database/mariadb-columnstore-engine
1
0
Fork 0
mirror of https://github.com/mariadb-corporation/mariadb-columnstore-engine.git synced 2025-04-18 21:44:02 +03:00
Code
mariadb-columnstore-engine/tools/passwd/secrets.cpp

711 lines
20 KiB
C++
Raw Permalink Blame History

/*
* Copyright (c) 2016 MariaDB Corporation Ab
*
* Use of this software is governed by the Business Source License included
* in the LICENSE.TXT file and at www.mariadb.com/bsl11.
*
* Change Date: 2025-05-25
*
* On the date above, in accordance with the Business Source License, use
* of this software will be governed by version 2 or later of the General
* Public License.
*/
#include "secrets.h"
#include <array>
#include <cstdint>
#include <cctype>
#include <fstream>
#include <pwd.h>
#include <sys/stat.h>
#include <openssl/aes.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/ossl_typ.h>
#include <openssl/rand.h>
#include <openssl/opensslv.h>
#include "utils/json/json.hpp"
#include "idberrorinfo.h"
#include "logger.h"
#include "mcsconfig.h"
#include "exceptclasses.h"
#include "columnstoreversion.h"
#include "vlarray.h"
using std::string;
#ifdef OPENSSL_VERSION_PREREQ
#if OPENSSL_VERSION_PREREQ(3, 0)
#define EVP_CIPHER_key_length EVP_CIPHER_get_key_length
#define EVP_CIPHER_iv_length EVP_CIPHER_get_iv_length
#define EVP_CIPHER_blocksize EVP_CIPHER_get_blocksize
#endif
#endif
const char* const SECRETS_FILENAME = ".secrets";
namespace
{
CSPasswdLogging* passwdLog = NULL;
boost::mutex m;
} // namespace
CSPasswdLogging::CSPasswdLogging()
{
// TODO: make this configurable
setlogmask(LOG_UPTO(LOG_DEBUG));
openlog("CSPasswd", LOG_PID | LOG_NDELAY | LOG_PERROR | LOG_CONS, LOG_LOCAL1);
}
CSPasswdLogging::~CSPasswdLogging()
{
syslog(LOG_INFO, "CloseLog");
closelog();
}
CSPasswdLogging* CSPasswdLogging::get()
{
if (passwdLog)
return passwdLog;
boost::mutex::scoped_lock s(m);
if (passwdLog)
return passwdLog;
passwdLog = new CSPasswdLogging();
return passwdLog;
}
void CSPasswdLogging::log(int priority, const char* format, ...)
{
va_list args;
va_start(args, format);
#ifdef DEBUG
va_list args2;
va_copy(args2, args);
vfprintf(stderr, format, args2);
fprintf(stderr, "\n");
va_end(args2);
#endif
vsyslog(priority, format, args);
va_end(args);
}
namespace
{
using HexLookupTable = std::array<uint8_t, 256>;
/* used in the bin2hex function */
const char hex_upper[] = "0123456789ABCDEF";
HexLookupTable init_hex_lookup_table() noexcept
{
auto char_val = [](char c) -> uint8_t
{
if (c >= '0' && c <= '9')
{
return c - '0';
}
else if (c >= 'A' && c <= 'F')
{
return c - 'A' + 10;
}
else if (c >= 'a' && c <= 'f')
{
return c - 'a' + 10;
}
else
{
return '\177';
}
};
HexLookupTable rval;
for (size_t i = 0; i < rval.size(); i++)
{
rval[i] = char_val(i);
}
return rval;
}
// Hex char -> byte val lookup table.
const HexLookupTable hex_lookup_table = init_hex_lookup_table();
bool hex2bin(const char* in, unsigned int in_len, uint8_t* out)
{
// Input length must be multiple of two.
if (!in || in_len == 0 || in_len % 2 != 0)
{
return false;
}
const char* in_end = in + in_len;
while (in < in_end)
{
// One byte is formed from two hex chars, with the first char forming the high bits.
