MDEV-9069 extend AES_ENCRYPT() and AES_DECRYPT() to support IV and the algorithm

AES_ENCRYPT(str, key, [, iv [, mode ]]) AES_DECRYPT(str, key, [, iv [, mode ]]) mode is aes-{128,192,256}-{ecb,cbc,ctr} e.g. "aes-128-cbc". and a @@block_encryption_mode variable for the default value of mode change in behavior: AES_ENCRYPT(str, key) can no longer be used in persistent virtual columns (and alike)

MDEV-9069 extend AES_ENCRYPT() and AES_DECRYPT() to support IV and the algorithm
AES_ENCRYPT(str, key, [, iv [, mode ]]) AES_DECRYPT(str, key, [, iv [, mode ]]) mode is aes-{128,192,256}-{ecb,cbc,ctr} e.g. "aes-128-cbc". and a @@block_encryption_mode variable for the default value of mode change in behavior: AES_ENCRYPT(str, key) can no longer be used in persistent virtual columns (and alike)
5de39c5a · Sergei Golubchik · f94d467d · 5de39c5a · 5de39c5a · 5de39c5a
Commit 5de39c5a authored Jun 13, 2023 by Sergei Golubchik
13 changed files
--- a/mysql-test/main/func_str.result
+++ b/mysql-test/main/func_str.result
@@ -5448,3 +5448,69 @@ Warning	1292	Truncated incorrect BINARY(2) value: '...random bytes...'
 #
 # End of 10.10 tests
 #
+#
+# MDEV-9069 extend AES_ENCRYPT() and AES_DECRYPT() to support IV and the algorithm
+#
+select aes_encrypt('foo', 'bar', '1234') = aes_encrypt('foo', 'bar') `expected 1`;
+expected 1
+1
+select aes_encrypt('foo', 'bar', NULL, 'aes-128-ecb') = aes_encrypt('foo', 'bar') `expected 1`;
+expected 1
+1
+select aes_encrypt(1);
+ERROR 42000: Incorrect parameter count in the call to native function 'aes_encrypt'
+select aes_encrypt(1,2,3,4,5);
+ERROR 42000: Incorrect parameter count in the call to native function 'aes_encrypt'
+select aes_encrypt('foo', 'bar', '0123', 'something');
+aes_encrypt('foo', 'bar', '0123', 'something')
+NULL
+select aes_encrypt('foo', 'bar', '0123', 'aes-111-ecb');
+aes_encrypt('foo', 'bar', '0123', 'aes-111-ecb')
+NULL
+select aes_encrypt('foo', 'bar', '0123', 'aes-128-bar');
+aes_encrypt('foo', 'bar', '0123', 'aes-128-bar')
+NULL
+select aes_encrypt('foo', 'bar', '0123', 'aes-128-cbc');
+aes_encrypt('foo', 'bar', '0123', 'aes-128-cbc')
+NULL
+select hex(aes_encrypt('foo', 'bar', '0123456789abcdef', 'aes-256-cbc')) `x`;
+x
+42A3EB91E6DFC40A900D278F99E0726E
+select aes_decrypt(x'42A3EB91E6DFC40A900D278F99E0726E', 'bar', '0123456789abcdef###', 'AES-256-CBC') `expected foo`;
+expected foo
+foo
+select hex(aes_encrypt('foo', 'bar', '0123456789abcdef', 'aes-128-ctr')) `x`;
+x
+C57C4B
+select aes_decrypt(x'C57C4B', 'bar', '0123456789abcdef', 'aes-128-ctr') `expected foo`;
+expected foo
+foo
+set @@block_encryption_mode='aes-128-ctr';
+select aes_decrypt(x'C57C4B', 'bar', '0123456789abcdef');
+aes_decrypt(x'C57C4B', 'bar', '0123456789abcdef')
+foo
+set @@block_encryption_mode='aes-192-cbc';
+select hex(aes_encrypt('foo', 'bar'));
+hex(aes_encrypt('foo', 'bar'))
+NULL
+select hex(aes_encrypt('foo', 'bar', 'abcdefghabcdefgh'));
+hex(aes_encrypt('foo', 'bar', 'abcdefghabcdefgh'))
+9E6F76516B4DE68FED7A77632FC0913D
+select aes_decrypt(x'9E6F76516B4DE68FED7A77632FC0913D', 'bar', 'abcdefghabcdefgh') `expected foo`;
+expected foo
+foo
+select aes_decrypt(x'00000000000000011111111111111111', 'bar', 'abcdefghabcdefgh') `expected NULL`;
+expected NULL
+NULL
+select aes_decrypt(x'9E6F76516B4DE68FED7A77632FC0913D', 'bar', '0000000011111111') `expected NULL`;
+expected NULL
+NULL
+select aes_decrypt(x'9E6F76516B4DE68FED7A77632FC0913D', 'bar', 'abcdefghabcdefgh', 'aes-128-ecb') `expected NULL`;
