diff --git a/src/entry/Maat_api.cpp b/src/entry/Maat_api.cpp index 75b6082..7f0a637 100644 --- a/src/entry/Maat_api.cpp +++ b/src/entry/Maat_api.cpp @@ -513,18 +513,18 @@ int load_maat_json_file(_Maat_feather_t* feather, const char* maat_json_fn, char int ret=0; struct stat fstat_buf; char* json_buff=NULL; - + size_t buff_sz=0; MESA_handle_runtime_log(feather->logger, RLOG_LV_INFO, maat_module , "Maat initial with JSON file %s, formating..", maat_json_fn); if(strlen(feather->decrypt_key)&&strlen(feather->decrypt_algo)) { - ret=decrypt_open(maat_json_fn, feather->decrypt_key, feather->decrypt_algo, (unsigned char**)&json_buff, err_str, err_str_sz); + ret=decrypt_open(maat_json_fn, feather->decrypt_key, feather->decrypt_algo, (unsigned char**)&json_buff, &buff_sz, err_str, err_str_sz); } if(json_buff==NULL)//decryption failed or no decryption. { - ret=load_file_to_memory(maat_json_fn, &json_buff); + ret=load_file_to_memory(maat_json_fn, (unsigned char**)&json_buff, &buff_sz); } ret=json2iris(json_buff, maat_json_fn, @@ -532,6 +532,8 @@ int load_maat_json_file(_Maat_feather_t* feather, const char* maat_json_fn, char NULL, feather->json_ctx.iris_file, sizeof(feather->json_ctx.iris_file), + strlen(feather->decrypt_key)?feather->decrypt_key:NULL, + strlen(feather->decrypt_algo)?feather->decrypt_algo:NULL, feather->logger); free(json_buff); json_buff=NULL; diff --git a/src/entry/Maat_utils.cpp b/src/entry/Maat_utils.cpp index 58da1a8..8462ba7 100644 --- a/src/entry/Maat_utils.cpp +++ b/src/entry/Maat_utils.cpp @@ -173,7 +173,7 @@ size_t memcat(void**dest, size_t offset, size_t *n_dest, const void* src, size_t *n_dest=(offset+n_src)*2; *dest=realloc(*dest, sizeof(char)*(*n_dest)); } - memcpy(*dest+offset, src, n_src); + memcpy((char*)*dest+offset, src, n_src); return n_src; } @@ -212,16 +212,21 @@ int system_cmd_mkdir(const char* path) int system_cmd_mv(const char* src_file,const char*dst_file) { char cmd[MAX_SYSTEM_CMD_LEN] = { 0 }; - snprintf(cmd,sizeof(cmd), "mv %s %s", src_file, dst_file); + snprintf(cmd, sizeof(cmd), "mv %s %s", src_file, dst_file); return system(cmd); } int system_cmd_cp(const char* src_file,const char*dst_file) { char cmd[MAX_SYSTEM_CMD_LEN] = { 0 }; - snprintf(cmd,sizeof(cmd), "cp -f %s %s", src_file, dst_file); + snprintf(cmd, sizeof(cmd), "cp -f %s %s", src_file, dst_file); + return system(cmd); +} +int system_cmd_encrypt(const char* src_file, const char* dst_file, const char* password) +{ + char cmd[MAX_SYSTEM_CMD_LEN] = { 0 }; + snprintf(cmd,sizeof(cmd), "openssl enc -e -aes-256-cbc -k %s -p -nosalt -in %s -out %s", password, src_file, dst_file); return system(cmd); } - int system_cmd_rm(const char* src_file) { char cmd[MAX_SYSTEM_CMD_LEN] = { 0 }; @@ -270,13 +275,11 @@ int lqueue_destroy_cb(void *data, long data_len, void *arg) assert(0); return 0; } -#define DECRYPT_BLOCK_SIZE (16*1024) -int decrypt_open(const char* filename, const char* key, const char* algorithm, unsigned char**pp_out, char* err_str, size_t err_str_sz) -{ - unsigned char inbuf[DECRYPT_BLOCK_SIZE]; - int inlen, out_blk_len=0; - int out_buff_len=0,buff_offset=0; +int crypt_memory(const unsigned char* inbuf, size_t inlen, unsigned char** pp_out, size_t *out_sz, const char* key, const char* algorithm, int do_encrypt, char* err_str, size_t err_str_sz) +{ + int ret=0, out_blk_len=0; + int out_buff_len=0, out_buff_offset=0; EVP_CIPHER_CTX *ctx; unsigned char cipher_key[EVP_MAX_KEY_LENGTH]; @@ -287,19 +290,12 @@ int decrypt_open(const char* filename, const char* key, const char* algorithm, u const EVP_CIPHER *cipher; const EVP_MD *dgst=NULL; const unsigned char *salt=NULL; - int ret=0; - - FILE*in=fopen(filename, "r"); - if(in==NULL) - { - return -1; - } OpenSSL_add_all_algorithms(); cipher=EVP_get_cipherbyname(algorithm); if(cipher==NULL) { - snprintf(err_str, err_str_sz, "Cipher %s is not supported.",algorithm); + snprintf(err_str, err_str_sz, "Cipher %s is not supported.", algorithm); return 0; } dgst=EVP_get_digestbyname("md5"); @@ -316,52 +312,39 @@ int decrypt_open(const char* filename, const char* key, const char* algorithm, u } /* Don't set key or IV right away; we want to check lengths */ ctx = EVP_CIPHER_CTX_new(); - EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL,0); + EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, do_encrypt); OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) % 16==0); OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16); /* Now we can set key and IV */ - EVP_CipherInit_ex(ctx, NULL, NULL, cipher_key, cipher_iv, 0); - out_buff_len=DECRYPT_BLOCK_SIZE; + //It should be set to 1 for encryption, 0 for decryption and -1 to leave the value unchanged (the actual value of 'enc' being supplied in a previous call). + EVP_CipherInit_ex(ctx, NULL, NULL, cipher_key, cipher_iv, -1); + out_buff_len=inlen+EVP_CIPHER_block_size(cipher)-1; *pp_out=(unsigned char*)malloc(out_buff_len*sizeof(unsigned char)); - for (;;) + if (!EVP_CipherUpdate(ctx, *pp_out+out_buff_offset, &out_blk_len, inbuf, inlen)) { - inlen = fread(inbuf, 1, sizeof(inbuf), in); - if (inlen <= 0) - break; - - if(out_buff_len-buff_offsetencryp_algorithm)>0) { @@ -294,20 +294,20 @@ int cm_read_table_file(struct cm_table_info_t* index, MESA_handle_runtime_log(logger,RLOG_LV_FATAL,module_config_monitor,"update error, no key to decrypt %s.",index->cfg_path); return -1; } - file_sz=decrypt_open(index->cfg_path, key, index->encryp_algorithm, (unsigned char**)&table_file_buff, error_string, sizeof(error_string)); - if(file_sz==0) + ret=decrypt_open(index->cfg_path, key, index->encryp_algorithm, (unsigned char**)&table_file_buff, &file_sz, error_string, sizeof(error_string)); + if(ret<0) { - MESA_handle_runtime_log(logger, RLOG_LV_FATAL, module_config_monitor, "update error, %s decrypt failed: %s", + MESA_handle_runtime_log(logger, RLOG_LV_FATAL, module_config_monitor, "update error, decrypt %s failed: %s", index->cfg_path, error_string); return -1; } } else { - file_sz=load_file_to_memory(index->cfg_path, &table_file_buff); - if(file_sz==0) + ret=load_file_to_memory(index->cfg_path, (unsigned char**)&table_file_buff, &file_sz); + if(ret<0) { - MESA_handle_runtime_log(logger, RLOG_LV_FATAL, module_config_monitor, "update error, %s decrypt failed: %s", + MESA_handle_runtime_log(logger, RLOG_LV_FATAL, module_config_monitor, "update error, open %s failed: %s", index->cfg_path, error_string); return -1; } diff --git a/src/entry/json2iris.cpp b/src/entry/json2iris.cpp index 60ff5e4..31943f3 100644 --- a/src/entry/json2iris.cpp +++ b/src/entry/json2iris.cpp @@ -51,6 +51,9 @@ struct iris_description_t MESA_htable_handle iris_table_map; MESA_htable_handle str2int_map; redisContext *redis_write_ctx; + char* encrypt_key; + char* encrypt_algo; + FILE* idx_fp; }; struct traslate_command_t { @@ -119,7 +122,7 @@ static int get_region_seq(struct iris_description_t* iris_cfg) return sequence; } -int set_iris_descriptor(const char* json_file,cJSON *json,const char*compile_tn,const char* group_tn, redisContext *redis_write_ctx, struct iris_description_t *iris_cfg, void * logger) +int set_iris_descriptor(const char* json_file,cJSON *json, const char* encrypt_key, const char* encrypt_algo, const char*compile_tn,const char* group_tn, redisContext *redis_write_ctx, struct iris_description_t *iris_cfg, void * logger) { memset(iris_cfg,0,sizeof(struct