uint8_t high_half = hex_lookup_table[*in++];
uint8_t low_half = hex_lookup_table[*in++];
uint8_t total = (high_half << 4) | low_half;
*out++ = total;
}
return true;
}
char* bin2hex(const uint8_t* in, unsigned int len, char* out)
{
const uint8_t* in_end = in + len;
if (len == 0 || in == NULL)
{
return NULL;
}
for (; in != in_end; ++in)
{
*out++ = hex_upper[((uint8_t)*in) >> 4];
*out++ = hex_upper[((uint8_t)*in) & 0x0F];
}
*out = '\0';
return out;
}
struct ThisUnit
{
ByteVec key; /**< Password decryption key, assigned at startup */
ByteVec iv; /**< Decryption init vector, assigned at startup. Only used with old-format keys */
};
ThisUnit this_unit;
enum class ProcessingMode
{
ENCRYPT,
DECRYPT,
DECRYPT_IGNORE_ERRORS
};
const char field_desc[] = "description";
const char field_version[] = "columnstore_version";
const char field_cipher[] = "encryption_cipher";
const char field_key[] = "encryption_key";
const char desc[] = "Columnstore encryption/decryption key";
#define SECRETS_CIPHER EVP_aes_256_cbc
#define STRINGIFY(X) #X
#define STRINGIFY2(X) STRINGIFY(X)
const char CIPHER_NAME[] = STRINGIFY2(SECRETS_CIPHER);
void print_openSSL_errors(const char* operation);
/**
* Encrypt or decrypt the input buffer to output buffer.
*
* @param key Encryption key
* @param mode Encrypting or decrypting
* @param input Input buffer
* @param input_len Input length
* @param output Output buffer
* @param output_len Produced output length is written here
* @return True on success
*/
bool encrypt_or_decrypt(const uint8_t* key, const uint8_t* iv, ProcessingMode mode, const uint8_t* input,
int input_len, uint8_t* output, int* output_len)
{
auto ctx = EVP_CIPHER_CTX_new();
int enc = (mode == ProcessingMode::ENCRYPT) ? AES_ENCRYPT : AES_DECRYPT;
bool ignore_errors = (mode == ProcessingMode::DECRYPT_IGNORE_ERRORS);
bool ok = false;
if (EVP_CipherInit_ex(ctx, secrets_cipher(), nullptr, key, iv, enc) == 1 || ignore_errors)
{
int output_written = 0;
if (EVP_CipherUpdate(ctx, output, &output_written, input, input_len) == 1 || ignore_errors)
{
int total_output_len = output_written;
if (EVP_CipherFinal_ex(ctx, output + total_output_len, &output_written) == 1 || ignore_errors)
{
total_output_len += output_written;
*output_len = total_output_len;
ok = true;
}
}
}
EVP_CIPHER_CTX_free(ctx);
if (!ok)
{
const char* operation =
(mode == ProcessingMode::ENCRYPT) ? "when encrypting password" : "when decrypting password";
print_openSSL_errors(operation);
}
return ok;
}
void print_openSSL_errors(const char* operation)
{
// It's unclear how thread(unsafe) OpenSSL error functions are. Minimize such possibilities by
// using a local buffer.
constexpr size_t bufsize = 256; // Should be enough according to some googling.
char buf[bufsize];
buf[0] = '\0';
auto errornum = ERR_get_error();
auto errornum2 = ERR_get_error();
ERR_error_string_n(errornum, buf, bufsize);
if (errornum2 == 0)
{
// One error.
CSPasswdLogging::get()->log(LOG_ERR, "OpenSSL error %s. %s", operation, buf);
}
else
{
// Multiple errors, print all as separate messages.
CSPasswdLogging::get()->log(LOG_ERR, "Multiple OpenSSL errors %s. Detailed messages below.", operation);
CSPasswdLogging::get()->log(LOG_ERR, "%s", buf);
while (errornum2 != 0)
{
ERR_error_string_n(errornum2, buf, bufsize);
CSPasswdLogging::get()->log(LOG_ERR, "%s", buf);
errornum2 = ERR_get_error();
}
}
}
} // namespace
const EVP_CIPHER* secrets_cipher()
{
return SECRETS_CIPHER();
}
int secrets_keylen()
{
return EVP_CIPHER_key_length(secrets_cipher());
}
int secrets_ivlen()
{
return EVP_CIPHER_iv_length(secrets_cipher());
}
/**
* Reads binary or text data from file and extracts the encryption key and, if old key format is used,
* the init vector. The source file needs to have expected permissions. If the source file does not exist,
* returns empty results.
*
* @param filepath Path to key file.
* @return Result structure. Ok if file was loaded successfully or if file did not exist. False on error.