+expected NULL
+NULL
+select hex(aes_decrypt(x'9E6F76516B4DE68FED7A77632FC0913D', 'bar', 'abcdefghabcdefgh', 'aes-128-ctr')) `expected garbage`;
+expected garbage
+98D7BC3151620F384B0A953686AF37C9
+#
+# End of 11.2 tests
+#
--- a/mysql-test/main/func_str.test
+++ b/mysql-test/main/func_str.test
@@ -2420,3 +2420,42 @@ select "a" in ("abc", (convert(random_bytes(8) ,binary(2))));
 --echo #
 --echo # End of 10.10 tests
 --echo #
+
+--echo #
+--echo # MDEV-9069 extend AES_ENCRYPT() and AES_DECRYPT() to support IV and the algorithm
+--echo #
+select aes_encrypt('foo', 'bar', '1234') = aes_encrypt('foo', 'bar') `expected 1`;
+select aes_encrypt('foo', 'bar', NULL, 'aes-128-ecb') = aes_encrypt('foo', 'bar') `expected 1`;
+
+--error ER_WRONG_PARAMCOUNT_TO_NATIVE_FCT
+select aes_encrypt(1);
+--error ER_WRONG_PARAMCOUNT_TO_NATIVE_FCT
+select aes_encrypt(1,2,3,4,5);
+select aes_encrypt('foo', 'bar', '0123', 'something');
+select aes_encrypt('foo', 'bar', '0123', 'aes-111-ecb');
+select aes_encrypt('foo', 'bar', '0123', 'aes-128-bar');
+select aes_encrypt('foo', 'bar', '0123', 'aes-128-cbc');
+select hex(aes_encrypt('foo', 'bar', '0123456789abcdef', 'aes-256-cbc')) `x`;
+select aes_decrypt(x'42A3EB91E6DFC40A900D278F99E0726E', 'bar', '0123456789abcdef###', 'AES-256-CBC') `expected foo`;
+select hex(aes_encrypt('foo', 'bar', '0123456789abcdef', 'aes-128-ctr')) `x`;
+select aes_decrypt(x'C57C4B', 'bar', '0123456789abcdef', 'aes-128-ctr') `expected foo`;
+
+set @@block_encryption_mode='aes-128-ctr';
+select aes_decrypt(x'C57C4B', 'bar', '0123456789abcdef');
+set @@block_encryption_mode='aes-192-cbc';
+select hex(aes_encrypt('foo', 'bar'));
+select hex(aes_encrypt('foo', 'bar', 'abcdefghabcdefgh'));
+select aes_decrypt(x'9E6F76516B4DE68FED7A77632FC0913D', 'bar', 'abcdefghabcdefgh') `expected foo`;
+
+# wrong key
+select aes_decrypt(x'00000000000000011111111111111111', 'bar', 'abcdefghabcdefgh') `expected NULL`;
+# wrong iv
+select aes_decrypt(x'9E6F76516B4DE68FED7A77632FC0913D', 'bar', '0000000011111111') `expected NULL`;
+# wrong alg
+select aes_decrypt(x'9E6F76516B4DE68FED7A77632FC0913D', 'bar', 'abcdefghabcdefgh', 'aes-128-ecb') `expected NULL`;
+# but ctr doesn't use padding, so:
+select hex(aes_decrypt(x'9E6F76516B4DE68FED7A77632FC0913D', 'bar', 'abcdefghabcdefgh', 'aes-128-ctr')) `expected garbage`;
+
+--echo #
+--echo # End of 11.2 tests
+--echo #
--- a/mysql-test/main/mysqld--help.result
+++ b/mysql-test/main/mysqld--help.result
@@ -136,6 +136,11 @@ The following specify which files/extra groups are read (specified before remain
 non-transactional engines for the binary log. If you
 often use statements updating a great number of rows, you
 can increase this to get more performance.
+ --block-encryption-mode=name 
+ Default block encryption mode for AES_ENCRYPT() and
+ AES_DECRYPT() functions. One of: aes-128-ecb, aes-192-ecb,
+ aes-256-ecb, aes-128-cbc, aes-192-cbc, aes-256-cbc, 
+ aes-128-ctr, aes-192-ctr, aes-256-ctr
 --bootstrap         Used by mysql installation scripts.
 --bulk-insert-buffer-size=# 
 Size of tree cache used in bulk insert optimisation. Note
@@ -1570,6 +1575,7 @@ binlog-row-event-max-size 8192
 binlog-row-image FULL
 binlog-row-metadata NO_LOG
 binlog-stmt-cache-size 32768
+block-encryption-mode aes-128-ecb
 bulk-insert-buffer-size 8388608
 character-set-client-handshake TRUE
 character-set-collations 

