
       && !opt_remove_socket && !opt_remove_port)
   {
     remove_login_path(file_buf, path_name);
@@ -1295,7 +1295,7 @@ static int read_and_decrypt_file(DYNAMIC_STRING *file_buf)
 
   @param plain     [in]   Plain text to be encrypted.
   @param plain_len [in]   Length of the plain text.
-  @param cipher    [in]   Encrypted cipher text.
+  @param cipher    [out]  Encrypted cipher text.
 
   @return                 -1 if error encountered,
                           length encrypted, otherwise.
@@ -1306,9 +1306,12 @@ static int encrypt_buffer(const char *plain, int plain_len, char cipher[])
   DBUG_ENTER("encrypt_buffer");
   int aes_len;
 
-  aes_len= my_aes_get_size(plain_len);
+  aes_len= my_aes_get_size(plain_len, my_aes_128_ecb);
 
-  if (my_aes_encrypt(plain, plain_len, cipher, my_key, LOGIN_KEY_LEN) == aes_len)
+  if (my_aes_encrypt((const unsigned char *) plain, plain_len,
+                     (unsigned char *) cipher,
+                     (const unsigned char *) my_key, LOGIN_KEY_LEN,
+                     my_aes_128_ecb, NULL) == aes_len)
     DBUG_RETURN(aes_len);
 
   verbose_msg("Error! Couldn't encrypt the buffer.\n");
@@ -1321,7 +1324,7 @@ static int encrypt_buffer(const char *plain, int plain_len, char cipher[])
 
   @param cipher     [in]  Cipher text to be decrypted.
   @param cipher_len [in]  Length of the cipher text.
-  @param plain      [in]  Decrypted plain text.
+  @param plain      [out] Decrypted plain text.
 
   @return                 -1 if error encountered,
                           length decrypted, otherwise.
@@ -1332,8 +1335,11 @@ static int decrypt_buffer(const char *cipher, int cipher_len, char plain[])
   DBUG_ENTER("decrypt_buffer");
   int aes_length;
 
-  if ((aes_length= my_aes_decrypt(cipher, cipher_len, (char *) plain,
-                                  my_key, LOGIN_KEY_LEN)) > 0)
+  if ((aes_length= my_aes_decrypt((const unsigned char *) cipher, cipher_len,
+                                  (unsigned char *) plain,
+                                  (const unsigned char *) my_key,
+                                  LOGIN_KEY_LEN,
+                                  my_aes_128_ecb, NULL)) > 0)
     DBUG_RETURN(aes_length);
 
   verbose_msg("Error! Couldn't decrypt the buffer.\n");

include/my_aes.h

@@ -1,7 +1,7 @@
 #ifndef MY_AES_INCLUDED
 #define MY_AES_INCLUDED
 
-/* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
 
  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@@ -22,46 +22,108 @@
 
 C_MODE_START
 
-#define AES_KEY_LENGTH 128		/* Must be 128 192 or 256 */
-
-/*
-  my_aes_encrypt	- Crypt buffer with AES encryption algorithm.
-  source		- Pointer to data for encryption
-  source_length		- size of encryption data
-  dest			- buffer to place encrypted data (must be large enough)
-  key			- Key to be used for encryption
-  kel_length		- Length of the key. Will handle keys of any length
+/** AES IV size is 16 bytes for all supported ciphers except ECB */
+#define MY_AES_IV_SIZE 16
+
+
+/** Supported AES cipher/block mode combos */
+enum my_aes_opmode
+{
+   my_aes_128_ecb,
+   my_aes_192_ecb,
+   my_aes_256_ecb,
+   my_aes_128_cbc,
+   my_aes_192_cbc,
+   my_aes_256_cbc,
+#ifndef HAVE_YASSL
+   my_aes_128_cfb1,
+   my_aes_192_cfb1,
+   my_aes_256_cfb1,
+   my_aes_128_cfb8,
+   my_aes_192_cfb8,
+   my_aes_256_cfb8,
+   my_aes_128_cfb128,
+   my_aes_192_cfb128,
+   my_aes_256_cfb128,
+   my_aes_128_ofb,
+   my_aes_192_ofb,
+   my_aes_256_ofb,
+#endif
+};
+
+#define MY_AES_BEGIN my_aes_128_ecb
+#ifdef HAVE_YASSL
+#define MY_AES_END my_aes_256_cbc
+#else
+#define MY_AES_END my_aes_256_ofb
+#endif
+
+/* If bad data discovered during decoding */
+#define MY_AES_BAD_DATA  -1
+
+/** String representations of the supported AES modes. Keep in sync with my_aes_opmode */
+extern const char *my_aes_opmode_names[];
+
+/**
+  Encrypt a buffer using AES
+
+  @param source         [in]  Pointer to data for encryption
+  @param source_length  [in]  Size of encryption data
+  @param dest           [out] Buffer to place encrypted data (must be large enough)
+  @param key            [in]  Key to be used for encryption
+  @param key_length     [in]  Length of the key. Will handle keys of any length
+  @param mode           [in]  encryption mode
+  @param iv             [in]  16 bytes initialization vector if needed. Otherwise NULL
+  @return              size of encrypted data, or negative in case of error
+*/
 