iris_description_t)); snprintf(iris_cfg->tmp_iris_dir,sizeof(iris_cfg->tmp_iris_dir),"%s_iris_tmp",json_file); @@ -186,6 +189,12 @@ int set_iris_descriptor(const char* json_file,cJSON *json,const char*compile_tn, iris_cfg->compile_table=query_table_info(iris_cfg, compile_tn, TABLE_TYPE_COMPILE); iris_cfg->group_table=query_table_info(iris_cfg, group_tn, TABLE_TYPE_GROUP); + + if(encrypt_key && encrypt_algo) + { + iris_cfg->encrypt_key=_maat_strdup(encrypt_key); + iris_cfg->encrypt_algo=_maat_strdup(encrypt_algo); + } return 0; } @@ -200,6 +209,8 @@ void clear_iris_descriptor(struct iris_description_t *iris_cfg) MESA_htable_destroy(iris_cfg->iris_table_map, NULL); } map_destroy(iris_cfg->str2int_map); + free(iris_cfg->encrypt_algo); + free(iris_cfg->encrypt_key); return; } int create_tmp_dir(struct iris_description_t *p) @@ -862,29 +873,50 @@ int write_group_line(int group_id, int parent_id, int group_not_flag, int parent } void table_idx_write_cb(const uchar * key, uint size, void * data, void * user) { - FILE* fp=NULL; + struct iris_description_t *p_iris=(struct iris_description_t *)user; struct iris_table_t* table=(struct iris_table_t*)data; - fp=fopen(table->table_path, "w"); - fprintf(fp,"%d\n", table->line_count); - fwrite(table->buff, table->write_pos, 1, fp); - fclose(fp); - - fp=(FILE*)user; - fprintf(fp,"%s\t%d\t%s\n", table->table_name, table->line_count, table->table_path); + FILE* table_fp=NULL; + char line_cnt_str[32], err_str[256]; + snprintf(line_cnt_str, sizeof(line_cnt_str), "%010d\n", table->line_count); + int ret=0; + size_t table_file_sz=strlen(line_cnt_str)+table->write_pos; + unsigned char* buff=ALLOC(unsigned char, table_file_sz); + unsigned char* encrypt_buff=NULL; + size_t encrypt_buff_sz=0; + memcpy(buff, line_cnt_str, strlen(line_cnt_str)); + memcpy(buff+strlen(line_cnt_str), table->buff, table->write_pos); + table_fp=fopen(table->table_path, "w"); + if(p_iris->encrypt_key) + { + ret=crypt_memory(buff, table_file_sz, &encrypt_buff, &encrypt_buff_sz, p_iris->encrypt_key, p_iris->encrypt_algo, 1, err_str, sizeof(err_str)); + assert(ret==0); + fwrite(encrypt_buff, encrypt_buff_sz, 1, table_fp); + fprintf(p_iris->idx_fp,"%s\t%d\t%s\t%s\n", table->table_name, table->line_count, table->table_path, p_iris->encrypt_algo); + } + else + { + fwrite(buff, table_file_sz, 1, table_fp); + fprintf(p_iris->idx_fp,"%s\t%d\t%s\n", table->table_name, table->line_count, table->table_path); + } + fclose(table_fp); + free(buff); + buff=NULL; + + } int write_index_file(struct iris_description_t *p_iris,void* logger) { - FILE*fp=NULL; - fp=fopen(p_iris->index_path,"w"); - if(fp==NULL) + p_iris->idx_fp=fopen(p_iris->index_path,"w"); + if(p_iris->idx_fp==NULL) { MESA_handle_runtime_log(logger,RLOG_LV_FATAL,maat_json, - "index file %s fopen error %s.",p_iris->index_path,strerror(errno)); + "index file %s fopen error %s.",p_iris->index_path, strerror(errno)); return -1; } - MESA_htable_iterate(p_iris->iris_table_map, table_idx_write_cb, fp); - fclose(fp); + MESA_htable_iterate(p_iris->iris_table_map, table_idx_write_cb, p_iris); + fclose(p_iris->idx_fp); + p_iris->idx_fp=NULL; return 0; } int write_group_rule(cJSON *group_json, int parent_id, int parent_type, int tracking_compile_id, struct iris_description_t *p_iris, void* logger) @@ -1053,31 +1085,30 @@ int write_iris(cJSON *json, struct iris_description_t *p_iris, void* logger) return 0; } // redis_write_ctx is used by maat_redis_tool to write json to redis. -int json2iris(const char* json_buff, const char* json_filename, const char*compile_tn, const char* group_tn, redisContext *redis_write_ctx, char* iris_dir_buf, int buf_len, void* logger) +int