Add routine to recommend users to encrypt their passwords.

src/controller.c

@@ -1727,6 +1727,49 @@ rspamd_controller_accept_socket (gint fd, short what, void *arg)
 	rspamd_http_router_handle_socket (ctx->http, nfd, nsession);
 }
 
+static void
+rspamd_controller_password_sane (const gchar *password, const gchar *type)
+{
+	const struct rspamd_controller_pbkdf *pbkdf = &pbkdf_list[0];
+	GString *msg;
+	guchar *salt, *key;
+	gchar *encoded_salt, *encoded_key;
+
+	if (password == NULL) {
+		msg_warn ("%s is not set, so you should filter controller availability "
+				"by using of firewall or `secure_ip` option", type);
+		return;
+	}
+
+	g_assert (pbkdf != NULL);
+
+	if (!rspamd_is_encrypted_password (password, NULL)) {
+		/* Suggest encryption to a user */
+		msg = g_string_new (NULL);
+
+		rspamd_printf_gstring (msg, "your %s is not encrypted, we strongly "
+				"recommend to replace it with the encrypted version: ", type);
+		salt = g_alloca (pbkdf->salt_len);
+		key = g_alloca (pbkdf->key_len);
+		ottery_rand_bytes (salt, pbkdf->salt_len);
+		/* Derive key */
+		rspamd_cryptobox_pbkdf (password, strlen (password),
+				salt, pbkdf->salt_len, key, pbkdf->key_len, pbkdf->rounds);
+
+		encoded_salt = rspamd_encode_base32 (salt, pbkdf->salt_len);
+		encoded_key = rspamd_encode_base32 (key, pbkdf->key_len);
+
+		rspamd_printf_gstring (msg, "$%d$%s$%s", pbkdf->id, encoded_salt,
+				encoded_key);
+
+		msg_warn ("%v", msg);
+
+		g_string_free (msg, TRUE);
+		g_free (encoded_salt);
+		g_free (encoded_key);
+	}
+}
+
 gpointer
 init_controller_worker (struct rspamd_config *cfg)
 {
@@ -1825,6 +1868,10 @@ start_controller_worker (struct rspamd_worker *worker)
 			cur = g_list_next (cur);
 		}
 	}
+
+	rspamd_controller_password_sane (ctx->password, "normal password");
+	rspamd_controller_password_sane (ctx->enable_password, "enable password");
+
 	/* Accept event */
 	cache = rspamd_keypair_cache_new (256);
 	ctx->http = rspamd_http_router_new (rspamd_controller_error_handler,