AM_LDFLAGS = \
$(PROGRAM_LDFLAGS) \
+ $(LIBCRYPTO_LIBS) \
$(THREADFLAGS)
AM_LFLAGS = -i
#endif
#include "credentials.hh"
+#include "misc.hh"
std::string hashPassword(const std::string& password)
{
}
}
else {
+ d_fallbackHashPerturb = random();
+ d_fallbackHash = burtle(reinterpret_cast<const unsigned char*>(password.data()), password.size(), d_fallbackHashPerturb);
d_credentials = std::move(password);
}
#ifdef HAVE_LIBSODIUM
sodium_munlock(d_credentials.data(), d_credentials.size());
#endif
+ d_fallbackHashPerturb = 0;
+ d_fallbackHash = 0;
}
bool CredentialsHolder::matches(const std::string& password) const
return verifyPassword(d_credentials, password);
}
else {
-#warning FIXME: would be better to do a poor-man hashing using burtle and a random seed first
- return password == d_credentials;
+ uint32_t fallback = burtle(reinterpret_cast<const unsigned char*>(password.data()), password.size(), d_fallbackHashPerturb);
+ if (fallback != d_fallbackHash) {
+ return false;
+ }
+
+ return constantTimeStringEquals(password, d_credentials);
}
}
private:
std::string d_credentials;
+ uint32_t d_fallbackHashPerturb;
+ uint32_t d_fallbackHash{0};
bool d_hashed{false};
};
if HAVE_LIBCRYPTO
dnsdist_LDADD += $(LIBCRYPTO_LDFLAGS) $(LIBCRYPTO_LIBS)
+testrunner_LDADD += $(LIBCRYPTO_LDFLAGS) $(LIBCRYPTO_LIBS)
dnsdist_SOURCES += ipcipher.cc ipcipher.hh
endif
return string((char*) hash, outlen);
}
-static bool constantTimeStringEquals(const std::string& a, const std::string& b)
-{
- if (a.size() != b.size()) {
- return false;
- }
- const size_t size = a.size();
-#ifdef HAVE_CRYPTO_MEMCMP
- return CRYPTO_memcmp(a.c_str(), b.c_str(), size) == 0;
-#else
- const volatile unsigned char *_a = (const volatile unsigned char *) a.c_str();
- const volatile unsigned char *_b = (const volatile unsigned char *) b.c_str();
- unsigned char res = 0;
-
- for (size_t idx = 0; idx < size; idx++) {
- res |= _a[idx] ^ _b[idx];
- }
-
- return res == 0;
-#endif
-}
-
static string makeTSIGPayload(const string& previous, const char* packetBegin, size_t packetSize, const DNSName& tsigKeyName, const TSIGRecordContent& trc, bool timersonly)
{
string message;
parseSVCBValueListFromParsedRFC1035CharString(parsed, val);
return ret;
};
+
+#ifdef HAVE_CRYPTO_MEMCMP
+#include <openssl/crypto.h>
+#endif
+
+bool constantTimeStringEquals(const std::string& a, const std::string& b)
+{
+ if (a.size() != b.size()) {
+ return false;
+ }
+ const size_t size = a.size();
+#ifdef HAVE_CRYPTO_MEMCMP
+ return CRYPTO_memcmp(a.c_str(), b.c_str(), size) == 0;
+#else
+ const volatile unsigned char *_a = (const volatile unsigned char *) a.c_str();
+ const volatile unsigned char *_b = (const volatile unsigned char *) b.c_str();
+ unsigned char res = 0;
+
+ for (size_t idx = 0; idx < size; idx++) {
+ res |= _a[idx] ^ _b[idx];
+ }
+
+ return res == 0;
+#endif
+}
+
std::string makeLuaString(const std::string& in);
+bool constantTimeStringEquals(const std::string& a, const std::string& b);
+
// Used in NID and L64 records
struct NodeOrLocatorID { uint8_t content[8]; };
sodiumsigners.cc
pdns_recursor_LDADD += $(LIBSODIUM_LIBS)
-rec_control_LDADD = $(LIBSODIUM_LIBS)
+rec_control_LDADD = $(LIBSODIUM_LIBS) \
+ $(LIBCRYPTO_LIBS)
testrunner_SOURCES += \
sodiumsigners.cc
projects / thirdparty / pdns.git / commitdiff