--- a/mysql-test/suite/sys_vars/r/sysvars_server_embedded,32bit.rdiff
+++ b/mysql-test/suite/sys_vars/r/sysvars_server_embedded,32bit.rdiff
--- a/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result
+++ b/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result
@@ -472,6 +472,16 @@ NUMERIC_BLOCK_SIZE	4096
 ENUM_VALUE_LIST	NULL
 READ_ONLY	NO
 COMMAND_LINE_ARGUMENT	REQUIRED
+VARIABLE_NAME	BLOCK_ENCRYPTION_MODE
+VARIABLE_SCOPE	SESSION
+VARIABLE_TYPE	ENUM
+VARIABLE_COMMENT	Default block encryption mode for AES_ENCRYPT() and AES_DECRYPT() functions
+NUMERIC_MIN_VALUE	NULL
+NUMERIC_MAX_VALUE	NULL
+NUMERIC_BLOCK_SIZE	NULL
+ENUM_VALUE_LIST	aes-128-ecb,aes-192-ecb,aes-256-ecb,aes-128-cbc,aes-192-cbc,aes-256-cbc,aes-128-ctr,aes-192-ctr,aes-256-ctr
+READ_ONLY	NO
+COMMAND_LINE_ARGUMENT	REQUIRED
 VARIABLE_NAME	BULK_INSERT_BUFFER_SIZE
 VARIABLE_SCOPE	SESSION
 VARIABLE_TYPE	BIGINT UNSIGNED

--- a/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result
+++ b/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result
@@ -512,6 +512,16 @@ NUMERIC_BLOCK_SIZE	4096
 ENUM_VALUE_LIST	NULL
 READ_ONLY	NO
 COMMAND_LINE_ARGUMENT	REQUIRED
+VARIABLE_NAME	BLOCK_ENCRYPTION_MODE
+VARIABLE_SCOPE	SESSION
+VARIABLE_TYPE	ENUM
+VARIABLE_COMMENT	Default block encryption mode for AES_ENCRYPT() and AES_DECRYPT() functions
+NUMERIC_MIN_VALUE	NULL
+NUMERIC_MAX_VALUE	NULL
+NUMERIC_BLOCK_SIZE	NULL
+ENUM_VALUE_LIST	aes-128-ecb,aes-192-ecb,aes-256-ecb,aes-128-cbc,aes-192-cbc,aes-256-cbc,aes-128-ctr,aes-192-ctr,aes-256-ctr
+READ_ONLY	NO
+COMMAND_LINE_ARGUMENT	REQUIRED
 VARIABLE_NAME	BULK_INSERT_BUFFER_SIZE
 VARIABLE_SCOPE	SESSION
 VARIABLE_TYPE	BIGINT UNSIGNED

