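/**
 * Decrypt a password that is stored in the MaxScale configuration file.
 * If the password is not encrypted, ie is not a HEX string, then the
 * original is returned, this allows for backward compatibility with
 * unencrypted password.
 *
 * Note the return is always a malloc'd string that the caller must free.
 * NULL is returned only when memory allocation fails.
 *
 * @param crypt The encrypted password: AES-CBC ciphertext as a hex string,
 *              or a plain-text password
 * @return The decrypted password, a copy of the input when it is not a
 *         plausible hex ciphertext, or NULL on allocation failure
 */
char *
decryptPassword(char *crypt)
{
    MAXKEYS *keys;
    AES_KEY aeskey;
    unsigned char *plain;
    char *ptr;
    unsigned char encrypted[80];
    size_t hexlen;
    const size_t block_hex = 2 * 16; /* one 16-byte AES block, hex encoded */
    int enlen;

    keys = secrets_readKeys(NULL);
    if (!keys)
    {
        return strdup(crypt);
    }

    /*
    ** If the input is not a HEX string return the input
    ** it probably was not encrypted.
    ** isxdigit() is only defined for values representable as unsigned
    ** char (or EOF); a plain char with the high bit set must be cast.
    */
    for (ptr = crypt; *ptr; ptr++)
    {
        if (!isxdigit((unsigned char)*ptr))
        {
            free(keys);
            return strdup(crypt);
        }
    }

    /*
    ** The ciphertext is decoded into a fixed-size stack buffer, so a hex
    ** string longer than 2 * sizeof(encrypted) would overflow it. CBC
    ** ciphertext is always a whole number of 16-byte blocks, so an empty
    ** string or one whose length is not a multiple of one hex-encoded
    ** block is not a ciphertext either. Fall back to returning a copy of
    ** the input, exactly as for the non-hex case.
    */
    hexlen = strlen(crypt);
    if (hexlen == 0 || (hexlen % block_hex) != 0 || hexlen > 2 * sizeof(encrypted))
    {
        free(keys);
        return strdup(crypt);
    }

    enlen = (int)(hexlen / 2);
    gw_hex2bin(encrypted, crypt, hexlen);

    /*
    ** One byte more than the plaintext length, zero-filled, so the result
    ** is NUL-terminated even when the decrypted data carries no trailing
    ** zero byte of its own.
    */
    plain = calloc(1, (size_t)enlen + 1);
    if (plain == NULL)
    {
        free(keys);
        return NULL;
    }

    AES_set_decrypt_key(keys->enckey, 8 * MAXSCALE_KEYLEN, &aeskey);

    /*
    ** Plain CBC carries no integrity check: a modified ciphertext decrypts
    ** to garbage rather than being rejected. AES_cbc_encrypt() also updates
    ** the IV buffer in place; keys is discarded right after, so that is
    ** harmless here.
    */
    AES_cbc_encrypt(encrypted, plain, enlen, &aeskey, keys->initvector, AES_DECRYPT);

    /*
    ** NOTE(review): the key material in *keys and the expanded aeskey are
    ** released without being wiped; confirm whether secrets_readKeys() has
    ** a matching release routine that zeroises them.
    */
    free(keys);

    return (char *)plain;
}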
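/**
 * Look up the stored password hash of a MySQL user connecting on a DCB.
 *
 * The service's user table is searched for user@<client address> first.
 * If that entry does not exist and the client is not the IPv4 loopback
 * address, the search is repeated for the wildcard host user@%.
 *
 * @param username          The user name presented by the client
 * @param gateway_password  Output buffer of SHA_DIGEST_LENGTH bytes that
 *                          receives SHA1(SHA1(real_password)) decoded from
 *                          its 40 hex characters. Left untouched when the
 *                          stored password is the empty string.
 * @param dcb               The client DCB; its service, ipv4 address and
 *                          remote name are used
 * @return 0 if a user@host entry was found (and decoded when non-empty),
 *         1 if no entry was found or the stored hash has the wrong length
 */
int gw_find_mysql_user_password_sha1(char *username, uint8_t *gateway_password, DCB *dcb)
{
    SERVICE *service = (SERVICE *) dcb->service;
    struct sockaddr_in *client = (struct sockaddr_in *) &dcb->ipv4;
    char *user_password = NULL;
    size_t stored_len;
    MYSQL_USER_HOST key;

    key.user = username;
    memcpy(&key.ipv4, client, sizeof(struct sockaddr_in));

    LOGIF(LD, (skygw_log_write_flush(
        LOGFILE_DEBUG,
        "%lu [MySQL Client Auth], checking user [%s@%s]",
        pthread_self(),
        key.user,
        dcb->remote)));

    /* look for user@current_host now */
    user_password = mysql_users_fetch(service->users, &key);

    if (!user_password)
    {
        /* The user is not authenticated @ current host */

        /* 1) Check for localhost first.
         * The check for localhost is 127.0.0.1 (IPv4 only).
         * s_addr is in network byte order, so compare against
         * htonl(INADDR_LOOPBACK) rather than a host-order literal that
         * only matches on little-endian machines.
         */
        if (key.ipv4.sin_addr.s_addr == htonl(INADDR_LOOPBACK))
        {
            /* Skip the wildcard check and return 1 */
            LOGIF(LD, (skygw_log_write_flush(
                LOGFILE_DEBUG,
                "%lu [MySQL Client Auth], user [%s@%s] not existent",
                pthread_self(),
                key.user,
                dcb->remote)));
            return 1;
        }

        /* 2) Continue and check for wildcard host, user@%
         * Return 1 if no match
         */
        memset(&key.ipv4, 0, sizeof(struct sockaddr_in));

        LOGIF(LD, (skygw_log_write_flush(
            LOGFILE_DEBUG,
            "%lu [MySQL Client Auth], checking user [%s@%s] with wildcard host [%%]",
            pthread_self(),
            key.user,
            dcb->remote)));

        user_password = mysql_users_fetch(service->users, &key);

        if (!user_password)
        {
            /* the user@% was not found.
             * Return 1
             */
            LOGIF(LD, (skygw_log_write_flush(
                LOGFILE_DEBUG,
                "%lu [MySQL Client Auth], user [%s@%s] not existent",
                pthread_self(),
                key.user,
                dcb->remote)));
            return 1;
        }
    }

    /* user@host found: now check the password
     *
     * Convert the hex data (40 bytes) to binary (20 bytes).
     * The gateway_password represents the SHA1(SHA1(real_password)).
     * Please note: the real_password is unknown and SHA1(real_password) is unknown as well.
     *
     * An empty stored value means the account has no password and
     * gateway_password is left untouched. Any other length cannot decode
     * to a SHA_DIGEST_LENGTH byte digest, and reading a fixed 40
     * characters from a shorter string would run past its terminator,
     * so such an entry is rejected like an unknown user.
     */
    stored_len = strlen(user_password);
    if (stored_len == 0)
    {
        return 0;
    }

    if (stored_len != (size_t)SHA_DIGEST_LENGTH * 2)
    {
        LOGIF(LD, (skygw_log_write_flush(
            LOGFILE_DEBUG,
            "%lu [MySQL Client Auth], user [%s@%s] has a stored password hash of unexpected length",
            pthread_self(),
            key.user,
            dcb->remote)));
        return 1;
    }

    gw_hex2bin(gateway_password, user_password, SHA_DIGEST_LENGTH * 2);

    return 0;
}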