*/
ReadKeyResult secrets_readkeys(const string& filepath)
{
ReadKeyResult rval;
auto filepathc = filepath.c_str();
const int binary_key_len = secrets_keylen();
const int binary_iv_len = secrets_ivlen();
const int binary_total_len = binary_key_len + binary_iv_len;
// Before opening the file, check its size and permissions.
struct stat filestats;
bool stat_error = false;
bool old_format = false;
errno = 0;
if (stat(filepathc, &filestats) == 0)
{
auto filesize = filestats.st_size;
if (filesize == binary_total_len)
{
old_format = true;
CSPasswdLogging::get()->log(
LOG_WARNING,
"File format of '%s' is deprecated. Please generate a new encryption key ('maxkeys') "
"and re-encrypt passwords ('maxpasswd').",
filepathc);
}
auto filemode = filestats.st_mode;
if (!S_ISREG(filemode))
{
CSPasswdLogging::get()->log(LOG_ERR, "Secrets file '%s' is not a regular file.", filepathc);
stat_error = true;
}
else if ((filemode & (S_IRWXU | S_IRWXG | S_IRWXO)) != S_IRUSR)
{
CSPasswdLogging::get()->log(
LOG_ERR,
"Secrets file '%s' permissions are wrong. The only permission on the file should be "
"owner:read.",
filepathc);
stat_error = true;
}
}
else if (errno == ENOENT)
{
// The file does not exist. This is ok. Return empty result.
rval.ok = true;
return rval;
}
else
{
CSPasswdLogging::get()->log(LOG_ERR, "stat() for secrets file '%s' failed. Error %d, %s.", filepathc,
errno, strerror(errno));
stat_error = true;
}
if (stat_error)
{
return rval;
}
if (old_format)
{
errno = 0;
std::ifstream file(filepath, std::ios_base::binary);
if (file.is_open())
{
// Read all data from file.
utils::VLArray<char> readbuf(binary_total_len);
// char readbuf[binary_total_len];
file.read(readbuf.data(), binary_total_len);
if (file.good())
{
// Success, copy contents to key structure.
rval.key.assign(readbuf.data(), readbuf.data() + binary_key_len);
rval.iv.assign(readbuf.data() + binary_key_len, readbuf.data() + binary_total_len);
rval.ok = true;
}
else
{
CSPasswdLogging::get()->log(
LOG_ERR, "Read from secrets file %s failed. Read %li, expected %i bytes. Error %d, %s.",
filepathc, file.gcount(), binary_total_len, errno, strerror(errno));
}
}
else
{
CSPasswdLogging::get()->log(LOG_ERR, "Could not open secrets file '%s'. Error %d, %s.", filepathc,
errno, strerror(errno));
}
}
else
{
// File contents should be json.
// json_error_t err;
nlohmann::json jsontree;
try
{
std::ifstream i(filepath);
jsontree = nlohmann::json::parse(i);
}
catch (const nlohmann::json::exception& je)
{
std::cout << "Error reading JSON from secrets file: " << filepath << std::endl;
std::cout << je.what() << std::endl;
}
catch (...)
{
printf("Error reading JSON from secrets file '%s' failed. Error %d, %s.\n", filepathc, errno,
strerror(errno));
}
// json_t* obj = json_load_file(filepathc, 0, &err);
string enc_cipher = jsontree[field_cipher];
string enc_key = jsontree[field_key];
// const char* enc_cipher = json_string_value(json_object_get(obj, field_cipher));
// const char* enc_key = json_string_value(json_object_get(obj, field_key));
bool cipher_ok = !enc_cipher.empty() && (enc_cipher == CIPHER_NAME);
if (cipher_ok && !enc_key.empty())
{
int read_hex_key_len = enc_key.length();
int expected_hex_key_len = 2 * binary_key_len;
if (read_hex_key_len == expected_hex_key_len)
{
rval.key.resize(binary_key_len);
hex2bin(enc_key.c_str(), read_hex_key_len, rval.key.data());
rval.ok = true;
}
else
{
CSPasswdLogging::get()->log(
LOG_ERR, "Wrong encryption key length in secrets file '%s': found %i, expected %i.", filepathc,
read_hex_key_len, expected_hex_key_len);
}
}
else
{
CSPasswdLogging::get()->log(LOG_ERR,
"Secrets file '%s' does not contain expected string fields '%s' and '%s', "
"or '%s' is not '%s'.",
filepathc, field_cipher, field_key, field_cipher, CIPHER_NAME);
}
jsontree.clear();
}
return rval;
}
string decrypt_password(const string& input)
{
const auto& key = this_unit.key;
string rval;
if (key.empty())
{
// Password encryption is not used, return original.
