From 3c22572863f35871eb0f547594f3d65b35f9f50f Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Mon, 21 Jun 2021 18:14:02 +0200
Subject: [PATCH] rec: Allow hashing with a custom work factor

---
 pdns/rec_control.cc                           | 30 +++++++++++++++----
 .../docs/manpages/rec_control.1.rst           |  4 ++-
 2 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/pdns/rec_control.cc b/pdns/rec_control.cc
index 229229d319..a7ab7cab1d 100644
--- a/pdns/rec_control.cc
+++ b/pdns/rec_control.cc
@@ -108,6 +108,31 @@ int main(int argc, char** argv)
     sockname.append(".controlsocket");
 
     const vector<string>&commands=arg().getCommands();
+
+    if (commands.size() >= 1 && commands.at(0) == "hash-password") {
+      uint64_t workFactor = CredentialsHolder::s_defaultWorkFactor;
+      if (commands.size() > 1) {
+        try {
+          workFactor = pdns_stou(commands.at(1));
+        }
+        catch (const std::exception& e) {
+          cerr << "Unable to parse the supplied work factor: " << e.what() << endl;
+          return EXIT_FAILURE;
+        }
+      }
+
+      auto password = CredentialsHolder::readFromTerminal();
+
+      try {
+        cout << hashPassword(password.getString(), workFactor, CredentialsHolder::s_defaultParallelFactor, CredentialsHolder::s_defaultBlockSize) << endl;
+        return EXIT_SUCCESS;
+      }
+      catch (const std::exception& e) {
+        cerr << "Error while hashing the supplied password: " << e.what() << endl;
+        return EXIT_FAILURE;
+      }
+    }
+
     string command;
     int fd = -1;
     unsigned int i = 0;
@@ -141,11 +166,6 @@ int main(int argc, char** argv)
           throw PDNSException("Command needs a file argument");
         }
       }
-      else if (commands.at(i) == "hash-password") {
-        auto password = CredentialsHolder::readFromTerminal();
-        cout << hashPassword(password.getString()) << endl;
-        return 0;
-      }
       ++i;
     }
 
diff --git a/pdns/recursordist/docs/manpages/rec_control.1.rst b/pdns/recursordist/docs/manpages/rec_control.1.rst
index b0fb9d9d7e..7bd6b857a1 100644
--- a/pdns/recursordist/docs/manpages/rec_control.1.rst
+++ b/pdns/recursordist/docs/manpages/rec_control.1.rst
@@ -152,10 +152,12 @@ get-parameter *KEY* [*KEY*]...
 get-qtypelist
     Retrieves QType statistics. Queries from cache aren't being counted yet.
 
-hash-password
+hash-password [*WORK-FACTOR*]
     Asks for a password then returns the hashed and salted version,
     to use as a webserver password or API key. This command does
     not contact the recursor but does the hashing inside rec_control.
+    An optional scrypt work factor can be specified, in power of two.
+    The default is 1024.
 
 help
     Shows a list of supported commands understood by the running
-- 
2.47.2