From: Remi Gacogne Date: Fri, 21 Jan 2022 15:12:56 +0000 (+0100) Subject: dnsdist: Add DISABLE_HASHED_CREDENTIALS X-Git-Tag: rec-4.7.0-beta1~7^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f32819a5304e7e53fe461613a3616545440875e;p=thirdparty%2Fpdns.git dnsdist: Add DISABLE_HASHED_CREDENTIALS --- diff --git a/pdns/credentials.cc b/pdns/credentials.cc index 3a7534f757..108822843b 100644 --- a/pdns/credentials.cc +++ b/pdns/credentials.cc @@ -28,7 +28,7 @@ #include #endif -#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT +#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT) #include #include #include @@ -43,7 +43,7 @@ #include "credentials.hh" #include "misc.hh" -#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT +#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT) static size_t const pwhash_max_size = 128U; /* maximum size of the output */ static size_t const pwhash_output_size = 32U; /* size of the hashed output (before base64 encoding) */ static unsigned int const pwhash_salt_size = 16U; /* size of the salt (before base64 encoding */ @@ -96,7 +96,7 @@ void SensitiveData::clear() static std::string hashPasswordInternal(const std::string& password, const std::string& salt, uint64_t workFactor, uint64_t parallelFactor, uint64_t blockSize) { -#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT +#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT) auto pctx = std::unique_ptr(EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, nullptr), EVP_PKEY_CTX_free); if (!pctx) { throw std::runtime_error("Error getting a scrypt context to hash the supplied password"); 
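Review bot: The compound condition `!defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT)` introduced at this include guard is repeated verbatim at every other guard this commit touches in credentials.cc (the constants block, hashPasswordInternal, generateRandomSalt, both hashPassword and both verifyPassword overloads, parseHashed, isPasswordHashed and isHashingAvailable). These guards decide whether the credential hashing and verification code exists at all, so a later edit that updates some copies and misses one would leave the file internally inconsistent. Deriving one feature macro near the top and testing only that would remove the risk, for example `#define HASHED_CREDENTIALS_ENABLED 1` under the compound `#if` (the name is a suggestion, not an existing macro) and `#ifdef HASHED_CREDENTIALS_ENABLED` at each site. If that macro lived in a shared header, the test file could use it too instead of its `#undef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT` workaround.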
@@ -148,7 +148,7 @@ static std::string hashPasswordInternal(const std::string& password, const std:: static std::string generateRandomSalt() { -#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT +#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT) /* generate a random salt */ std::string salt; salt.resize(pwhash_salt_size); @@ -165,7 +165,11 @@ static std::string generateRandomSalt() std::string hashPassword(const std::string& password, uint64_t workFactor, uint64_t parallelFactor, uint64_t blockSize) { -#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT +#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT) + if (workFactor == 0) { + throw std::runtime_error("Invalid work factor of " + std::to_string(workFactor) + " passed to hashPassword()"); + } + std::string result; result.reserve(pwhash_max_size); @@ -193,7 +197,7 @@ std::string hashPassword(const std::string& password, uint64_t workFactor, uint6 std::string hashPassword(const std::string& password) { -#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT +#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT) return hashPassword(password, CredentialsHolder::s_defaultWorkFactor, CredentialsHolder::s_defaultParallelFactor, CredentialsHolder::s_defaultBlockSize); #else throw std::runtime_error("Hashing a password requires scrypt support in OpenSSL, and it is not available"); @@ -202,7 +206,7 @@ std::string hashPassword(const std::string& password) bool verifyPassword(const std::string& binaryHash, const std::string& salt, uint64_t workFactor, uint64_t parallelFactor, uint64_t blockSize, const std::string& binaryPassword) { -#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT +#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT) auto expected = hashPasswordInternal(binaryPassword, salt, workFactor, parallelFactor, blockSize); return constantTimeStringEquals(expected, binaryHash); #else 
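Review bot: The new guard in hashPassword() rejects only `workFactor == 0`, while scrypt requires the cost parameter N to be a power of two greater than 1, so values such as 1 or 3 pass this check and are presumably left for OpenSSL to reject further down. Checking the full constraint here, `if (workFactor < 2 || (workFactor & (workFactor - 1)) != 0) {`, would give one clear error and make the `std::to_string(workFactor)` in the message informative. The check also covers only the hashing path: the verifyPassword() overload in the @@ -202 hunk forwards workFactor, parallelFactor and blockSize to hashPasswordInternal() unchecked, and whether parseHashed() bounds the values it reads from a stored hash is not visible in these hunks. If it does not, an upper bound there would keep a malformed or oversized stored hash from driving an expensive scrypt computation on each verification attempt. The rest of hashPassword() lies outside the hunk.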
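Review bot: The `#else` message in hashPassword(const std::string&), "Hashing a password requires scrypt support in OpenSSL, and it is not available", is now also what an operator sees when OpenSSL does provide scrypt but the build set DISABLE_HASHED_CREDENTIALS. That sends troubleshooting toward the TLS library instead of the build flag. Rewording it to cover both causes would fix this, e.g. `throw std::runtime_error("Hashing a password requires scrypt support in OpenSSL, which is not available or was disabled at build time");`. Any other `#else` branches carrying the same text are outside these hunks and would need the same change.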
@@ -213,7 +217,7 @@ bool verifyPassword(const std::string& binaryHash, const std::string& salt, uint /* parse a hashed password in PHC string format */ static void parseHashed(const std::string& hash, std::string& salt, std::string& hashedPassword, uint64_t& workFactor, uint64_t& parallelFactor, uint64_t& blockSize) { -#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT +#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT) auto parametersEnd = hash.find('$', pwhash_prefix.size()); if (parametersEnd == std::string::npos || parametersEnd == hash.size()) { throw std::runtime_error("Invalid hashed password format, no parameters"); @@ -282,7 +286,7 @@ bool verifyPassword(const std::string& hash, const std::string& password) return false; } -#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT +#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT) std::string salt; std::string hashedPassword; uint64_t workFactor = 0; @@ -300,7 +304,7 @@ bool verifyPassword(const std::string& hash, const std::string& password) bool isPasswordHashed(const std::string& password) { -#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT +#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT) if (password.size() < pwhash_prefix_size || password.size() > pwhash_max_size) { return false; } @@ -395,7 +399,7 @@ bool CredentialsHolder::matches(const std::string& password) const bool CredentialsHolder::isHashingAvailable() { -#ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT +#if !defined(DISABLE_HASHED_CREDENTIALS) && defined(HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT) return true; #else return false; diff --git a/pdns/dnsdistdist/docs/install.rst b/pdns/dnsdistdist/docs/install.rst index 39119d43a0..fcd6fd6372 100644 --- a/pdns/dnsdistdist/docs/install.rst +++ b/pdns/dnsdistdist/docs/install.rst 
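Review bot: On a DISABLE_HASHED_CREDENTIALS build, isPasswordHashed() can no longer recognise a PHC-format value, and nothing in this commit makes that visible to the operator. The `#else` branch is outside the hunk, but if it returns false like the one in isHashingAvailable(), any caller that uses this function to choose between hashed and plaintext handling would store a configured hash as a plaintext secret, so the hash string itself would become the accepted password. It would be safer to keep the prefix detection outside the `#if` and fail closed at configuration time when a hashed value is supplied to a build without hashing support. Failing that, the behaviour deserves a comment here, such as `/* hashing compiled out: hashed values cannot be detected, callers must not assume plaintext */`, and a sentence next to the new install.rst entry.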
@@ -118,6 +118,7 @@ Our ``configure`` script provides a fair number of options with regard to which * ``DISABLE_COMPLETION`` for completion support in the console * ``DISABLE_DEPRECATED_DYNBLOCK`` for legacy dynamic blocks not using the new ``DynBlockRulesGroup`` interface * ``DISABLE_ECS_ACTIONS`` to disable actions altering EDNS Client Subnet +* ``DISABLE_HASHED_CREDENTIALS`` to disable password-hashing support * ``DISABLE_LUA_WEB_HANDLERS`` for custom Lua web handlers support * ``DISABLE_OCSP_STAPLING`` for OCSP stapling * ``DISABLE_PROMETHEUS`` for prometheus diff --git a/pdns/test-credentials_cc.cc b/pdns/test-credentials_cc.cc index 89bd6e4a22..20eee93d89 100644 --- a/pdns/test-credentials_cc.cc +++ b/pdns/test-credentials_cc.cc @@ -10,6 +10,10 @@ BOOST_AUTO_TEST_SUITE(credentials_cc) +#if defined(DISABLE_HASHED_CREDENTIALS) +#undef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT +#endif + #ifdef HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT BOOST_AUTO_TEST_CASE(test_CredentialsUtils) {
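Review bot: Undefining HAVE_EVP_PKEY_CTX_SET1_SCRYPT_SALT here compiles the scrypt test case out when DISABLE_HASHED_CREDENTIALS is set, and no test for the disabled configuration is visible in this hunk. That leaves the new build mode, in which the hashing entry points throw or report unavailability, without coverage. An `#else` case asserting the disabled contract would pin it down, for instance `BOOST_CHECK(!CredentialsHolder::isHashingAvailable());` and `BOOST_CHECK_THROW(hashPassword("test"), std::runtime_error);`. The body of test_CredentialsUtils and any existing `#else` section lie outside the hunk, so part of this may already exist.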