-  returns  - size of encrypted data, or negative in case of error.
+int my_aes_encrypt(const unsigned char *source, uint32 source_length,
+                   unsigned char *dest,
+		   const unsigned char *key, uint32 key_length,
+                   enum my_aes_opmode mode, const unsigned char *iv);
+
+/**
+  Decrypt an AES encrypted buffer
+
+  @param source         Pointer to data for decryption
+  @param source_length  size of encrypted data
+  @param dest           buffer to place decrypted data (must be large enough)
+  @param key            Key to be used for decryption
+  @param key_length     Length of the key. Will handle keys of any length
+  @param mode           encryption mode
+  @param iv             16 bytes initialization vector if needed. Otherwise NULL
+  @return size of original data.
 */
 
-int my_aes_encrypt(const char *source, int source_length, char *dest,
-		   const char *key, int key_length);
 
-/*
-  my_aes_decrypt	- DeCrypt buffer with AES encryption algorithm.
-  source		- Pointer to data for decryption
-  source_length		- size of encrypted data
-  dest			- buffer to place decrypted data (must be large enough)
-  key			- Key to be used for decryption
-  kel_length		- Length of the key. Will handle keys of any length
+int my_aes_decrypt(const unsigned char *source, uint32 source_length,
+                   unsigned char *dest,
+ 		   const unsigned char *key, uint32 key_length,
+                   enum my_aes_opmode mode, const unsigned char *iv);
 
-  returns  - size of original data, or negative in case of error.
+/**
+  Calculate the size of a buffer large enough for encrypted data
+
+  @param source_length  length of data to be encrypted
+  @param mode           encryption mode
+  @return               size of buffer required to store encrypted data
 */
 
+int my_aes_get_size(uint32 source_length, enum my_aes_opmode mode);
 
-int my_aes_decrypt(const char *source, int source_length, char *dest,
-		   const char *key, int key_length);
+/**
+  Return true if the AES cipher and block mode requires an IV
 
-/*
-  my_aes_get_size - get size of buffer which will be large enough for encrypted
-		    data
-  source_length   -  length of data to be encrypted
+  SYNOPSIS
+  my_aes_needs_iv()
+  @param mode           encryption mode
 
-  returns  - size of buffer required to store encrypted data
+  @retval TRUE   IV needed
+  @retval FALSE  IV not needed
 */
 
-int my_aes_get_size(int source_length);
+my_bool my_aes_needs_iv(my_aes_opmode opmode);
+
 
 C_MODE_END
 

include/my_rnd.h

@@ -30,6 +30,7 @@ extern "C" {
 #endif
 
 double my_rnd_ssl(struct rand_struct *rand_st);
+int my_rand_buffer(unsigned char *buffer, size_t buffer_size);
 
