Addition of password encryption and decryption for passwords stored in the configuration file

This commit is contained in:
Mark Riddoch
2013-07-24 14:01:01 +02:00
parent faf58a3038
commit 01441dba64
14 changed files with 444 additions and 106 deletions


@ -1,3 +1,5 @@
core/tags core/tags
gateway gateway
core/maxscale core/maxscale
core/maxkeys
core/maxpasswd


@ -32,6 +32,7 @@
# are behind SS_DEBUG macros. # are behind SS_DEBUG macros.
# 29/06/13 Vilho Raatikka Reverted Query classifier changes because # 29/06/13 Vilho Raatikka Reverted Query classifier changes because
# gateway needs mysql client lib, not qc. # gateway needs mysql client lib, not qc.
# 24/07/13 Mark Ridoch Addition of encryption routines
include ../../build_gateway.inc include ../../build_gateway.inc
@ -54,7 +55,7 @@ LDFLAGS=-rdynamic -L$(LOGPATH) \
SRCS= atomic.c buffer.c spinlock.c gateway.c gateway_mysql_protocol.c \ SRCS= atomic.c buffer.c spinlock.c gateway.c gateway_mysql_protocol.c \
gw_utils.c utils.c dcb.c load_utils.c session.c service.c server.c \ gw_utils.c utils.c dcb.c load_utils.c session.c service.c server.c \
poll.c config.c users.c hashtable.c dbusers.c thread.c gwbitmask.c \ poll.c config.c users.c hashtable.c dbusers.c thread.c gwbitmask.c \
monitor.c adminusers.c monitor.c adminusers.c secrets.c
HDRS= ../include/atomic.h ../include/buffer.h ../include/dcb.h \ HDRS= ../include/atomic.h ../include/buffer.h ../include/dcb.h \
../include/gateway_mysql.h ../include/gw.h ../include/mysql_protocol.h \ ../include/gateway_mysql.h ../include/gw.h ../include/mysql_protocol.h \
@ -65,14 +66,25 @@ HDRS= ../include/atomic.h ../include/buffer.h ../include/dcb.h \
OBJ=$(SRCS:.c=.o) OBJ=$(SRCS:.c=.o)
KOBJS=maxkeys.o secrets.o utils.o
POBJS=maxpasswd.o secrets.o utils.o
LIBS=-L../inih/extra -linih -lssl -lstdc++ \ LIBS=-L../inih/extra -linih -lssl -lstdc++ \
-L$(MARIADB_SRC_PATH)/libmysqld \ -L$(MARIADB_SRC_PATH)/libmysqld \
-lz -lm -lcrypt -lcrypto -ldl -pthread -llog_manager \ -lz -lm -lcrypt -lcrypto -ldl -pthread -llog_manager \
-lmysqld -lmysqld
all: maxscale maxkeys maxpasswd
maxscale: $(OBJ) maxscale: $(OBJ)
$(CC) $(LDFLAGS) $(OBJ) $(UTILSPATH)/skygw_utils.o $(LIBS) -o $@ $(CC) $(LDFLAGS) $(OBJ) $(UTILSPATH)/skygw_utils.o $(LIBS) -o $@
maxkeys: $(KOBJS)
$(CC) $(LDFLAGS) $(KOBJS) $(UTILSPATH)/skygw_utils.o $(LIBS) -o $@
maxpasswd: $(POBJS)
$(CC) $(LDFLAGS) $(POBJS) $(UTILSPATH)/skygw_utils.o $(LIBS) -o $@
.c.o: .c.o:
$(CC) $(CFLAGS) $< -o $@ $(CC) $(CFLAGS) $< -o $@
@ -87,7 +99,7 @@ depend:
@rm -f depend.mk @rm -f depend.mk
cc -M $(CFLAGS) $(SRCS) > depend.mk cc -M $(CFLAGS) $(SRCS) > depend.mk
install: maxscale install: maxscale maxkeys maxpasswd
@mkdir -p $(DEST)/bin @mkdir -p $(DEST)/bin
install -D $< $(DEST)/bin install -D $< $(DEST)/bin
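Review bot: The install target now lists maxkeys and maxpasswd as prerequisites, but `install -D $< $(DEST)/bin` still copies only `$<`, the first prerequisite, so the two new tools are built and then never installed. Use `$^` so every prerequisite is copied: `install $^ $(DEST)/bin` (the directory is created on the line before, so `-D`, which treats its destination as a single file, is not needed for a multi-file copy). The rest of the install recipe is outside the hunk.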


@ -36,6 +36,7 @@
#include <users.h> #include <users.h>
#include <skygw_utils.h> #include <skygw_utils.h>
#include <log_manager.h> #include <log_manager.h>
#include <secrets.h>
static int getUsers(SERVICE *service, struct users *users); static int getUsers(SERVICE *service, struct users *users);
@ -94,6 +95,7 @@ getUsers(SERVICE *service, struct users *users)
int num_fields = 0; int num_fields = 0;
char *service_user = NULL; char *service_user = NULL;
char *service_passwd = NULL; char *service_passwd = NULL;
char *dpwd;
int total_users = 0; int total_users = 0;
SERVER *server; SERVER *server;
@ -122,10 +124,11 @@ getUsers(SERVICE *service, struct users *users)
* to try * to try
*/ */
server = service->databases; server = service->databases;
dpwd = decryptPassword(service_passwd);
while (server && mysql_real_connect(con, while (server && mysql_real_connect(con,
server->name, server->name,
service_user, service_user,
service_passwd, dpwd,
NULL, NULL,
server->port, server->port,
NULL, NULL,
@ -133,6 +136,7 @@ getUsers(SERVICE *service, struct users *users)
{ {
server = server->nextdb; server = server->nextdb;
} }
free(dpwd);
if (server == NULL) if (server == NULL)
{ {
skygw_log_write(NULL, LOGFILE_ERROR, skygw_log_write(NULL, LOGFILE_ERROR,
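Review bot: `dpwd = decryptPassword(service_passwd)` is handed straight to mysql_real_connect, but decryptPassword returns NULL when its malloc fails, so the connect loop can now receive a NULL password where the old code always passed a string; a guard such as `if (dpwd == NULL) return -1;` (or whatever failure value getUsers uses — its return convention is outside the hunk) belongs before the loop. The same unchecked use appears in the two monitor modules' hunks further down this commit. Since dpwd holds a plaintext credential, clearing it before `free(dpwd)` (explicit_bzero where available, since a plain memset before free may be optimised away) would limit how long it lingers in freed heap memory. getUsers begins and ends outside this hunk.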


@ -228,7 +228,16 @@ utils.o: utils.c ../include/gw.h /usr/include/stdio.h \
../include/session.h ../include/mysql_protocol.h \ ../include/session.h ../include/mysql_protocol.h \
/usr/include/openssl/sha.h /usr/include/openssl/e_os2.h \ /usr/include/openssl/sha.h /usr/include/openssl/e_os2.h \
/usr/include/openssl/opensslconf.h \ /usr/include/openssl/opensslconf.h \
/usr/include/openssl/opensslconf-x86_64.h ../include/poll.h /usr/include/openssl/opensslconf-x86_64.h ../include/poll.h \
/home/mriddoch/Repository/skygateway/utils/skygw_utils.h \
/home/mriddoch/Repository/skygateway/utils/skygw_types.h \
/usr/include/math.h /usr/include/bits/huge_val.h \
/usr/include/bits/huge_valf.h /usr/include/bits/huge_vall.h \
/usr/include/bits/inf.h /usr/include/bits/nan.h \
/usr/include/bits/mathdef.h /usr/include/bits/mathcalls.h \
/home/mriddoch/Repository/skygateway/utils/skygw_debug.h \
/usr/include/assert.h \
/home/mriddoch/Repository/skygateway/log_manager/log_manager.h
dcb.o: dcb.c /usr/include/stdio.h /usr/include/features.h \ dcb.o: dcb.c /usr/include/stdio.h /usr/include/features.h \
/usr/include/sys/cdefs.h /usr/include/bits/wordsize.h \ /usr/include/sys/cdefs.h /usr/include/bits/wordsize.h \
/usr/include/gnu/stubs.h /usr/include/gnu/stubs-64.h \ /usr/include/gnu/stubs.h /usr/include/gnu/stubs-64.h \
@ -277,7 +286,16 @@ dcb.o: dcb.c /usr/include/stdio.h /usr/include/features.h \
/usr/include/arpa/inet.h \ /usr/include/arpa/inet.h \
/usr/lib/gcc/x86_64-redhat-linux/4.4.6/include/stdbool.h \ /usr/lib/gcc/x86_64-redhat-linux/4.4.6/include/stdbool.h \
../include/gateway_mysql.h ../include/mysql_protocol.h ../include/dcb.h \ ../include/gateway_mysql.h ../include/mysql_protocol.h ../include/dcb.h \
../include/poll.h ../include/atomic.h ../include/poll.h ../include/atomic.h \
/home/mriddoch/Repository/skygateway/utils/skygw_utils.h \
/home/mriddoch/Repository/skygateway/utils/skygw_types.h \
/usr/include/math.h /usr/include/bits/huge_val.h \
/usr/include/bits/huge_valf.h /usr/include/bits/huge_vall.h \
/usr/include/bits/inf.h /usr/include/bits/nan.h \
/usr/include/bits/mathdef.h /usr/include/bits/mathcalls.h \
/home/mriddoch/Repository/skygateway/utils/skygw_debug.h \
/usr/include/assert.h \
/home/mriddoch/Repository/skygateway/log_manager/log_manager.h
load_utils.o: load_utils.c /usr/include/sys/param.h \ load_utils.o: load_utils.c /usr/include/sys/param.h \
/usr/lib/gcc/x86_64-redhat-linux/4.4.6/include/limits.h \ /usr/lib/gcc/x86_64-redhat-linux/4.4.6/include/limits.h \
/usr/lib/gcc/x86_64-redhat-linux/4.4.6/include/syslimits.h \ /usr/lib/gcc/x86_64-redhat-linux/4.4.6/include/syslimits.h \
@ -306,7 +324,16 @@ load_utils.o: load_utils.c /usr/include/sys/param.h \
/usr/include/dlfcn.h /usr/include/bits/dlfcn.h ../include/modules.h \ /usr/include/dlfcn.h /usr/include/bits/dlfcn.h ../include/modules.h \
../include/dcb.h ../include/spinlock.h ../include/thread.h \ ../include/dcb.h ../include/spinlock.h ../include/thread.h \
/usr/include/pthread.h /usr/include/sched.h /usr/include/bits/sched.h \ /usr/include/pthread.h /usr/include/sched.h /usr/include/bits/sched.h \
/usr/include/bits/setjmp.h ../include/buffer.h ../include/gwbitmask.h /usr/include/bits/setjmp.h ../include/buffer.h ../include/gwbitmask.h \
/home/mriddoch/Repository/skygateway/utils/skygw_utils.h \
/home/mriddoch/Repository/skygateway/utils/skygw_types.h \
/usr/include/math.h /usr/include/bits/huge_val.h \
/usr/include/bits/huge_valf.h /usr/include/bits/huge_vall.h \
/usr/include/bits/inf.h /usr/include/bits/nan.h \
/usr/include/bits/mathdef.h /usr/include/bits/mathcalls.h \
/home/mriddoch/Repository/skygateway/utils/skygw_debug.h \
/usr/include/assert.h \
/home/mriddoch/Repository/skygateway/log_manager/log_manager.h
session.o: session.c /usr/include/stdio.h /usr/include/features.h \ session.o: session.c /usr/include/stdio.h /usr/include/features.h \
/usr/include/sys/cdefs.h /usr/include/bits/wordsize.h \ /usr/include/sys/cdefs.h /usr/include/bits/wordsize.h \
/usr/include/gnu/stubs.h /usr/include/gnu/stubs-64.h \ /usr/include/gnu/stubs.h /usr/include/gnu/stubs-64.h \
@ -437,7 +464,18 @@ config.o: config.c /usr/include/stdio.h /usr/include/features.h \
/usr/include/pthread.h /usr/include/sched.h /usr/include/bits/sched.h \ /usr/include/pthread.h /usr/include/sched.h /usr/include/bits/sched.h \
/usr/include/bits/setjmp.h ../include/dcb.h ../include/buffer.h \ /usr/include/bits/setjmp.h ../include/dcb.h ../include/buffer.h \
../include/gwbitmask.h ../include/server.h ../include/users.h \ ../include/gwbitmask.h ../include/server.h ../include/users.h \
../include/hashtable.h ../include/atomic.h ../include/monitor.h ../include/hashtable.h ../include/atomic.h ../include/monitor.h \
/home/mriddoch/Repository/skygateway/utils/skygw_utils.h \
/home/mriddoch/Repository/skygateway/utils/skygw_types.h \
/usr/include/math.h /usr/include/bits/huge_val.h \
/usr/include/bits/huge_valf.h /usr/include/bits/huge_vall.h \
/usr/include/bits/inf.h /usr/include/bits/nan.h \
/usr/include/bits/mathdef.h /usr/include/bits/mathcalls.h \
/home/mriddoch/Repository/skygateway/utils/skygw_debug.h \
/usr/include/assert.h /usr/include/unistd.h \
/usr/include/bits/posix_opt.h /usr/include/bits/environments.h \
/usr/include/bits/confname.h /usr/include/getopt.h \
/home/mriddoch/Repository/skygateway/log_manager/log_manager.h
users.o: users.c /usr/include/stdio.h /usr/include/features.h \ users.o: users.c /usr/include/stdio.h /usr/include/features.h \
/usr/include/sys/cdefs.h /usr/include/bits/wordsize.h \ /usr/include/sys/cdefs.h /usr/include/bits/wordsize.h \
/usr/include/gnu/stubs.h /usr/include/gnu/stubs-64.h \ /usr/include/gnu/stubs.h /usr/include/gnu/stubs-64.h \
@ -510,7 +548,16 @@ dbusers.o: dbusers.c /usr/include/stdio.h /usr/include/features.h \
/usr/include/assert.h /usr/include/unistd.h \ /usr/include/assert.h /usr/include/unistd.h \
/usr/include/bits/posix_opt.h /usr/include/bits/environments.h \ /usr/include/bits/posix_opt.h /usr/include/bits/environments.h \
/usr/include/bits/confname.h /usr/include/getopt.h \ /usr/include/bits/confname.h /usr/include/getopt.h \
/home/mriddoch/Repository/skygateway/log_manager/log_manager.h /home/mriddoch/Repository/skygateway/log_manager/log_manager.h \
../include/secrets.h /usr/include/string.h /usr/include/stdlib.h \
/usr/include/bits/waitflags.h /usr/include/bits/waitstatus.h \
/usr/include/alloca.h /usr/include/sys/stat.h /usr/include/bits/stat.h \
/usr/include/fcntl.h /usr/include/bits/fcntl.h /usr/include/errno.h \
/usr/include/bits/errno.h /usr/include/linux/errno.h \
/usr/include/asm/errno.h /usr/include/asm-generic/errno.h \
/usr/include/asm-generic/errno-base.h /usr/include/openssl/aes.h \
/usr/include/openssl/opensslconf.h \
/usr/include/openssl/opensslconf-x86_64.h
thread.o: thread.c ../include/thread.h /usr/include/pthread.h \ thread.o: thread.c ../include/thread.h /usr/include/pthread.h \
/usr/include/features.h /usr/include/sys/cdefs.h \ /usr/include/features.h /usr/include/sys/cdefs.h \
/usr/include/bits/wordsize.h /usr/include/gnu/stubs.h \ /usr/include/bits/wordsize.h /usr/include/gnu/stubs.h \
@ -556,7 +603,18 @@ monitor.o: monitor.c /usr/include/stdio.h /usr/include/features.h \
../include/server.h ../include/dcb.h ../include/spinlock.h \ ../include/server.h ../include/dcb.h ../include/spinlock.h \
../include/thread.h /usr/include/pthread.h /usr/include/sched.h \ ../include/thread.h /usr/include/pthread.h /usr/include/sched.h \
/usr/include/bits/sched.h /usr/include/bits/setjmp.h ../include/buffer.h \ /usr/include/bits/sched.h /usr/include/bits/setjmp.h ../include/buffer.h \
../include/gwbitmask.h ../include/modules.h ../include/gwbitmask.h ../include/modules.h \
/home/mriddoch/Repository/skygateway/utils/skygw_utils.h \
/home/mriddoch/Repository/skygateway/utils/skygw_types.h \
/usr/include/math.h /usr/include/bits/huge_val.h \
/usr/include/bits/huge_valf.h /usr/include/bits/huge_vall.h \
/usr/include/bits/inf.h /usr/include/bits/nan.h \
/usr/include/bits/mathdef.h /usr/include/bits/mathcalls.h \
/home/mriddoch/Repository/skygateway/utils/skygw_debug.h \
/usr/include/assert.h /usr/include/unistd.h \
/usr/include/bits/posix_opt.h /usr/include/bits/environments.h \
/usr/include/bits/confname.h /usr/include/getopt.h \
/home/mriddoch/Repository/skygateway/log_manager/log_manager.h
adminusers.o: adminusers.c /usr/include/stdio.h /usr/include/features.h \ adminusers.o: adminusers.c /usr/include/stdio.h /usr/include/features.h \
/usr/include/sys/cdefs.h /usr/include/bits/wordsize.h \ /usr/include/sys/cdefs.h /usr/include/bits/wordsize.h \
/usr/include/gnu/stubs.h /usr/include/gnu/stubs-64.h \ /usr/include/gnu/stubs.h /usr/include/gnu/stubs-64.h \
@ -579,4 +637,50 @@ adminusers.o: adminusers.c /usr/include/stdio.h /usr/include/features.h \
../include/thread.h /usr/include/pthread.h /usr/include/sched.h \ ../include/thread.h /usr/include/pthread.h /usr/include/sched.h \
/usr/include/bits/sched.h /usr/include/bits/setjmp.h ../include/atomic.h \ /usr/include/bits/sched.h /usr/include/bits/setjmp.h ../include/atomic.h \
../include/dcb.h ../include/buffer.h ../include/gwbitmask.h \ ../include/dcb.h ../include/buffer.h ../include/gwbitmask.h \
../include/adminusers.h ../include/adminusers.h \
/home/mriddoch/Repository/skygateway/utils/skygw_utils.h \
/home/mriddoch/Repository/skygateway/utils/skygw_types.h \
/usr/include/math.h /usr/include/bits/huge_val.h \
/usr/include/bits/huge_valf.h /usr/include/bits/huge_vall.h \
/usr/include/bits/inf.h /usr/include/bits/nan.h \
/usr/include/bits/mathdef.h /usr/include/bits/mathcalls.h \
/home/mriddoch/Repository/skygateway/utils/skygw_debug.h \
/usr/include/assert.h \
/home/mriddoch/Repository/skygateway/log_manager/log_manager.h
secrets.o: secrets.c ../include/secrets.h /usr/include/stdio.h \
/usr/include/features.h /usr/include/sys/cdefs.h \
/usr/include/bits/wordsize.h /usr/include/gnu/stubs.h \
/usr/include/gnu/stubs-64.h \
/usr/lib/gcc/x86_64-redhat-linux/4.4.6/include/stddef.h \
/usr/include/bits/types.h /usr/include/bits/typesizes.h \
/usr/include/libio.h /usr/include/_G_config.h /usr/include/wchar.h \
/usr/lib/gcc/x86_64-redhat-linux/4.4.6/include/stdarg.h \
/usr/include/bits/stdio_lim.h /usr/include/bits/sys_errlist.h \
/usr/include/string.h /usr/include/xlocale.h /usr/include/stdlib.h \
/usr/include/bits/waitflags.h /usr/include/bits/waitstatus.h \
/usr/include/endian.h /usr/include/bits/endian.h \
/usr/include/bits/byteswap.h /usr/include/sys/types.h \
/usr/include/time.h /usr/include/sys/select.h /usr/include/bits/select.h \
/usr/include/bits/sigset.h /usr/include/bits/time.h \
/usr/include/sys/sysmacros.h /usr/include/bits/pthreadtypes.h \
/usr/include/alloca.h /usr/include/sys/stat.h /usr/include/bits/stat.h \
/usr/include/fcntl.h /usr/include/bits/fcntl.h /usr/include/errno.h \
/usr/include/bits/errno.h /usr/include/linux/errno.h \
/usr/include/asm/errno.h /usr/include/asm-generic/errno.h \
/usr/include/asm-generic/errno-base.h /usr/include/openssl/aes.h \
/usr/include/openssl/opensslconf.h \
/usr/include/openssl/opensslconf-x86_64.h \
/home/mriddoch/Repository/skygateway/utils/skygw_utils.h \
/home/mriddoch/Repository/skygateway/utils/skygw_types.h \
/usr/include/math.h /usr/include/bits/huge_val.h \
/usr/include/bits/huge_valf.h /usr/include/bits/huge_vall.h \
/usr/include/bits/inf.h /usr/include/bits/nan.h \
/usr/include/bits/mathdef.h /usr/include/bits/mathcalls.h \
/home/mriddoch/Repository/skygateway/utils/skygw_debug.h \
/usr/include/assert.h /usr/include/pthread.h /usr/include/sched.h \
/usr/include/bits/sched.h /usr/include/bits/setjmp.h \
/usr/include/unistd.h /usr/include/bits/posix_opt.h \
/usr/include/bits/environments.h /usr/include/bits/confname.h \
/usr/include/getopt.h \
/home/mriddoch/Repository/skygateway/log_manager/log_manager.h \
/usr/include/ctype.h

core/maxkeys.c Normal file

@ -0,0 +1,47 @@
/*
* This file is distributed as part of the SkySQL Gateway. It is free
* software: you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation,
* version 2.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Copyright SkySQL Ab 2013
*/
/**
* @file maxkeys.c - Create the random encryption keys for maxscale
*
* @verbatim
* Revision History
*
* Date Who Description
* 24/07/13 Mark Riddoch Initial implementation
*
* @endverbatim
*/
#include <stdio.h>
#include <secrets.h>
main(int argc, char **argv)
{
if (argc != 2)
{
fprintf(stderr, "Usage: %s <filename>\n", argv[0]);
exit(1);
}
if (secrets_writeKeys(argv[1]))
{
fprintf(stderr, "Failed to encode the password\n");
exit(1);
}
exit(0);
}
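Review bot: `main(int argc, char **argv)` has no return type and `exit()` is called without `<stdlib.h>`, so the file relies on implicit int and an implicit function declaration, both removed from the language since C99 and rejected by current compilers; add `#include <stdlib.h>` and write `int main(int argc, char **argv)`. The failure message on the secrets_writeKeys branch, `"Failed to encode the password\n"`, was copied from maxpasswd and describes the wrong operation — something like `"Failed to create the secrets file %s\n", argv[1]` tells the operator what actually went wrong. A one-line file comment noting that the output file holds the key material and should be created by the account MaxScale runs as — secrets_readKeys rejects any mode other than owner read-only — would save the next reader a trip into secrets.c.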

core/maxpasswd.c Normal file

@ -0,0 +1,55 @@
/*
* This file is distributed as part of the SkySQL Gateway. It is free
* software: you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation,
* version 2.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Copyright SkySQL Ab 2013
*/
/**
* @file maxpasswd.c - Implementation of pasword encoding
*
* @verbatim
* Revision History
*
* Date Who Description
* 24/07/13 Mark Riddoch Initial implementation
*
* @endverbatim
*/
#include <stdio.h>
#include <secrets.h>
/**
* Encrypt a password for storing in the MaxScale.cnf file
*
* @param argc Argument count
* @param arv Argument vector
*/
int
main(int argc, char **argv)
{
char *enc;
if (argc != 2)
{
fprintf(stderr, "Usage: %s <password>\n", argv[0]);
exit(1);
}
if ((enc = encryptPassword(argv[1])) != NULL)
printf("%s\n", enc);
else
fprintf(stderr, "Failed to encode the password\n");
return 0;
}
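Review bot: `exit(1)` is used without `#include <stdlib.h>`, and the failure branch still falls through to `return 0`, so a script cannot tell a failed encryption from a successful one; add the include and `return 1;` on the failure path. The doc comment's `@param arv` should read `@param argv`. Because the cleartext password is taken from argv[1] it is visible to every local user through the process table and is retained in shell history; reading it from the terminal (getpass(3)) or standard input instead would avoid that exposure. The string from encryptPassword is never freed, which is harmless in a one-shot tool but worth a comment so the pattern is not copied into the server.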


@ -16,83 +16,104 @@
* Copyright SkySQL Ab 2013 * Copyright SkySQL Ab 2013
*/ */
#include <secrets.h>
#include <time.h>
#include <skygw_utils.h>
#include <log_manager.h>
#include <ctype.h>
#include "secrets.h" static MAXKEYS *maxkeys = NULL;
static char secrets_randomchar() { /**
return (char)((rand() % 78) + 30); * Generate a random printable character
*
* @return A random printable character
*/
static unsigned char
secrets_randomchar()
{
return (char)((rand() % ('~' - ' ')) + ' ');
} }
static int secrets_random_str(char *output, int len) { static int
secrets_random_str(unsigned char *output, int len)
{
int i; int i;
srand(time(0L)); srand(time(0L));
for ( i = 0; i < len; ++i ) { for ( i = 0; i < len; ++i )
{
output[i] = secrets_randomchar(); output[i] = secrets_randomchar();
} }
output[len]='\0';
return 0; return 0;
} }
/** /**
* secrets_readKeys * secrets_readKeys
* *
* This routine reads data from a binary file and exracts the AES encryption key * This routine reads data from a binary file and extracts the AES encryption key
* and the AES Init Vector * and the AES Init Vector
*
* Input parameters must be preallocated
* @param enc_key Will contain the encryption key found in file
* @param iv Will contain the Init vector found in file
* @param secret_file The file with secret keys
* @return 0 on success and 1 on failure
*/ */
static void
int secrets_readKeys(char *enc_key, char *iv, char *secret_file) { secrets_readKeys()
{
char secret_file[180];
char *home;
MAXKEYS *keys;
struct stat secret_stats; struct stat secret_stats;
char read_buffer[1 + AES_BLOCK_SIZE * 2 + AES_BLOCK_SIZE + 3]=""; int fd;
int fd =0;
int secret_file_size = 0; if ((home = getenv("MAXSCALE_HOME")) == NULL)
home = "/usr/local/skysql/MaxScale";
sprintf(secret_file, "%s/etc/.secrets", home);
/* open secret file */ /* open secret file */
fd = open(secret_file, O_RDONLY); if ((fd = open(secret_file, O_RDONLY)) < 0)
{
if (fd < 0) { skygw_log_write(NULL, LOGFILE_ERROR, "secrets_readKeys, failed opening secret file [%s]. Error %i, %s\n", secret_file, errno, strerror(errno));
fprintf(stderr, "secrets_readKeys, failed opening secret file [%s]. Error %i, %s\n", secret_file, errno, strerror(errno)); return;
return 1;
} }
/* accessing file details */ /* accessing file details */
if (fstat(fd, &secret_stats) < 0) { if (fstat(fd, &secret_stats) < 0) {
fprintf(stderr, "secrets_readKeys, failed accessing secret file details [%s]. Error %i, %s\n", secret_file, errno, strerror(errno)); skygw_log_write(NULL, LOGFILE_ERROR, "secrets_readKeys, failed accessing secret file details [%s]. Error %i, %s\n", secret_file, errno, strerror(errno));
return 1; return;
} }
secret_file_size = secret_stats.st_size; if (secret_stats.st_size != sizeof(MAXKEYS))
{
skygw_log_write(NULL, LOGFILE_ERROR, "Secrets file %s is incorrect size\n", secret_file);
return;
}
if (secret_stats.st_mode != (S_IRUSR|S_IFREG))
{
skygw_log_write(NULL, LOGFILE_ERROR, "Ignoring secrets file, permissions must be read only fo rthe owner\n");
return;
}
fprintf(stderr, "The secret file has %i bytes\n", secret_file_size); if ((keys = (MAXKEYS *)malloc(sizeof(MAXKEYS))) == NULL)
{
skygw_log_write(NULL, LOGFILE_ERROR,
"Insufficient memory to create the keys structure.\n");
return;
}
/* read all data from file */ /* read all data from file */
if (read(fd, read_buffer, sizeof(read_buffer)-1) < 0) { if (read(fd, keys, sizeof(MAXKEYS)) != sizeof(MAXKEYS))
fprintf(stderr, "secrets_readKeys, failed reading from secret file [%s]. Error %i, %s\n", secret_file, errno, strerror(errno)); {
return 1; skygw_log_write(NULL, LOGFILE_ERROR, "secrets_readKeys, failed reading from secret file [%s]. Error %i, %s\n", secret_file, errno, strerror(errno));
return;
} }
/* Now filling input parameters */
memcpy(enc_key, read_buffer+1, MAXSCALE_SECRETS_ONE);
memcpy(iv, read_buffer+1+MAXSCALE_SECRETS_ONE, MAXSCALE_SECRETS_INIT_VAL_ONE);
memcpy(enc_key+ MAXSCALE_SECRETS_ONE, read_buffer+1+MAXSCALE_SECRETS_ONE+MAXSCALE_SECRETS_INIT_VAL_ONE, MAXSCALE_SECRETS_TWO);
memcpy(iv+MAXSCALE_SECRETS_INIT_VAL_ONE, read_buffer+1+MAXSCALE_SECRETS_ONE+MAXSCALE_SECRETS_INIT_VAL_ONE+MAXSCALE_SECRETS_TWO, MAXSCALE_SECRETS_INIT_VAL_TWO);
/* Close the file */ /* Close the file */
if (close(fd) < 0) { if (close(fd) < 0) {
fprintf(stderr, "secrets_readKeys, failed closing the secret file [%s]. Error %i, %s\n", secret_file, errno, strerror(errno)); skygw_log_write(NULL, LOGFILE_ERROR, "secrets_readKeys, failed closing the secret file [%s]. Error %i, %s\n", secret_file, errno, strerror(errno));
return 1; return;
} }
return 0; maxkeys = keys;
return;
} }
/** /**
@ -106,54 +127,111 @@ int secrets_readKeys(char *enc_key, char *iv, char *secret_file) {
*/ */
int secrets_writeKeys(char *secret_file) int secrets_writeKeys(char *secret_file)
{ {
char enc_key[1 + AES_BLOCK_SIZE * 2]=""; int fd;
char iv[1 + AES_BLOCK_SIZE]=""; MAXKEYS key;
char secret_buffer[1 + AES_BLOCK_SIZE * 3 + 3] = "";
char scramble_secret[1 + AES_BLOCK_SIZE * 3 + 3] = "";
char one_byte[1 + 1]="";
char two_bytes[1 + 2]="";
int fd =0;
/* Open for writing | Create | Truncate the file for writing */ /* Open for writing | Create | Truncate the file for writing */
fd = open(secret_file, O_CREAT | O_WRONLY | O_TRUNC); if ((fd = open(secret_file, O_CREAT | O_WRONLY | O_TRUNC), S_IRUSR) < 0)
{
if (fd < 0) { skygw_log_write(NULL, LOGFILE_ERROR, "secrets_createKeys, failed opening secret file [%s]. Error %i, %s\n", secret_file, errno, strerror(errno));
fprintf(stderr, "secrets_createKeys, failed opening secret file [%s]. Error %i, %s\n", secret_file, errno, strerror(errno));
return 1; return 1;
} }
srand(time(NULL)); srand(time(NULL));
secrets_random_str(secret_buffer, AES_BLOCK_SIZE * 3 + 3); secrets_random_str(key.enckey, MAXSCALE_KEYLEN);
secrets_random_str(key.initvector, MAXSCALE_IV_LEN);
/* assign key and iv from random buffer */
memcpy(one_byte, secret_buffer, 1);
memcpy(enc_key, secret_buffer + 1, AES_BLOCK_SIZE * 2);
memcpy(iv, secret_buffer + 1 + AES_BLOCK_SIZE * 2, AES_BLOCK_SIZE);
memcpy(two_bytes, secret_buffer + 1 + AES_BLOCK_SIZE * 2 + AES_BLOCK_SIZE + 1, 2);
//fprintf(stderr, "<<< Key32 is [%s]\n", enc_key);
//fprintf(stderr, "<<< IV16 is [%s]\n", iv);
/* prepare data */
memcpy(scramble_secret, one_byte, 1);
memcpy(scramble_secret + 1, enc_key, MAXSCALE_SECRETS_ONE);
memcpy(scramble_secret + 1 + MAXSCALE_SECRETS_ONE, iv, MAXSCALE_SECRETS_INIT_VAL_ONE);
memcpy(scramble_secret + 1 + MAXSCALE_SECRETS_ONE + MAXSCALE_SECRETS_INIT_VAL_ONE, enc_key + MAXSCALE_SECRETS_ONE, MAXSCALE_SECRETS_TWO);
memcpy(scramble_secret + 1 + MAXSCALE_SECRETS_ONE + MAXSCALE_SECRETS_INIT_VAL_ONE + MAXSCALE_SECRETS_TWO, iv + MAXSCALE_SECRETS_INIT_VAL_ONE, MAXSCALE_SECRETS_INIT_VAL_TWO);
memcpy(scramble_secret + 1 + MAXSCALE_SECRETS_ONE + MAXSCALE_SECRETS_INIT_VAL_ONE + MAXSCALE_SECRETS_TWO + MAXSCALE_SECRETS_INIT_VAL_TWO, two_bytes, 2);
/* Write data */ /* Write data */
if(write(fd, scramble_secret, sizeof(scramble_secret)-1) < 0) { if (write(fd, &key, sizeof(key)) < 0)
fprintf(stderr, "secrets_createKeys, failed writing into secret file [%s]. Error %i, %s\n", secret_file, errno, strerror(errno)); {
skygw_log_write(NULL, LOGFILE_ERROR, "secrets_createKeys, failed writing into secret file [%s]. Error %i, %s\n", secret_file, errno, strerror(errno));
return 1; return 1;
} }
/* close file */ /* close file */
if (close(fd) < 0) { if (close(fd) < 0)
fprintf(stderr, "secrets_createKeys, failed closing the secret file [%s]. Error %i, %s\n", secret_file, errno, strerror(errno)); {
skygw_log_write(NULL, LOGFILE_ERROR, "secrets_createKeys, failed closing the secret file [%s]. Error %i, %s\n", secret_file, errno, strerror(errno));
} }
chmod(secret_file, S_IRUSR);
return 0; return 0;
} }
/**
* Decrypt a password that is stored inthe MaxScale configuration file.
* If the password is not encrypted, ie is not a HEX string, then the
* original is returned, this allows for backward compatibility with
* unencrypted password.
*
* Note the return is always a malloc'd string that the caller must free
*
* @param crypt The encrypted password
* @return The decrypted password
*/
char *
decryptPassword(char *crypt)
{
AES_KEY aeskey;
unsigned char *plain;
char *ptr;
unsigned char encrypted[80];
int enlen;
if (!maxkeys)
secrets_readKeys();
if (!maxkeys)
return strdup(crypt);
/* If the input is not a HEX string return the input - it probably was not encrypted */
for (ptr = crypt; *ptr; ptr++)
if (!isxdigit(*ptr))
return strdup(crypt);
enlen = strlen(crypt) / 2;
gw_hex2bin(encrypted, crypt, strlen(crypt));
if ((plain = (unsigned char *)malloc(80)) == NULL)
return NULL;
AES_set_decrypt_key(maxkeys->enckey, 8 * MAXSCALE_KEYLEN, &aeskey);
AES_cbc_encrypt(encrypted, plain, enlen, &aeskey, maxkeys->initvector, AES_DECRYPT);
return (char *)plain;
}
/**
* Encrypt a password that can be stored in the MaxScale configuration file.
*
* Note the return is always a malloc'd string that the caller must free
*
* @param password The password to encrypt
* @return The encrypted password
*/
char *
encryptPassword(char *password)
{
AES_KEY aeskey;
int padded_len;
char *hex_output;
unsigned char padded_passwd[80];
unsigned char encrypted[80];
if (!maxkeys)
secrets_readKeys();
if (!maxkeys)
return NULL;
memset(padded_passwd, 0, 80);
strcpy((char *)padded_passwd, password);
padded_len = ((strlen(password) / AES_BLOCK_SIZE) + 1) * AES_BLOCK_SIZE;
AES_set_encrypt_key(maxkeys->enckey, 8 * MAXSCALE_KEYLEN, &aeskey);
AES_cbc_encrypt(padded_passwd, encrypted, padded_len, &aeskey, maxkeys->initvector, AES_ENCRYPT);
hex_output = (char *)malloc(padded_len * 2);
gw_bin2hex(hex_output, encrypted, padded_len * 2);
return hex_output;
}
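Review bot: In secrets_writeKeys the mode argument has slipped outside the open() call — `if ((fd = open(secret_file, O_CREAT | O_WRONLY | O_TRUNC), S_IRUSR) < 0)` evaluates a comma expression whose value is S_IRUSR, so the `< 0` test can never fire and open() is invoked with O_CREAT but no mode, which is undefined; it should read `if ((fd = open(secret_file, O_CREAT | O_WRONLY | O_TRUNC, S_IRUSR)) < 0)`. OpenSSL's AES_cbc_encrypt updates the ivec buffer it is given, so both encryptPassword and decryptPassword overwrite maxkeys->initvector on every call and the second password processed in a process is handled under the wrong IV; each call must work on a local copy of the IV. decryptPassword also copies strlen(crypt)/2 bytes into encrypted[80] with no length check, accepts an empty string as ciphertext, and returns an uninitialised malloc'd buffer that is NUL-terminated only when the ciphertext happened to carry the zero padding, while encryptPassword strcpy's an unchecked password into padded_passwd[80]; a rewrite of decryptPassword with those checks is below, and encryptPassword needs a matching `if (strlen(password) >= sizeof(padded_passwd)) return NULL;` before the strcpy. Key generation seeds rand() with the current second and restricts each key byte to the printable range, so the key space is far smaller than the 256-bit key length suggests and is reproducible from the creation time; `RAND_bytes()` from the libcrypto the Makefile already links is the appropriate source for enckey and initvector. Smaller points: `malloc(padded_len * 2)` leaves no room for the terminator gw_bin2hex presumably writes, and passing `padded_len * 2` as its length looks like a hex-length/binary-length mix-up that would read past encrypted[] — worth checking against gw_bin2hex's signature; secrets_readKeys returns without close(fd) on the size and mode checks and leaks keys on the read/close failures; and the lazy `if (!maxkeys) secrets_readKeys();` is racy if the monitor threads reach it concurrently.
```c
char *
decryptPassword(char *crypt)
{
	AES_KEY		aeskey;
	unsigned char	iv[MAXSCALE_IV_LEN];
	unsigned char	*plain;
	char		*ptr;
	unsigned char	encrypted[80];
	size_t		hexlen;
	int		enlen;

	/* … unchanged: lazy secrets_readKeys() and the isxdigit scan that returns strdup(crypt) … */

	hexlen = strlen(crypt);
	/* Ciphertext is whole AES blocks and must fit the buffer; anything else is a legacy cleartext password */
	if (hexlen == 0 || hexlen % (2 * AES_BLOCK_SIZE) != 0 || hexlen / 2 >= sizeof(encrypted))
		return strdup(crypt);
	enlen = (int)(hexlen / 2);
	gw_hex2bin(encrypted, crypt, hexlen);

	/* calloc so the byte after the last block is always a terminator */
	if ((plain = calloc(1, sizeof(encrypted))) == NULL)
		return NULL;

	/* AES_cbc_encrypt advances ivec in place; never hand it the shared copy */
	memcpy(iv, maxkeys->initvector, sizeof(iv));
	AES_set_decrypt_key(maxkeys->enckey, 8 * MAXSCALE_KEYLEN, &aeskey);
	AES_cbc_encrypt(encrypted, plain, enlen, &aeskey, iv, AES_DECRYPT);
	return (char *)plain;
}
```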


@ -40,9 +40,18 @@
#include <openssl/aes.h> #include <openssl/aes.h>
#define MAXSCALE_SECRETS_ONE 4 #define MAXSCALE_KEYLEN 32
#define MAXSCALE_SECRETS_TWO 28 #define MAXSCALE_IV_LEN 16
#define MAXSCALE_SECRETS_INIT_VAL_ONE 11
#define MAXSCALE_SECRETS_INIT_VAL_TWO 5
/**
* The key structure held in the secrets file
*/
typedef struct maxkeys {
unsigned char enckey[MAXSCALE_KEYLEN];
unsigned char initvector[MAXSCALE_IV_LEN];
} MAXKEYS;
extern int secrets_writeKeys(char *filename);
extern char *decryptPassword(char *);
extern char *encryptPassword(char *);
#endif #endif
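Review bot: The new prototypes `extern char *decryptPassword(char *);` and `extern char *encryptPassword(char *);` give callers no hint that the result is heap-allocated and must be freed, that decryptPassword hands back a copy of its input when the string is not hex, or that either can return NULL; a short `/** ... */` on each declaration stating ownership and the NULL cases would help the monitor and dbusers callers get the free() right. Neither function writes through its argument in the secrets.c hunk, so `const char *` parameters would let callers pass literals and const configuration values without a cast, provided gw_hex2bin accepts a const pointer. A one-line comment on MAXKEYS saying the struct is written to and read from the secrets file verbatim would explain why its layout must not change. The include guard opens outside this hunk.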


@ -32,4 +32,11 @@ mysql_mon.o: mysql_mon.c /usr/include/stdio.h /usr/include/features.h \
/usr/include/assert.h /usr/include/unistd.h \ /usr/include/assert.h /usr/include/unistd.h \
/usr/include/bits/posix_opt.h /usr/include/bits/environments.h \ /usr/include/bits/posix_opt.h /usr/include/bits/environments.h \
/usr/include/bits/confname.h /usr/include/getopt.h \ /usr/include/bits/confname.h /usr/include/getopt.h \
/home/mriddoch/Repository/skygateway/log_manager/log_manager.h /home/mriddoch/Repository/skygateway/log_manager/log_manager.h \
../../include/secrets.h /usr/include/sys/stat.h /usr/include/bits/stat.h \
/usr/include/fcntl.h /usr/include/bits/fcntl.h /usr/include/errno.h \
/usr/include/bits/errno.h /usr/include/linux/errno.h \
/usr/include/asm/errno.h /usr/include/asm-generic/errno.h \
/usr/include/asm-generic/errno-base.h /usr/include/openssl/aes.h \
/usr/include/openssl/opensslconf.h \
/usr/include/openssl/opensslconf-x86_64.h


@ -38,6 +38,7 @@
#include <mysqld_error.h> #include <mysqld_error.h>
#include <skygw_utils.h> #include <skygw_utils.h>
#include <log_manager.h> #include <log_manager.h>
#include <secrets.h>
static void monitorMain(void *); static void monitorMain(void *);
@ -69,7 +70,8 @@ version()
void void
ModuleInit() ModuleInit()
{ {
fprintf(stderr, "Initialise the MySQL Galera Monitor module.\n"); skygw_log_write(NULL, LOGFILE_MESSAGE, "Initialise the MySQL Galera Monitor module %s.\n",
version_str);
} }
/** /**
@ -237,13 +239,16 @@ char *uname = defaultUser, *passwd = defaultPasswd;
if (database->con == NULL || mysql_ping(database->con) != 0) if (database->con == NULL || mysql_ping(database->con) != 0)
{ {
char *dpwd = decryptPassword(passwd);
database->con = mysql_init(NULL); database->con = mysql_init(NULL);
if (mysql_real_connect(database->con, database->server->name, if (mysql_real_connect(database->con, database->server->name,
uname, passwd, NULL, database->server->port, NULL, 0) == NULL) uname, dpwd, NULL, database->server->port, NULL, 0) == NULL)
{ {
server_clear_status(database->server, SERVER_RUNNING); server_clear_status(database->server, SERVER_RUNNING);
free(dpwd);
return; return;
} }
free(dpwd);
} }
/* If we get this far then we have a working connection */ /* If we get this far then we have a working connection */


@ -40,6 +40,7 @@
#include <mysqld_error.h> #include <mysqld_error.h>
#include <skygw_utils.h> #include <skygw_utils.h>
#include <log_manager.h> #include <log_manager.h>
#include <secrets.h>
static void monitorMain(void *); static void monitorMain(void *);
@ -71,7 +72,8 @@ version()
void void
ModuleInit() ModuleInit()
{ {
fprintf(stderr, "Initialise the MySQL Monitor module.\n"); skygw_log_write(NULL, LOGFILE_MESSAGE, "Initialise the MySQL Monitor module %s.\n",
version_str);
} }
/** /**
@ -240,13 +242,16 @@ char *uname = defaultUser, *passwd = defaultPasswd;
return; return;
if (database->con == NULL || mysql_ping(database->con) != 0) if (database->con == NULL || mysql_ping(database->con) != 0)
{ {
char *dpwd = decryptPassword(passwd);
database->con = mysql_init(NULL); database->con = mysql_init(NULL);
if (mysql_real_connect(database->con, database->server->name, if (mysql_real_connect(database->con, database->server->name,
uname, passwd, NULL, database->server->port, NULL, 0) == NULL) uname, dpwd, NULL, database->server->port, NULL, 0) == NULL)
{ {
free(dpwd);
server_clear_status(database->server, SERVER_RUNNING); server_clear_status(database->server, SERVER_RUNNING);
return; return;
} }
free(dpwd);
} }
/* If we get this far then we have a working connection */ /* If we get this far then we have a working connection */


@ -40,6 +40,8 @@
#include <dcb.h> #include <dcb.h>
#include <poll.h> #include <poll.h>
#include <debugcli.h> #include <debugcli.h>
#include <skygw_utils.h>
#include <log_manager.h>
static char *version_str = "V1.0.1"; static char *version_str = "V1.0.1";
@ -76,7 +78,7 @@ version()
void void
ModuleInit() ModuleInit()
{ {
fprintf(stderr, "Initial debug router module.\n"); skygw_log_write(NULL, LOGFILE_MESSAGE, "Initialise debug CLI router module %s.\n", version_str);
spinlock_init(&instlock); spinlock_init(&instlock);
instances = NULL; instances = NULL;
} }
@ -92,7 +94,6 @@ ModuleInit()
ROUTER_OBJECT * ROUTER_OBJECT *
GetModuleObject() GetModuleObject()
{ {
fprintf(stderr, "Returing debug router module object.\n");
return &MyObject; return &MyObject;
} }


@ -90,7 +90,18 @@ debugcli.o: debugcli.c /usr/include/stdio.h /usr/include/features.h \
/usr/include/bits/setjmp.h ../../include/dcb.h ../../include/buffer.h \ /usr/include/bits/setjmp.h ../../include/dcb.h ../../include/buffer.h \
../../include/gwbitmask.h ../../include/server.h ../../include/session.h \ ../../include/gwbitmask.h ../../include/server.h ../../include/session.h \
../../include/router.h ../../include/modules.h ../../include/atomic.h \ ../../include/router.h ../../include/modules.h ../../include/atomic.h \
../../include/poll.h ../include/debugcli.h ../../include/poll.h ../include/debugcli.h \
/home/mriddoch/Repository/skygateway/utils/skygw_utils.h \
/home/mriddoch/Repository/skygateway/utils/skygw_types.h \
/usr/include/math.h /usr/include/bits/huge_val.h \
/usr/include/bits/huge_valf.h /usr/include/bits/huge_vall.h \
/usr/include/bits/inf.h /usr/include/bits/nan.h \
/usr/include/bits/mathdef.h /usr/include/bits/mathcalls.h \
/home/mriddoch/Repository/skygateway/utils/skygw_debug.h \
/usr/include/assert.h /usr/include/unistd.h \
/usr/include/bits/posix_opt.h /usr/include/bits/environments.h \
/usr/include/bits/confname.h /usr/include/getopt.h \
/home/mriddoch/Repository/skygateway/log_manager/log_manager.h
debugcmd.o: debugcmd.c /usr/include/stdio.h /usr/include/features.h \ debugcmd.o: debugcmd.c /usr/include/stdio.h /usr/include/features.h \
/usr/include/sys/cdefs.h /usr/include/bits/wordsize.h \ /usr/include/sys/cdefs.h /usr/include/bits/wordsize.h \
/usr/include/gnu/stubs.h /usr/include/gnu/stubs-64.h \ /usr/include/gnu/stubs.h /usr/include/gnu/stubs-64.h \


@ -115,8 +115,7 @@ ModuleInit()
{ {
skygw_log_write(NULL, skygw_log_write(NULL,
LOGFILE_MESSAGE, LOGFILE_MESSAGE,
strdup("Initial test router module.\n")); "Initialise readconnroute router module %s.\n", version_str);
fprintf(stderr, "Initial test router module.\n");
spinlock_init(&instlock); spinlock_init(&instlock);
instances = NULL; instances = NULL;
} }
@ -132,7 +131,6 @@ ModuleInit()
ROUTER_OBJECT * ROUTER_OBJECT *
GetModuleObject() GetModuleObject()
{ {
fprintf(stderr, "Returning test router module object.\n");
return &MyObject; return &MyObject;
} }