rval = input;
}
else
{
// If the input is not a HEX string, return the input as is.
auto is_hex = std::all_of(input.begin(), input.end(), isxdigit);
if (is_hex)
{
const auto& iv = this_unit.iv;
rval = iv.empty() ? ::decrypt_password(key, input) : decrypt_password_old(key, iv, input);
}
else
{
rval = input;
}
}
return rval;
}
/**
* Decrypt passwords encrypted with an old (pre 2.5) .secrets-file. The decryption also depends on whether
* the password was encrypted using maxpasswd 2.4 or 2.5.
*
* @param key Encryption key
* @param iv Init vector
* @param input Encrypted password in hex form
* @return Decrypted password or empty on error
*/
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
string decrypt_password_old(const ByteVec& key, const ByteVec& iv, const std::string& input)
{
string rval;
// Convert to binary.
size_t hex_len = input.length();
auto bin_len = hex_len / 2;
utils::VLArray<unsigned char> encrypted_bin(bin_len);
hex2bin(input.c_str(), hex_len, encrypted_bin.data());
utils::VLArray<unsigned char> plain(bin_len);
int decrypted_len = 0;
if (encrypt_or_decrypt(key.data(), iv.data(), ProcessingMode::DECRYPT_IGNORE_ERRORS, encrypted_bin.data(),
bin_len, plain.data(), &decrypted_len))
{
if (decrypted_len > 0)
{
// Success, password was encrypted using 2.5. Decrypted data should be text.
auto output_data = reinterpret_cast<const char*>(plain.data());
rval.assign(output_data, decrypted_len);
}
else
{
// Failure, password was likely encrypted in 2.4. Try to decrypt using 2.4 code.
AES_KEY aeskey;
AES_set_decrypt_key(key.data(), 8 * key.size(), &aeskey);
auto iv_copy = iv;
memset(plain.data(), '\0', bin_len);
AES_cbc_encrypt(encrypted_bin.data(), plain.data(), bin_len, &aeskey, iv_copy.data(), AES_DECRYPT);
rval = reinterpret_cast<const char*>(plain.data());
}
}
return rval;
}
#pragma GCC diagnostic pop
string decrypt_password(const ByteVec& key, const std::string& input)
{
int total_hex_len = input.length();
string rval;
// Extract IV.
auto ptr = input.data();
int iv_bin_len = secrets_ivlen();
int iv_hex_len = 2 * iv_bin_len;
utils::VLArray<uint8_t> iv_bin(iv_bin_len);
if (total_hex_len >= iv_hex_len)
{
hex2bin(ptr, iv_hex_len, iv_bin.data());
int encrypted_hex_len = total_hex_len - iv_hex_len;
int encrypted_bin_len = encrypted_hex_len / 2;
utils::VLArray<unsigned char> encrypted_bin(encrypted_bin_len);
hex2bin(ptr + iv_hex_len, encrypted_hex_len, encrypted_bin.data());
utils::VLArray<uint8_t> decrypted(
encrypted_bin_len); // Decryption output cannot be longer than input data.
int decrypted_len = 0;
if (encrypt_or_decrypt(key.data(), iv_bin.data(), ProcessingMode::DECRYPT, encrypted_bin.data(),
encrypted_bin_len, decrypted.data(), &decrypted_len))
{
// Decrypted data should be text.
auto output_data = reinterpret_cast<const char*>(decrypted.data());
rval.assign(output_data, decrypted_len);
}
}
return rval;
}
/**
* Encrypt a password that can be stored in the Columnstore configuration file.
*
* @param key Encryption key and init vector
* @param input The plaintext password to encrypt.
* @return The encrypted password, or empty on failure.