--- a/mysql-test/suite/vcol/r/vcol_blocked_sql_funcs.result
+++ b/mysql-test/suite/vcol/r/vcol_blocked_sql_funcs.result
 SET @@session.default_storage_engine = 'MyISAM';
+# AES_ENCRYPT() without the mode (4th argument)
+create or replace table t1 (b blob as (aes_encrypt('abc', 'bcd')) PERSISTENT);
+ERROR HY000: Function or expression 'aes_encrypt()' cannot be used in the GENERATED ALWAYS AS clause of `b`
+create or replace table t1 (b blob as (aes_encrypt('abc', 'bcd','def')) PERSISTENT);
+ERROR HY000: Function or expression 'aes_encrypt()' cannot be used in the GENERATED ALWAYS AS clause of `b`
+create or replace table t1 (b blob as (aes_decrypt('abc', 'bcd')) PERSISTENT);
+ERROR HY000: Function or expression 'aes_decrypt()' cannot be used in the GENERATED ALWAYS AS clause of `b`
+create or replace table t1 (b blob as (aes_decrypt('abc', 'bcd','def')) PERSISTENT);
+ERROR HY000: Function or expression 'aes_decrypt()' cannot be used in the GENERATED ALWAYS AS clause of `b`
 # RAND()
 create or replace table t1 (b double as (rand()));
 create or replace table t1 (b double as (rand()) PERSISTENT);

--- a/mysql-test/suite/vcol/t/vcol_blocked_sql_funcs_main.inc
+++ b/mysql-test/suite/vcol/t/vcol_blocked_sql_funcs_main.inc
@@ -19,6 +19,16 @@
 # to check for things that should not work for either VIRTUAL or PERSISTENT
 #

+--echo # AES_ENCRYPT() without the mode (4th argument)
+-- error ER_GENERATED_COLUMN_FUNCTION_IS_NOT_ALLOWED
+create or replace table t1 (b blob as (aes_encrypt('abc', 'bcd')) PERSISTENT);
+-- error ER_GENERATED_COLUMN_FUNCTION_IS_NOT_ALLOWED
+create or replace table t1 (b blob as (aes_encrypt('abc', 'bcd','def')) PERSISTENT);
+-- error ER_GENERATED_COLUMN_FUNCTION_IS_NOT_ALLOWED
+create or replace table t1 (b blob as (aes_decrypt('abc', 'bcd')) PERSISTENT);
+-- error ER_GENERATED_COLUMN_FUNCTION_IS_NOT_ALLOWED
+create or replace table t1 (b blob as (aes_decrypt('abc', 'bcd','def')) PERSISTENT);
+
 --echo # RAND()
 create or replace table t1 (b double as (rand()));
 -- error ER_GENERATED_COLUMN_FUNCTION_IS_NOT_ALLOWED

--- a/sql/item_create.cc
+++ b/sql/item_create.cc
@@ -141,10 +141,11 @@ class Create_func_addtime : public Create_func_arg2
 };


-class Create_func_aes_encrypt : public Create_func_arg2
+class Create_func_aes_encrypt : public Create_native_func
 {
 public:
-  virtual Item *create_2_arg(THD *thd, Item *arg1, Item *arg2);
+  virtual Item *create_native(THD *thd, const LEX_CSTRING *name,
+                              List<Item> *item_list);

  static Create_func_aes_encrypt s_singleton;

@@ -154,10 +155,11 @@ class Create_func_aes_encrypt : public Create_func_arg2
 };


-class Create_func_aes_decrypt : public Create_func_arg2
+class Create_func_aes_decrypt : public Create_native_func
 {
 public:
-  virtual Item *create_2_arg(THD *thd, Item *arg1, Item *arg2);
+  virtual Item *create_native(THD *thd, const LEX_CSTRING *name,
+                              List<Item> *item_list);

  static Create_func_aes_decrypt s_singleton;

@@ -2953,18 +2955,48 @@ Create_func_addtime::create_2_arg(THD *thd, Item *arg1, Item *arg2)
 Create_func_aes_encrypt Create_func_aes_encrypt::s_singleton;

 Item*
-Create_func_aes_encrypt::create_2_arg(THD *thd, Item *arg1, Item *arg2)
+Create_func_aes_encrypt::create_native(THD *thd, const LEX_CSTRING *name,
+                                       List<Item> *item_list)
 {
-  return new (thd->mem_root) Item_func_aes_encrypt(thd, arg1, arg2);
+  uint arg_count= item_list->elements;
+  Item *a[4];
+  for (uint i=0; i < MY_MIN(array_elements(a), arg_count); i++)
+    a[i]= item_list->pop();
+  switch (arg_count)
+  {
+  case 2:
+    return new (thd->mem_root) Item_func_aes_encrypt(thd, a[0], a[1]);
+  case 3:
+    return new (thd->mem_root) Item_func_aes_encrypt(thd, a[0], a[1], a[2]);
+  case 4:
+    return new (thd->mem_root) Item_func_aes_encrypt(thd, a[0], a[1], a[2], a[3]);
+  }
+  my_error(ER_WRONG_PARAMCOUNT_TO_NATIVE_FCT, MYF(0), name->str);
+  return NULL;
 }


