From f2d1ebbc1c8c79b29c79a1fc39302580c2862dbe Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Mon, 21 Jun 2021 18:14:15 +0200
Subject: [PATCH] auth: Allow hashing with a custom work factor

---
 docs/manpages/pdnsutil.1.rst |  4 +++-
 pdns/pdnsutil.cc             | 26 ++++++++++++++++++++++----
 2 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/docs/manpages/pdnsutil.1.rst b/docs/manpages/pdnsutil.1.rst
index 12285832d0..e9dfa7f29e 100644
--- a/docs/manpages/pdnsutil.1.rst
+++ b/docs/manpages/pdnsutil.1.rst
@@ -189,9 +189,11 @@ edit-zone *ZONE*
     **EDITOR** is empty, *pdnsutil* falls back to using *editor*.
 get-meta *ZONE* [*ATTRIBUTE*]...
     Get zone metadata. If no *ATTRIBUTE* given, lists all known.
-hash-password
+hash-password [*WORK-FACTOR*]
     This convenience command asks for a password and returns a hashed
     and salted version, for use as a webserver password or api key.
+    An optional scrypt work factor can be specified, in power of two,
+    otherwise it defaults to 1024.
 hash-zone-record *ZONE* *RNAME*
     This convenience command hashes the name *RNAME* according to the
     NSEC3 settings of *ZONE*. Refuses to hash for zones with no NSEC3
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index ac32efc0e0..a4ed9a8195 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -2332,7 +2332,7 @@ try
     cout<<"generate-zone-key {zsk|ksk} [ALGORITHM] [BITS]"<<endl;
     cout<<"                                   Generate a ZSK or KSK to stdout with specified ALGORITHM and BITS"<<endl;
     cout<<"get-meta ZONE [KIND ...]           Get zone metadata. If no KIND given, lists all known"<<endl;
-    cout<<"hash-password                      Ask for a plaintext password or api key and output a hashed and salted version"<<endl;
+    cout<<"hash-password [WORK FACTOR]        Ask for a plaintext password or api key and output a hashed and salted version"<<endl;
     cout<<"hash-zone-record ZONE RNAME        Calculate the NSEC3 hash for RNAME in ZONE"<<endl;
 #ifdef HAVE_P11KIT1
     cout<<"hsm assign ZONE ALGORITHM {ksk|zsk} MODULE SLOT PIN LABEL"<<endl<<
@@ -2483,10 +2483,28 @@ try
 
     return 0;
   }
-  else if (cmds[0]=="hash-password") {
+  else if (cmds.at(0) == "hash-password") {
+    uint64_t workFactor = CredentialsHolder::s_defaultWorkFactor;
+    if (cmds.size() > 1) {
+      try {
+        workFactor = pdns_stou(cmds.at(1));
+      }
+      catch (const std::exception& e) {
+        cerr<<"Unable to parse the supplied work factor: "<<e.what()<<endl;
+        return 1;
+      }
+    }
+
     auto password = CredentialsHolder::readFromTerminal();
-    cout<<hashPassword(password.getString())<<endl;
-    return 0;
+
+    try {
+      cout<<hashPassword(password.getString(), workFactor, CredentialsHolder::s_defaultParallelFactor, CredentialsHolder::s_defaultBlockSize)<<endl;
+      return EXIT_SUCCESS;
+    }
+    catch (const std::exception& e) {
+      cerr<<"Error while hashing the supplied password: "<<e.what()<<endl;
+      return 1;
+    }
   }
 
   DNSSECKeeper dk;
-- 
2.47.2