*/
string encrypt_password_old(const ByteVec& key, const ByteVec& iv, const string& input)
{
string rval;
// Output can be a block length longer than input.
auto input_len = input.length();
utils::VLArray<unsigned char> encrypted_bin(input_len + AES_BLOCK_SIZE);
// Although input is text, interpret as binary.
auto input_data = reinterpret_cast<const uint8_t*>(input.c_str());
int encrypted_len = 0;
if (encrypt_or_decrypt(key.data(), iv.data(), ProcessingMode::ENCRYPT, input_data, input_len,
encrypted_bin.data(), &encrypted_len))
{
int hex_len = 2 * encrypted_len;
utils::VLArray<char> hex_output(hex_len + 1);
bin2hex(encrypted_bin.data(), encrypted_len, hex_output.data());
rval.assign(hex_output.data(), hex_len);
}
return rval;
}
string encrypt_password(const ByteVec& key, const string& input)
{
string rval;
// Generate random IV.
auto ivlen = secrets_ivlen();
utils::VLArray<unsigned char> iv_bin(ivlen);
if (RAND_bytes(iv_bin.data(), ivlen) != 1)
{
printf("OpenSSL RAND_bytes() failed. %s.\n", ERR_error_string(ERR_get_error(), nullptr));
return rval;
}
// Output can be a block length longer than input.
auto input_len = input.length();
utils::VLArray<unsigned char> encrypted_bin(input_len + EVP_CIPHER_block_size(secrets_cipher()));
// Although input is text, interpret as binary.
auto input_data = reinterpret_cast<const uint8_t*>(input.c_str());
int encrypted_len = 0;
if (encrypt_or_decrypt(key.data(), iv_bin.data(), ProcessingMode::ENCRYPT, input_data, input_len,
encrypted_bin.data(), &encrypted_len))
{
// Form one string with IV in front.
int iv_hex_len = 2 * ivlen;
int encrypted_hex_len = 2 * encrypted_len;
int total_hex_len = iv_hex_len + encrypted_hex_len;
utils::VLArray<char> hex_output(total_hex_len + 1);
bin2hex(iv_bin.data(), ivlen, hex_output.data());
bin2hex(encrypted_bin.data(), encrypted_len, hex_output.data() + iv_hex_len);
rval.assign(hex_output.data(), total_hex_len);
}
return rval;
}
bool load_encryption_keys()
{
if (this_unit.key.empty() || this_unit.iv.empty())
{
string path(MCSDATADIR);
path.append("/").append(SECRETS_FILENAME);
auto ret = secrets_readkeys(path);
if (ret.ok)
{
if (!ret.key.empty())
{
this_unit.key = ret.key;
this_unit.iv = ret.iv;
}
return ret.ok;
}
}
return true;
}
/**
* Write encryption key to JSON-file. Also sets file permissions and owner.
*
* @param key Encryption key in binary form
* @param filepath The full path to the file to write to
* @param owner The final owner of the file. Changing the owner does not always succeed.
* @return True on total success. Even if false is returned, the file may have been written.
*/
bool secrets_write_keys(const ByteVec& key, const string& filepath, const string& owner)
{
auto keylen = key.size();
utils::VLArray<char> key_hex(2 * keylen + 1);
bin2hex(key.data(), keylen, key_hex.data());
nlohmann::json jsontree;
jsontree[field_desc] = desc;
jsontree[field_version] = columnstore_version;
jsontree[field_cipher] = CIPHER_NAME;
jsontree[field_key] = (const char*)key_hex.data();
auto filepathc = filepath.c_str();
bool write_ok = false;
errno = 0;
try
{
std::ofstream o(filepath);
o << jsontree;
}
catch (const nlohmann::json::exception& je)
{
std::cout << "Write to secrets file: " << filepath << std::endl;
std::cout << je.what() << std::endl;
}
catch (...)
{
printf("Write to secrets file '%s' failed. Error %d, %s.\n", filepathc, errno, strerror(errno));
}
write_ok = true;
jsontree.clear();
bool rval = false;
if (write_ok)
{
// Change file permissions to prevent modifications.
errno = 0;
if (chmod(filepathc, S_IRUSR) == 0)
{
printf("Permissions of '%s' set to owner:read.\n", filepathc);
auto ownerz = owner.c_str();
auto userinfo = getpwnam(ownerz);
if (userinfo)
{
if (chown(filepathc, userinfo->pw_uid, userinfo->pw_gid) == 0)
{
printf("Ownership of '%s' given to %s.\n", filepathc, ownerz);
rval = true;
}
else
{
printf("Failed to give '%s' ownership of '%s': %d, %s.\n", ownerz, filepathc, errno,
strerror(errno));
}
}
else
{
printf("Could not find user '%s' when attempting to change ownership of '%s': %d, %s.\n", ownerz,
filepathc, errno, strerror(errno));
}
}
else
{
printf("Failed to change the permissions of the secrets file '%s'. Error %d, %s.\n", filepathc, errno,
strerror(errno));
}
}
return rval;
}
View Git Blame Copy Permalink