 Create_func_aes_decrypt Create_func_aes_decrypt::s_singleton;

 Item*
-Create_func_aes_decrypt::create_2_arg(THD *thd, Item *arg1, Item *arg2)
+Create_func_aes_decrypt::create_native(THD *thd, const LEX_CSTRING *name,
+                                       List<Item> *item_list)
 {
-  return new (thd->mem_root) Item_func_aes_decrypt(thd, arg1, arg2);
+  uint arg_count= item_list->elements;
+  Item *a[4];
+  for (uint i=0; i < MY_MIN(array_elements(a), arg_count); i++)
+    a[i]= item_list->pop();
+  switch (arg_count)
+  {
+  case 2:
+    return new (thd->mem_root) Item_func_aes_decrypt(thd, a[0], a[1]);
+  case 3:
+    return new (thd->mem_root) Item_func_aes_decrypt(thd, a[0], a[1], a[2]);
+  case 4:
+    return new (thd->mem_root) Item_func_aes_decrypt(thd, a[0], a[1], a[2], a[3]);
+  }
+  my_error(ER_WRONG_PARAMCOUNT_TO_NATIVE_FCT, MYF(0), name->str);
+  return NULL;
 }



--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -54,6 +54,7 @@ C_MODE_END
 #include "sql_show.h"                           // append_identifier
 #include <sql_repl.h>
 #include "sql_statistics.h"
+#include "strfunc.h"

 /* fmtlib include (https://fmt.dev/). */
 #define FMT_STATIC_THOUSANDS_SEPARATOR ','
@@ -309,24 +310,54 @@ bool Item_func_sha2::fix_length_and_dec(THD *thd)
    break;
  default:
    THD *thd= current_thd;
-    push_warning_printf(thd,
-                        Sql_condition::WARN_LEVEL_WARN,
+    push_warning_printf(thd, Sql_condition::WARN_LEVEL_WARN,
                        ER_WRONG_PARAMETERS_TO_NATIVE_FCT,
-                        ER_THD(thd, ER_WRONG_PARAMETERS_TO_NATIVE_FCT),
-                        "sha2");
+                        ER_THD(thd, ER_WRONG_PARAMETERS_TO_NATIVE_FCT), "sha2");
  }
  return FALSE;
 }

+const char *block_encryption_mode_values[]= {
+  "aes-128-ecb", "aes-192-ecb", "aes-256-ecb",
+  "aes-128-cbc", "aes-192-cbc", "aes-256-cbc",
+  "aes-128-ctr", "aes-192-ctr", "aes-256-ctr",
+  NullS };
+TYPELIB block_encryption_mode_typelib= {9, 0, block_encryption_mode_values, 0};
+static inline uint block_encryption_mode_to_key_length(ulong bem)
+{ return (bem % 3 + 2) * 64; }
+static inline my_aes_mode block_encryption_mode_to_aes_mode(ulong bem)
+{ return (my_aes_mode)(bem / 3); }
+
 /* Implementation of AES encryption routines */
+int Item_aes_crypt::parse_mode()
+{
+  StringBuffer<80> buf;
+  String *ptr= args[3]->val_str_ascii(&buf);
+  ulong bem;
+
+  if (ptr == NULL)
+    goto err;
+
+  bem= find_type(&block_encryption_mode_typelib, ptr->ptr(), ptr->length(), 0);
+  if (!bem)
+    goto err;
+
+  aes_key_length= block_encryption_mode_to_key_length(bem - 1);
+  aes_mode= block_encryption_mode_to_aes_mode(bem - 1);
+  return 0;
+err:
+  return 1;
+}
+
+
 void Item_aes_crypt::create_key(String *user_key, uchar *real_key)
 {
-  uchar *real_key_end= real_key + AES_KEY_LENGTH / 8;
+  uchar *real_key_end= real_key + aes_key_length / 8;
  uchar *ptr;
  const char *sptr= user_key->ptr();
  const char *key_end= sptr + user_key->length();

