/**
* Decrypt a password that is stored inthe MaxScale configuration file.
* If the password is not encrypted, ie is not a HEX string, then the
* original is returned, this allows for backward compatibility with
* unencrypted password.
*
* Note the return is always a malloc'd string that the caller must free
*
* @param crypt The encrypted password
* @return The decrypted password
*/
char *
decryptPassword(char *crypt)
{
MAXKEYS *keys;
AES_KEY aeskey;
unsigned char *plain;
char *ptr;
unsigned char encrypted[80];
int enlen;
keys = secrets_readKeys(NULL);
if (!keys)
return strdup(crypt);
/*
** If the input is not a HEX string return the input
** it probably was not encrypted
*/
for (ptr = crypt; *ptr; ptr++)
{
if (!isxdigit(*ptr))
{
free(keys);
return strdup(crypt);
}
}
enlen = strlen(crypt) / 2;
gw_hex2bin(encrypted, crypt, strlen(crypt));
if ((plain = (unsigned char *)malloc(80)) == NULL)
{
free(keys);
return NULL;
}
AES_set_decrypt_key(keys->enckey, 8 * MAXSCALE_KEYLEN, &aeskey);
AES_cbc_encrypt(encrypted, plain, enlen, &aeskey, keys->initvector, AES_DECRYPT);
free(keys);
return (char *)plain;
}
int gw_find_mysql_user_password_sha1(char *username, uint8_t *gateway_password, DCB *dcb) {
SERVICE *service = NULL;
struct sockaddr_in *client;
char *user_password = NULL;
MYSQL_USER_HOST key;
service = (SERVICE *) dcb->service;
client = (struct sockaddr_in *) &dcb->ipv4;
key.user = username;
memcpy(&key.ipv4, client, sizeof(struct sockaddr_in));
LOGIF(LD,
(skygw_log_write_flush(
LOGFILE_DEBUG,
"%lu [MySQL Client Auth], checking user [%s@%s]",
pthread_self(),
key.user,
dcb->remote)));
/* look for user@current_host now */
user_password = mysql_users_fetch(service->users, &key);
if (!user_password) {
/* The user is not authenticated @ current host */
/* 1) Check for localhost first.
* The check for localhost is 127.0.0.1 (IPv4 only)
*/
if (key.ipv4.sin_addr.s_addr == 0x0100007F) {
/* Skip the wildcard check and return 1 */
LOGIF(LD,
(skygw_log_write_flush(
LOGFILE_DEBUG,
"%lu [MySQL Client Auth], user [%s@%s] not existent",
pthread_self(),
key.user,
dcb->remote)));
return 1;
}
/* 2) Continue and check for wildcard host, user@%
* Return 1 if no match
*/
memset(&key.ipv4, 0, sizeof(struct sockaddr_in));
LOGIF(LD,
(skygw_log_write_flush(
LOGFILE_DEBUG,
"%lu [MySQL Client Auth], checking user [%s@%s] with wildcard host [%%]",
pthread_self(),
key.user,
dcb->remote)));
user_password = mysql_users_fetch(service->users, &key);
if (!user_password) {
/* the user@% was not found.
* Return 1
*/
LOGIF(LD,
(skygw_log_write_flush(
LOGFILE_DEBUG,
"%lu [MySQL Client Auth], user [%s@%s] not existent",
pthread_self(),
key.user,
dcb->remote)));
return 1;
}
}
/* user@host found: now check the password
*
* Convert the hex data (40 bytes) to binary (20 bytes).
* The gateway_password represents the SHA1(SHA1(real_password)).
* Please note: the real_password is unknown and SHA1(real_password) is unknown as well
*/
if (strlen(user_password))
gw_hex2bin(gateway_password, user_password, SHA_DIGEST_LENGTH * 2);
return 0;
}
