dnsdist: Add DISABLE_HASHED_CREDENTIALS
authorRemi Gacogne <remi.gacogne@powerdns.com>
Fri, 21 Jan 2022 15:12:56 +0000 (16:12 +0100)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Thu, 7 Apr 2022 14:44:28 +0000 (16:44 +0200)
pdns/credentials.cc
pdns/dnsdistdist/docs/install.rst
pdns/test-credentials_cc.cc

index 3a7534f75705c657a5655cf1bd1bb416ef52bfb2..108822843bd289d6f9064bf248555952812fe60d 100644 (file)
@@ -28,7 +28,7 @@
 #include <sodium.h>
 #endif
 
-#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
+#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT)
 #include <openssl/evp.h>
 #include <openssl/kdf.h>
 #include <openssl/opensslv.h>
@@ -43,7 +43,7 @@
 #include "credentials.hh"
 #include "misc.hh"
 
-#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
+#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT)
 static size_t const pwhash_max_size = 128U; /* maximum size of the output */
 static size_t const pwhash_output_size = 32U; /* size of the hashed output (before base64 encoding) */
 static unsigned int const pwhash_salt_size = 16U; /* size of the salt (before base64 encoding */
@@ -96,7 +96,7 @@ void SensitiveData::clear()
 
 static std::string hashPasswordInternal(const std::string& password, const std::string& salt, uint64_t workFactor, uint64_t parallelFactor, uint64_t blockSize)
 {
-#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
+#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT)
   auto pctx = std::unique_ptr<EVP_PKEY_CTX, void (*)(EVP_PKEY_CTX*)>(EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, nullptr), EVP_PKEY_CTX_free);
   if (!pctx) {
     throw std::runtime_error("Error getting a scrypt context to hash the supplied password");
@@ -148,7 +148,7 @@ static std::string hashPasswordInternal(const std::string& password, const std::
 
 static std::string generateRandomSalt()
 {
-#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
+#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT)
   /* generate a random salt */
   std::string salt;
   salt.resize(pwhash_salt_size);
@@ -165,7 +165,11 @@ static std::string generateRandomSalt()
 
 std::string hashPassword(const std::string& password, uint64_t workFactor, uint64_t parallelFactor, uint64_t blockSize)
 {
-#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
+#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT)
+  if (workFactor == 0) {
+    throw std::runtime_error("Invalid work factor of " + std::to_string(workFactor) + " passed to hashPassword()");
+  }
+
   std::string result;
   result.reserve(pwhash_max_size);
 
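Review bot: The new guard at the top of `hashPassword()` rejects only `workFactor == 0`, while scrypt (RFC 7914) requires N to be a power of two larger than 1, and a zero `parallelFactor` or `blockSize` is just as invalid. Whether the rest of the function or `hashPasswordInternal()` catches those cases cannot be seen here, because the body continues outside the hunk. Validating them at this point would give callers a clear error instead of a generic failure from the OpenSSL calls. Consider `if (workFactor < 2 || (workFactor & (workFactor - 1)) != 0 || parallelFactor == 0 || blockSize == 0) {` with a message that names the offending parameter.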
@@ -193,7 +197,7 @@ std::string hashPassword(const std::string& password, uint64_t workFactor, uint6
 
 std::string hashPassword(const std::string& password)
 {
-#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
+#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT)
   return hashPassword(password, CredentialsHolder::s_defaultWorkFactor, CredentialsHolder::s_defaultParallelFactor, CredentialsHolder::s_defaultBlockSize);
 #else
   throw std::runtime_error("Hashing a password requires scrypt support in OpenSSL, and it is not available");
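Review bot: The `#else` branch of `hashPassword(const std::string&)` still throws "Hashing a password requires scrypt support in OpenSSL, and it is not available", which is misleading when the branch is reached because `DISABLE_HASHED_CREDENTIALS` was defined on a build whose OpenSSL does provide scrypt. An operator reading that error would go looking for an OpenSSL problem that does not exist. A wording such as `"Hashing a password requires scrypt support in OpenSSL, which is missing or was disabled at build time"` covers both cases. The other `#else` branches in this file lie outside the visible hunks and probably need the same change.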
@@ -202,7 +206,7 @@ std::string hashPassword(const std::string& password)
 
 bool verifyPassword(const std::string& binaryHash, const std::string& salt, uint64_t workFactor, uint64_t parallelFactor, uint64_t blockSize, const std::string& binaryPassword)
 {
-#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
+#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT)
   auto expected = hashPasswordInternal(binaryPassword, salt, workFactor, parallelFactor, blockSize);
   return constantTimeStringEquals(expected, binaryHash);
 #else
@@ -213,7 +217,7 @@ bool verifyPassword(const std::string& binaryHash, const std::string& salt, uint
 /* parse a hashed password in PHC string format */
 static void parseHashed(const std::string& hash, std::string& salt, std::string& hashedPassword, uint64_t& workFactor, uint64_t& parallelFactor, uint64_t& blockSize)
 {
-#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
+#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT)
   auto parametersEnd = hash.find('$', pwhash_prefix.size());
   if (parametersEnd == std::string::npos || parametersEnd == hash.size()) {
     throw std::runtime_error("Invalid hashed password format, no parameters");
@@ -282,7 +286,7 @@ bool verifyPassword(const std::string& hash, const std::string& password)
     return false;
   }
 
-#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
+#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT)
   std::string salt;
   std::string hashedPassword;
   uint64_t workFactor = 0;
@@ -300,7 +304,7 @@ bool verifyPassword(const std::string& hash, const std::string& password)
 
 bool isPasswordHashed(const std::string& password)
 {
-#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
+#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT)
   if (password.size() < pwhash_prefix_size || password.size() > pwhash_max_size) {
     return false;
   }
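Review bot: With `DISABLE_HASHED_CREDENTIALS` defined, `isPasswordHashed()` takes its `#else` branch, which is outside this hunk and presumably returns false, so a configuration that still carries a hashed credential would be handled as a plaintext password. If so, the stored hash string itself becomes the accepted secret, which defeats the reason it was hashed, and nothing visible in this commit tells the operator. Consider refusing to start, or at least logging a warning, when a configured credential begins with the hashed-password prefix while `CredentialsHolder::isHashingAvailable()` is false. The `DISABLE_HASHED_CREDENTIALS` entry in `install.rst` should also say that existing hashed passwords must be replaced before such a build is deployed.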
@@ -395,7 +399,7 @@ bool CredentialsHolder::matches(const std::string& password) const
 
 bool CredentialsHolder::isHashingAvailable()
 {
-#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
+#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT)
   return true;
 #else
   return false;
index 39119d43a054e828880b3266737f2bf986a10f22..fcd6fd6372938dee96bf1b83dbcefde6e713e69e 100644 (file)
@@ -118,6 +118,7 @@ Our ``configure`` script provides a fair number of options with regard to which
 * ``DISABLE_COMPLETION`` for completion support in the console
 * ``DISABLE_DEPRECATED_DYNBLOCK`` for legacy dynamic blocks not using the new ``DynBlockRulesGroup`` interface
 * ``DISABLE_ECS_ACTIONS`` to disable actions altering EDNS Client Subnet
+* ``DISABLE_HASHED_CREDENTIALS`` to disable password-hashing support
 * ``DISABLE_LUA_WEB_HANDLERS`` for custom Lua web handlers support
 * ``DISABLE_OCSP_STAPLING`` for OCSP stapling
 * ``DISABLE_PROMETHEUS`` for prometheus
index 89bd6e4a227657e0bd3c585c70455cfe1e2684ff..20eee93d89f33382692bdcbd78a306df6567594e 100644 (file)
 
 BOOST_AUTO_TEST_SUITE(credentials_cc)
 
+#if defined(DISABLE_HASHED_CREDENTIALS)
+#undef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
+#endif
+
 #ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT
 BOOST_AUTO_TEST_CASE(test_CredentialsUtils)
 {