-  bzero(real_key, AES_KEY_LENGTH / 8);
+  bzero(real_key, aes_key_length / 8);

  for (ptr= real_key; sptr < key_end; ptr++, sptr++)
  {
@@ -340,24 +371,36 @@ void Item_aes_crypt::create_key(String *user_key, uchar *real_key)
 String *Item_aes_crypt::val_str(String *str2)
 {
  DBUG_ASSERT(fixed());
-  StringBuffer<80> user_key_buf;
+  StringBuffer<80> user_key_buf, iv_buf;
  String *sptr= args[0]->val_str(&tmp_value);
-  String *user_key=  args[1]->val_str(&user_key_buf);
+  String *user_key= args[1]->val_str(&user_key_buf);
+  String *iv= NULL;
  uint32 aes_length;

  if (sptr && user_key) // we need both arguments to be not NULL
  {
-    null_value=0;
-    aes_length=my_aes_get_size(MY_AES_ECB, sptr->length());
+    if (arg_count > 3 && (null_value= parse_mode()))
+      return 0;
+
+    if (aes_mode != MY_AES_ECB)
+    {
+      if (arg_count > 2)
+        iv= args[2]->val_str(&iv_buf);
+      if ((null_value= (!iv || iv->length() < MY_AES_BLOCK_SIZE)))
+        return 0;
+    }
+
+    aes_length=my_aes_get_size(aes_mode, sptr->length());

    if (!str2->alloc(aes_length))		// Ensure that memory is free
    {
-      uchar rkey[AES_KEY_LENGTH / 8];
+      uchar *rkey= (uchar*)alloca(aes_key_length / 8);
      create_key(user_key, rkey);

-      if (!my_aes_crypt(MY_AES_ECB, what, (uchar*)sptr->ptr(), sptr->length(),
+      if (!my_aes_crypt(aes_mode, what, (uchar*)sptr->ptr(), sptr->length(),
                 (uchar*)str2->ptr(), &aes_length,
-                 rkey, AES_KEY_LENGTH / 8, 0, 0))
+                 rkey, aes_key_length / 8,
+                 iv ? (uchar*)iv->ptr() : 0, iv ? iv->length() : 0))
      {
        str2->length((uint) aes_length);
        DBUG_ASSERT(collation.collation == &my_charset_bin);
@@ -370,20 +413,23 @@ String *Item_aes_crypt::val_str(String *str2)
  return 0;
 }

+bool Item_aes_crypt::fix_fields(THD *thd, Item **ref)
+{
+  aes_key_length= block_encryption_mode_to_key_length(thd->variables.block_encryption_mode);
+  aes_mode= block_encryption_mode_to_aes_mode(thd->variables.block_encryption_mode);
+  return  Item_str_binary_checksum_func::fix_fields(thd, ref);
+}
+
 bool Item_func_aes_encrypt::fix_length_and_dec(THD *thd)
 {
  max_length=my_aes_get_size(MY_AES_ECB, args[0]->max_length);
-  what= ENCRYPTION_FLAG_ENCRYPT;
  return FALSE;
 }

-
-
 bool Item_func_aes_decrypt::fix_length_and_dec(THD *thd)
 {
  max_length=args[0]->max_length;
  set_maybe_null();
-  what= ENCRYPTION_FLAG_DECRYPT;
  return FALSE;
 }


--- a/sql/item_strfunc.h
+++ b/sql/item_strfunc.h
@@ -129,6 +129,10 @@ class Item_str_binary_checksum_func: public Item_str_func
   :Item_str_func(thd, a) { }
  Item_str_binary_checksum_func(THD *thd, Item *a, Item *b)
   :Item_str_func(thd, a, b) { }
+  Item_str_binary_checksum_func(THD *thd, Item *a, Item *b, Item *c)
+   :Item_str_func(thd, a, b, c) { }
+  Item_str_binary_checksum_func(THD *thd, Item *a, Item *b, Item *c, Item *d)
+   :Item_str_func(thd, a, b, c, d) { }
  bool eq(const Item *item, bool binary_cmp) const
  {
    /*
@@ -229,23 +233,39 @@ class Item_func_from_base64 :public Item_str_binary_checksum_func

