From c385e1f39502ade5c42edb5e15ec7799573fb99c Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Tue, 28 Apr 2015 00:16:15 +0100
Subject: [PATCH] Add password encryption mode.
---
 src/controller.c | 8 +-------
 src/main.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 src/main.h | 7 +++++++
 3 files changed, 54 insertions(+), 7 deletions(-)
diff --git a/src/controller.c b/src/controller.c
index bce75c568..522605165 100644
--- a/src/controller.c
+++ b/src/controller.c
@@ -133,14 +133,8 @@ struct rspamd_controller_session {
 gboolean is_spam;
 };
-struct rspamd_controller_pbkdf {
- gint id;
- guint rounds;
- gsize salt_len;
- gsize key_len;
-};
-static const struct rspamd_controller_pbkdf pbkdf_list[] = {
+const struct rspamd_controller_pbkdf pbkdf_list[] = {
 {
 .id = RSPAMD_PBKDF_ID_V1,
 .rounds = 16000,
diff --git a/src/main.c b/src/main.c
index 069c6e11a..fb9ec3470 100644
--- a/src/main.c
+++ b/src/main.c
@@ -84,6 +84,7 @@ static gboolean dump_cache = FALSE;
 static gboolean is_debug = FALSE;
 static gboolean is_insecure = FALSE;
 static gboolean gen_keypair = FALSE;
+static gboolean encrypt_password = FALSE;
 /* List of workers that are pending to start */
 static GList *workers_pending = NULL;
@@ -129,9 +130,12 @@ static GOptionEntry entries[] =
 "Specify private key to sign", NULL },
 { "gen-keypair", 0, 0, G_OPTION_ARG_NONE, &gen_keypair, "Generate new encryption "
 "keypair", NULL},
+ { "encrypt-password", 0, 0, G_OPTION_ARG_NONE, &encrypt_password, "Encrypt "
+ "controller password to store in the configuration file", NULL },
 { NULL, 0, 0, G_OPTION_ARG_NONE, NULL, NULL, NULL }
 };
+extern const struct rspamd_controller_pbkdf pbkdf_list[];
 #ifndef HAVE_SA_SIGINFO
 static void
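Review bot: The `extern const struct rspamd_controller_pbkdf pbkdf_list[];` added after the `entries[]` initializer in src/main.c is a second, unchecked declaration of the array that src/controller.c now defines without `static`; nothing lets the compiler verify that the two agree, which is what a shared header is for. Since the struct itself moves into src/main.h in this same patch, the declaration belongs next to it there, `extern const struct rspamd_controller_pbkdf pbkdf_list[];` directly after the struct, and the copy in main.c can go. The `entries[]` initializer this hunk edits starts above the hunk.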
@@ -1037,6 +1041,43 @@ perform_configs_sign (void)
 #endif
 }
+static void
+do_encrypt_password (void)
+{
+ const struct rspamd_controller_pbkdf *pbkdf;
+ guchar *salt, *key;
+ gchar *encoded_salt, *encoded_key;
+ gchar password[BUFSIZ];
+ gsize plen;
+
+ pbkdf = &pbkdf_list[0];
+ g_assert (pbkdf != NULL);
+
+ plen = rspamd_read_passphrase (password, sizeof (password), 0, NULL);
+
+ if (plen == 0) {
+ fprintf (stderr, "Invalid password\n");
+ exit (EXIT_FAILURE);
+ }
+
+ salt = g_alloca (pbkdf->salt_len);
+ key = g_alloca (pbkdf->key_len);
+ ottery_rand_bytes (salt, pbkdf->salt_len);
+ /* Derive key */
+ rspamd_cryptobox_pbkdf (password, strlen (password),
+ salt, pbkdf->salt_len, key, pbkdf->key_len, pbkdf->rounds);
+
+ encoded_salt = rspamd_encode_base32 (salt, pbkdf->salt_len);
+ encoded_key = rspamd_encode_base32 (key, pbkdf->key_len);
+
+ rspamd_printf ("$%d$%s$%s\n", pbkdf->id, encoded_salt,
+ encoded_key);
+
+ g_free (encoded_salt);
+ g_free (encoded_key);
+ rspamd_explicit_memzero (password, sizeof (password));
+}
+
 static void
 rspamd_init_main (struct rspamd_main *rspamd)
 {
@@ -1140,6 +1181,11 @@ main (gint argc, gchar **argv, gchar **env)
 exit (EXIT_SUCCESS);
 }
+ if (encrypt_password) {
+ do_encrypt_password ();
+ exit (EXIT_SUCCESS);
+ }
+
 if (rspamd_main->cfg->config_test || dump_cache) {
 if (!load_rspamd_config (rspamd_main->cfg, FALSE)) {
 exit (EXIT_FAILURE);
diff --git a/src/main.h b/src/main.h
index 29096b86f..301e82c47 100644
--- a/src/main.h
+++ b/src/main.h
@@ -69,6 +69,13 @@ struct rspamd_worker_signal_handler {
 void *handler_data;
 };
+struct rspamd_controller_pbkdf {
+ gint id;
+ guint rounds;
+ gsize salt_len;
+ gsize key_len;
+};
+
 /**
 * Module
-- 
2.39.5
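Review bot: In do_encrypt_password the call to `rspamd_cryptobox_pbkdf` passes `strlen (password)` even though `plen`, the length `rspamd_read_passphrase` returned a few lines above, has already been checked and is in hand; the two are presumably equal for a NUL-terminated passphrase, but using the returned value avoids relying on that and on the buffer being terminated: `rspamd_cryptobox_pbkdf (password, plen,`. The `g_assert (pbkdf != NULL)` after `pbkdf = &pbkdf_list[0];` can never fire, since the address of an array element is never NULL; a comment such as `/* The first entry is the default scheme */` would convey more than the assert does. The derived `key` in its `g_alloca` buffer is left in place after use while `password` is wiped; since the key is printed as the stored verifier this is minor, but `rspamd_explicit_memzero (key, pbkdf->key_len);` next to the existing wipe keeps the function's cleanup consistent.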