From: Remi Gacogne Date: Wed, 31 Mar 2021 07:52:03 +0000 (+0200) Subject: dnsdist: We want to know if the password was hashed, not if it is now X-Git-Tag: dnsdist-1.7.0-alpha1~12^2~29 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=32e8669a262a916c5b40fbe045fe7da075a09e1b;p=thirdparty%2Fpdns.git dnsdist: We want to know if the password was hashed, not if it is now --- diff --git a/pdns/credentials.cc b/pdns/credentials.cc index e829a41288..24672e142a 100644 --- a/pdns/credentials.cc +++ b/pdns/credentials.cc @@ -96,13 +96,12 @@ CredentialsHolder::CredentialsHolder(std::string&& password) bool locked = false; if (isHashingAvailable()) { - d_hashed = true; - if (!isPasswordHashed(password)) { d_credentials = hashPassword(password); locked = true; } else { + d_wasHashed = true; d_credentials = std::move(password); } } @@ -131,7 +130,7 @@ CredentialsHolder::~CredentialsHolder() bool CredentialsHolder::matches(const std::string& password) const { - if (d_hashed) { + if (isHashingAvailable()) { return verifyPassword(d_credentials, password); } else { diff --git a/pdns/credentials.hh b/pdns/credentials.hh index 03978d1655..970aa3fbcd 100644 --- a/pdns/credentials.hh +++ b/pdns/credentials.hh @@ -39,9 +39,10 @@ public: CredentialsHolder& operator=(const CredentialsHolder&) = delete; bool matches(const std::string& password) const; - bool isHashed() const + /* whether it was constructed from a hashed and salted string */ + bool wasHashed() const { - return d_hashed; + return d_wasHashed; } static bool isHashingAvailable(); @@ -50,5 +51,6 @@ private: std::string d_credentials; uint32_t d_fallbackHashPerturb; uint32_t d_fallbackHash{0}; - bool d_hashed{false}; + /* whether it was constructed from a hashed and salted string */ + bool d_wasHashed{false}; }; diff --git a/pdns/dnsdist-lua.cc b/pdns/dnsdist-lua.cc index 8bdc9551bc..404f727256 100644 --- a/pdns/dnsdist-lua.cc +++ b/pdns/dnsdist-lua.cc 
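Review bot: In the `credentials.cc` constructor hunk, `d_wasHashed` is only set inside `if (isHashingAvailable())`, so a build without hashing support that is handed an already-hashed string records nothing and, as far as the visible lines show, treats it like any other plain-text secret. If the non-hashing branch of `matches()` (not shown in this diff) compares the input against the stored value, the hash string itself would be accepted as the password, which defeats the purpose of keeping only a hash in the configuration. Consider rejecting that combination explicitly, for example `else if (isPasswordHashed(password)) { throw std::runtime_error("hashed credentials supplied but hashing support is not available"); }`, assuming `isPasswordHashed()` is usable in such builds. The constructor body starts before this hunk and appears to continue after it.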
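Review bot: `matches()` in the second `credentials.cc` hunk now selects `verifyPassword()` from `isHashingAvailable()` alone, so it relies on the constructor having stored a hash in `d_credentials` whenever hashing is available. Both constructor branches shown in the first hunk satisfy that invariant, but nothing states it. I would add a comment above the test such as `/* when hashing is available the constructor always stores a hash, either supplied or computed */`. It also assumes `isHashingAvailable()` returns the same value for the whole life of the process, which is worth confirming since its definition is not in this diff. The else branch of `matches()` lies outside the hunk.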
@@ -945,7 +945,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck) auto launch=[sock, local, password, apiKey, customHeaders, acl]() { if (password) { auto holder = make_unique(std::string(*password)); - if (!holder->isHashed() && holder->isHashingAvailable()) { + if (!holder->wasHashed() && holder->isHashingAvailable()) { warnlog("Passing a plain-text password to 'webserver()' is deprecated, please use 'setWebserverConfig()' instead."); } @@ -993,7 +993,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck) if (vars->count("password")) { std::string password = boost::get(vars->at("password")); auto holder = make_unique(std::move(password)); - if (!holder->isHashed() && holder->isHashingAvailable()) { + if (!holder->wasHashed() && holder->isHashingAvailable()) { warnlog("Passing a plain-text password via the 'password' parameter to 'setWebserverConfig()' is deprecated, please generate a hashed one using 'hashPassword()' instead."); } @@ -1003,7 +1003,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck) if (vars->count("apiKey")) { std::string apiKey = boost::get(vars->at("apiKey")); auto holder = make_unique(std::move(apiKey)); - if (!holder->isHashed() && holder->isHashingAvailable()) { + if (!holder->wasHashed() && holder->isHashingAvailable()) { warnlog("Passing a plain-text API key via the 'apiKey' parameter to 'setWebserverConfig()' is deprecated, please generate a hashed one using 'hashPassword()' instead."); }
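Review bot: The three call sites in `dnsdist-lua.cc` (`webserver()` and the `password` and `apiKey` branches of `setWebserverConfig()`) repeat `!holder->wasHashed() && holder->isHashingAvailable()`, calling a function that `credentials.hh` declares `static` through an instance. Writing `CredentialsHolder::isHashingAvailable()` would make it clear that the test concerns the build and not this particular holder, and a small helper taking the holder and the message would keep the three deprecation checks from drifting apart. The warning is also skipped entirely when hashing is unavailable, so on such builds nothing tells the operator that the secret is presumably kept unhashed; if that is intended, a one-line comment at the first site should say so. `setupLuaConfig()` extends well beyond these hunks.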