 #ifdef __cplusplus
 }

mysql-test/include/func_aes_block.inc

@@ -0,0 +1,129 @@
+#
+# Parameters:
+#
+# $block_mode
+
+
+--echo #### $block_mode
+
+SET @IVA=REPEAT('a', 16);
+SET @IVB=REPEAT('b', 16);
+SET @KEY1=REPEAT('c', 16); 
+SET @KEY2=REPEAT('d', 16); 
+
+
+--echo #### 128-$block_mode
+
+eval SET SESSION block_encryption_mode="aes-128-$block_mode";
+
+--echo # must throw an error without an IV
+--error ER_WRONG_PARAMCOUNT_TO_NATIVE_FCT
+SELECT AES_ENCRYPT('a', @KEY1);
+
+--echo block mode dependent. Must be non-0 and non-null
+SELECT LENGTH(AES_ENCRYPT('a', @KEY1, @IVA));
+
+--echo block mode dependent
+SELECT TO_BASE64(AES_ENCRYPT('a', @KEY1, @IVA));
+
+--echo # must be equal
+SELECT 'a' = AES_DECRYPT(AES_ENCRYPT('a', @KEY1, @IVA), @KEY1, @IVA);
+
+--echo # must not be equal
+SELECT 'a' = AES_DECRYPT(AES_ENCRYPT('a',@KEY1, @IVA), @KEY1, @IVB);
+SELECT 'a' = AES_DECRYPT(AES_ENCRYPT('a',@KEY1, @IVA), @KEY2, @IVA);
+SELECT 'a' = AES_DECRYPT(AES_ENCRYPT('b',@KEY1, @IVA), @KEY1, @IVA);
+
+
+--echo #### 192-$block_mode
+
+eval SET SESSION block_encryption_mode="aes-192-$block_mode";
+
+--echo # must throw an error without an IV
+--error ER_WRONG_PARAMCOUNT_TO_NATIVE_FCT
+SELECT AES_ENCRYPT('a', @KEY1);
+
+--echo # must be equal
+SELECT 'a' = AES_DECRYPT(AES_ENCRYPT('a',@KEY1, @IVA), @KEY1, @IVA);
+
+--echo # must not be equal
+SELECT 'a' = AES_DECRYPT(AES_ENCRYPT('a',@KEY1, @IVA), @KEY1, @IVB);
+SELECT 'a' = AES_DECRYPT(AES_ENCRYPT('a',@KEY1, @IVA), @KEY2, @IVA);
+SELECT 'a' = AES_DECRYPT(AES_ENCRYPT('b',@KEY1, @IVA), @KEY1, @IVA);
+
+
+--echo #### 256-$block_mode
+
+eval SET SESSION block_encryption_mode="aes-256-$block_mode";
+
+--echo # must throw an error without an IV
+--error ER_WRONG_PARAMCOUNT_TO_NATIVE_FCT
+SELECT AES_ENCRYPT('a', @KEY1);
+
+--echo # must be equal
+SELECT 'a' = AES_DECRYPT(AES_ENCRYPT('a',@KEY1, @IVA), @KEY1, @IVA);
+
+--echo # must not be equal
+SELECT 'a' = AES_DECRYPT(AES_ENCRYPT('a',@KEY1, @IVA), @KEY1, @IVB);
+SELECT 'a' = AES_DECRYPT(AES_ENCRYPT('a',@KEY1, @IVA), @KEY2, @IVA);
+SELECT 'a' = AES_DECRYPT(AES_ENCRYPT('b',@KEY1, @IVA), @KEY1, @IVA);
+
+SET SESSION block_encryption_mode=DEFAULT;
+
+
+--echo #### 128, 192 and 256 bit $block_mode
+
+
+eval CREATE TABLE aes_$block_mode(a VARCHAR(128), b128 VARCHAR(144),
+  b192 VARCHAR(144), b256 CHAR(144));
+eval INSERT INTO aes_$block_mode (a) VALUES (REPEAT('a', 128));
+eval INSERT INTO aes_$block_mode (a) VALUES (REPEAT(0x00313233, 32));
+
+eval SET SESSION block_encryption_mode="aes-128-$block_mode";
+eval UPDATE aes_$block_mode SET b128 = AES_ENCRYPT(a, @KEY1, @IVA);
+
+eval SET SESSION block_encryption_mode="aes-192-$block_mode";
+eval UPDATE aes_$block_mode SET b192 = AES_ENCRYPT(a, @KEY1, @IVA);
+
+eval SET SESSION block_encryption_mode="aes-256-$block_mode";
+eval UPDATE aes_$block_mode SET b256 = AES_ENCRYPT(a, @KEY1, @IVA);
+
+--echo # must return 0
+eval SELECT COUNT(*) FROM aes_$block_mode WHERE b128 = b192 OR B192 = b256 OR b128=b256;
+
+eval SET SESSION block_encryption_mode="aes-256-$block_mode";
+
+--echo # must return 2
+eval SELECT COUNT(*) FROM aes_$block_mode WHERE a = AES_DECRYPT(b256, @KEY1, @IVA);
+
+--echo # must return 0
+eval SELECT COUNT(*) FROM aes_$block_mode WHERE a = AES_DECRYPT(b256, 'b', @IVA);
+
+--echo # must return 0
+eval SELECT COUNT(*) FROM aes_$block_mode WHERE a = AES_DECRYPT(b256, @KEY1, @IVB);
+
+eval SET SESSION block_encryption_mode="aes-192-$block_mode";
+
+--echo # must return 2
+eval SELECT COUNT(*) FROM aes_$block_mode WHERE a = AES_DECRYPT(b192, @KEY1, @IVA);
+
+--echo # must return 0
+eval SELECT COUNT(*) FROM aes_$block_mode WHERE a = AES_DECRYPT(b192, @KEY2, @IVA);
+
+--echo # must return 0
+eval SELECT COUNT(*) FROM aes_$block_mode WHERE a = AES_DECRYPT(b256, @KEY1, @IVB);
+
+eval SET SESSION block_encryption_mode="aes-128-$block_mode";
+
+--echo # must return 2
+eval SELECT COUNT(*) FROM aes_$block_mode WHERE a = AES_DECRYPT(b128, @KEY1, @IVA);
+
+--echo # must return 0
+eval SELECT COUNT(*) FROM aes_$block_mode WHERE a = AES_DECRYPT(b128, @KEY2, @IVA);
+
+--echo # must return 0
+eval SELECT COUNT(*) FROM aes_$block_mode WHERE a = AES_DECRYPT(b256, @KEY2, @IVB);
+
+
+SET SESSION block_encryption_mode=DEFAULT;
+eval DROP TABLE aes_$block_mode;