 class Item_aes_crypt :public Item_str_binary_checksum_func
 {
-  enum { AES_KEY_LENGTH = 128 };
  void create_key(String *user_key, uchar* key);
-
-protected:
-  int what;
+  int parse_mode();
  String tmp_value;
+  const int what;
+  uint aes_key_length;
+  enum my_aes_mode aes_mode;
+
 public:
-  Item_aes_crypt(THD *thd, Item *a, Item *b)
-   :Item_str_binary_checksum_func(thd, a, b) {}
-  String *val_str(String *);
+  Item_aes_crypt(THD *thd, int what, Item *a, Item *b)
+   : Item_str_binary_checksum_func(thd, a, b), what(what) {}
+  Item_aes_crypt(THD *thd, int what, Item *a, Item *b, Item *c)
+   : Item_str_binary_checksum_func(thd, a, b, c), what(what) {}
+  Item_aes_crypt(THD *thd, int what, Item *a, Item *b, Item *c, Item *d)
+   : Item_str_binary_checksum_func(thd, a, b, c, d), what(what) {}
+  bool fix_fields(THD *thd, Item **ref) override;
+  String *val_str(String *) override;
+  bool check_vcol_func_processor(void *arg) override
+  {
+    if (arg_count > 3)
+      return FALSE;
+    return mark_unsupported_function(func_name(), "()", arg, VCOL_SESSION_FUNC);
+  }
 };

 class Item_func_aes_encrypt :public Item_aes_crypt
 {
 public:
  Item_func_aes_encrypt(THD *thd, Item *a, Item *b)
-   :Item_aes_crypt(thd, a, b) {}
+   :Item_aes_crypt(thd, ENCRYPTION_FLAG_ENCRYPT, a, b) {}
+  Item_func_aes_encrypt(THD *thd, Item *a, Item *b, Item *c)
+   :Item_aes_crypt(thd, ENCRYPTION_FLAG_ENCRYPT, a, b, c) {}
+  Item_func_aes_encrypt(THD *thd, Item *a, Item *b, Item *c, Item *d)
+   :Item_aes_crypt(thd, ENCRYPTION_FLAG_ENCRYPT, a, b, c, d) {}
  bool fix_length_and_dec(THD *thd) override;
  LEX_CSTRING func_name_cstring() const override
  {
@@ -260,7 +280,11 @@ class Item_func_aes_decrypt :public Item_aes_crypt
 {
 public:
  Item_func_aes_decrypt(THD *thd, Item *a, Item *b):
-    Item_aes_crypt(thd, a, b) {}
+    Item_aes_crypt(thd, ENCRYPTION_FLAG_DECRYPT, a, b) {}
+  Item_func_aes_decrypt(THD *thd, Item *a, Item *b, Item *c):
+    Item_aes_crypt(thd, ENCRYPTION_FLAG_DECRYPT, a, b, c) {}
+  Item_func_aes_decrypt(THD *thd, Item *a, Item *b, Item *c, Item *d):
+    Item_aes_crypt(thd, ENCRYPTION_FLAG_DECRYPT, a, b, c, d) {}
  bool fix_length_and_dec(THD *thd) override;
  LEX_CSTRING func_name_cstring() const override
  {

--- a/sql/sql_class.h
+++ b/sql/sql_class.h
@@ -781,6 +781,7 @@ typedef struct system_variables
  ulong trans_alloc_block_size;
  ulong trans_prealloc_size;
  ulong log_warnings;
+  ulong block_encryption_mode;
  /* Flags for slow log filtering */
  ulong log_slow_rate_limit; 
  ulong binlog_format; ///< binlog format for this thd (see enum_binlog_format)

--- a/sql/sys_vars.cc
+++ b/sql/sys_vars.cc
@@ -7174,3 +7174,10 @@ static Sys_var_optimizer_cost Sys_optimizer_scan_cost(
  CMD_LINE(REQUIRED_ARG),
  VALID_RANGE(0, 100000000), DEFAULT(DEFAULT_TABLE_SCAN_SETUP_COST),
  COST_ADJUST(1000));
+
+extern const char *block_encryption_mode_values[];
+static Sys_var_enum Sys_block_encryption_mode(
+  "block_encryption_mode", "Default block encryption mode for "
+  "AES_ENCRYPT() and AES_DECRYPT() functions",
+  SESSION_VAR(block_encryption_mode), CMD_LINE(REQUIRED_ARG),
+  block_encryption_mode_values, DEFAULT(0));