json2iris(const char* json_buff, const char* json_filename, const char*compile_tn, const char* group_tn, redisContext *redis_write_ctx, char* iris_dir_buf, int buf_len, char* encrypt_key, char* encrypt_algo, void* logger) { cJSON *json=NULL, *tmp_obj=NULL; int ret=-1; struct iris_description_t iris_cfg; - memset(&iris_cfg,0,sizeof(iris_cfg)); - + memset(&iris_cfg, 0, sizeof(iris_cfg)); json=cJSON_Parse(json_buff); if (!json) { MESA_handle_runtime_log(logger,RLOG_LV_FATAL,maat_json,"Error before: %-200.200s",cJSON_GetErrorPtr()); goto error_out; } - tmp_obj=cJSON_GetObjectItem(json,"compile_table"); + tmp_obj=cJSON_GetObjectItem(json, "compile_table"); if(tmp_obj) { compile_tn=tmp_obj->valuestring; } - tmp_obj=cJSON_GetObjectItem(json,"group_table"); + tmp_obj=cJSON_GetObjectItem(json, "group_table"); if(tmp_obj) { group_tn=tmp_obj->valuestring; } - ret=set_iris_descriptor(json_filename, json, compile_tn, group_tn, redis_write_ctx, &iris_cfg, logger); + ret=set_iris_descriptor(json_filename, json, encrypt_key, encrypt_algo, compile_tn, group_tn, redis_write_ctx, &iris_cfg, logger); if(ret<0) { goto error_out; @@ -1086,15 +1117,15 @@ int json2iris(const char* json_buff, const char* json_filename, const char*compi if(ret<0) { MESA_handle_runtime_log(logger, RLOG_LV_FATAL, maat_json, - "create tmp folder %s error",iris_cfg.tmp_iris_dir); + "create tmp folder %s error", iris_cfg.tmp_iris_dir); goto error_out; } - ret=write_iris(json ,&iris_cfg, logger); + ret=write_iris(json, &iris_cfg, logger); if(ret<0) { goto error_out; } - memcpy(iris_dir_buf,iris_cfg.tmp_iris_index_dir, MIN(strlen(iris_cfg.tmp_iris_index_dir)+1, (unsigned int)buf_len)); + memcpy(iris_dir_buf, iris_cfg.tmp_iris_index_dir, MIN(strlen(iris_cfg.tmp_iris_index_dir)+1, (unsigned int)buf_len)); cJSON_Delete(json); clear_iris_descriptor(&iris_cfg); diff --git a/src/inc_internal/Maat_utils.h b/src/inc_internal/Maat_utils.h index faf5a67..ac4054b 100644 --- a/src/inc_internal/Maat_utils.h +++ b/src/inc_internal/Maat_utils.h @@ -69,14 +69,18 @@ size_t memcat(void**dest, size_t offset, size_t *n_dest, const void* src, size_t pid_t gettid(void); int system_cmd_mkdir(const char* path); int system_cmd_rm(const char* src_file); -int system_cmd_mv(const char* src_file,const char*dst_file); -int system_cmd_cp(const char* src_file,const char*dst_file); +int system_cmd_mv(const char* src_file, const char*dst_file); +int system_cmd_cp(const char* src_file, const char*dst_file); +int system_cmd_encrypt(const char* src_file, const char* dst_file, const char* password); + char* md5_file(const char* filename, char* md5string); int get_column_pos(const char* line, int column_seq, size_t *offset, size_t *len); const char** charset_get_all_name(void); const char* charset_get_name(enum MAAT_CHARSET charset); int lqueue_destroy_cb(void *data, long data_len, void *arg); -int decrypt_open(const char* filename, const char* key, const char* algorithm, unsigned char**pp_out, char* err_str, size_t err_str_sz); -int load_file_to_memory(const char* file_name, char**pp_out); +int decrypt_open(const char* file_name, const char* key, const char* algorithm, unsigned char**pp_out, size_t *out_sz, char* err_str, size_t err_str_sz); +int load_file_to_memory(const char* file_name, unsigned char**pp_out, size_t *out_sz); +//do_encrypt: 1 for encryption, 0 for decryption. +int crypt_memory(const unsigned char* inbuf, size_t inlen, unsigned char** pp_out, size_t *out_sz, const char* key, const char* algorithm, int do_encrypt, char* err_str, size_t err_str_sz); diff --git a/src/inc_internal/json2iris.h b/src/inc_internal/json2iris.h index ab8e5c6..247a191 100644 --- a/src/inc_internal/json2iris.h +++ b/src/inc_internal/json2iris.h @@ -1,6 +1,6 @@ #ifndef H_MAAT_JSON2IRIS_H_INCLUDE #define H_MAAT_JSON2IRIS_H_INCLUDE -int json2iris(const char* json_buff, const char* json_filename, const char*compile_tn, const char* group_tn, redisContext *redis_write_ctx, char* iris_dir_buf, int buf_len, void* logger); +int json2iris(const char* json_buff, const char* json_filename, const char*compile_tn, const char* group_tn, redisContext *redis_write_ctx, char* iris_dir_buf, int buf_len, char* encrypt_key, char* encrypt_algo, void* logger); int set_file_rulenum(const char* path, int rulenum, void* logger); #endif diff --git a/test/test_maatframe.cpp b/test/test_maatframe.cpp index afe4316..bc4b7d0 100644 --- a/test/test_maatframe.cpp +++ b/test/test_maatframe.cpp @@ -32,6 +32,7 @@ extern int my_scandir(const char *dir, struct dirent ***namelist, int(*compar)(const void *, const void *)); extern char* md5_file(const char* filename, char* md5string); extern int system_cmd_cp(const char* src_file,const char*dst_file); +extern int system_cmd_encrypt(const char* src_file, const char* dst_file, const char* password); Maat_feather_t g_feather=NULL; void *g_logger=NULL; int g_iThreadNum=4; @@ -105,6 +106,7 @@ const char* watched_json="./json_update/maat.json"; const char* old_json="./json_update/old.json"; const char* new_json="./json_update/new.json"; const char* corrupted_json="./json_update/corrupted.json"; +const char* json_decrypt_key="himaat!"; class JSONUpdate : public testing::Test { @@ -112,10 +114,11 @@ class JSONUpdate : public testing::Test protected: static void SetUpTestCase() { - const char* decrypt_key="himaat!"; - system_cmd_cp(old_json, watched_json); + + system_cmd_encrypt(old_json, watched_json, json_decrypt_key); + _shared_feather_j=Maat_feather(g_iThreadNum, table_info_path, g_logger); - // Maat_set_feather_opt(_shared_feather_j, MAAT_OPT_DECRYPT_KEY, decrypt_key, strlen(decrypt_key)+1); + Maat_set_feather_opt(_shared_feather_j, MAAT_OPT_DECRYPT_KEY, json_decrypt_key, strlen(json_decrypt_key)+1); Maat_set_feather_opt(_shared_feather_j, MAAT_OPT_JSON_FILE_PATH, watched_json, strlen(watched_json)+1); Maat_set_feather_opt(_shared_feather_j, MAAT_OPT_SCANDIR_INTERVAL_MS, &scan_interval_ms, sizeof(scan_interval_ms)); @@ -139,10 +142,11 @@ TEST_F(JSONUpdate, OldCfg) } TEST_F(JSONUpdate, NewCfg) { - system_cmd_cp(corrupted_json, watched_json); + system_cmd_encrypt(corrupted_json, watched_json, json_decrypt_key); sleep(2); scan_with_old_or_new_cfg(JSONUpdate::_shared_feather_j, 1); - system_cmd_cp(new_json, watched_json); + + system_cmd_encrypt(new_json, watched_json, json_decrypt_key); sleep(5); scan_with_old_or_new_cfg(JSONUpdate::_shared_feather_j, 0); } diff --git a/tools/maat_redis_tool.cpp b/tools/maat_redis_tool.cpp index 584ab3e..41fe97e 100644 --- a/tools/maat_redis_tool.cpp +++ b/tools/maat_redis_tool.cpp @@ -239,7 +239,7 @@ int main(int argc, char * argv[]) unsigned long json_file_size=0,read_size=0; long long desired_version=0; char* json_buff=NULL; - + size_t json_buff_sz=0; while((oc=getopt(argc,argv,"h:p:n:d:v:f:j:t:"))!=-1) { switch(oc) @@ -327,12 +327,12 @@ int main(int argc, char * argv[]) } else if(model==WORK_MODE_JSON) { - ret=load_file_to_memory(json_file, &json_buff); + ret=load_file_to_memory(json_file, (unsigned char**)&json_buff, &json_buff_sz); if(ret<0) { printf("open %s failed.\n", json_file); } - ret=json2iris(json_buff, json_file, NULL, NULL, ctx, tmp_iris_path, sizeof(tmp_iris_path), NULL); + ret=json2iris(json_buff, json_file, NULL, NULL, ctx, tmp_iris_path, sizeof(tmp_iris_path), NULL, NULL, NULL); if(ret<0) { printf("Invalid json format.\n");