authorVsevolod Stakhov <vsevolod@highsecure.ru>2015-04-28 00:16:15 +0100
committerVsevolod Stakhov <vsevolod@highsecure.ru>2015-04-28 00:16:15 +0100
commitc385e1f39502ade5c42edb5e15ec7799573fb99c (patch)
treebce0cdff34570a90960b130654ac62ab05bc7f84 /src
parent1bb534f67d6e15e4cce60d9da838bc604e8eb408 (diff)
downloadrspamd-c385e1f39502ade5c42edb5e15ec7799573fb99c.tar.gz
rspamd-c385e1f39502ade5c42edb5e15ec7799573fb99c.zip
Add password encryption mode.
Diffstat (limited to 'src')
-rw-r--r--src/controller.c8
-rw-r--r--src/main.c46
-rw-r--r--src/main.h7
3 files changed, 54 insertions, 7 deletions
diff --git a/src/controller.c b/src/controller.c
index bce75c568..522605165 100644
--- a/src/controller.c
+++ b/src/controller.c
@@ -133,14 +133,8 @@ struct rspamd_controller_session {
gboolean is_spam;
};
-struct rspamd_controller_pbkdf {
- gint id;
- guint rounds;
- gsize salt_len;
- gsize key_len;
-};
-static const struct rspamd_controller_pbkdf pbkdf_list[] = {
+const struct rspamd_controller_pbkdf pbkdf_list[] = {
{
.id = RSPAMD_PBKDF_ID_V1,
.rounds = 16000,
diff --git a/src/main.c b/src/main.c
index 069c6e11a..fb9ec3470 100644
--- a/src/main.c
+++ b/src/main.c
@@ -84,6 +84,7 @@ static gboolean dump_cache = FALSE;
static gboolean is_debug = FALSE;
static gboolean is_insecure = FALSE;
static gboolean gen_keypair = FALSE;
+static gboolean encrypt_password = FALSE;
/* List of workers that are pending to start */
static GList *workers_pending = NULL;
@@ -129,9 +130,12 @@ static GOptionEntry entries[] =
"Specify private key to sign", NULL },
{ "gen-keypair", 0, 0, G_OPTION_ARG_NONE, &gen_keypair, "Generate new encryption "
"keypair", NULL},
+ { "encrypt-password", 0, 0, G_OPTION_ARG_NONE, &encrypt_password, "Encrypt "
+ "controller password to store in the configuration file", NULL },
{ NULL, 0, 0, G_OPTION_ARG_NONE, NULL, NULL, NULL }
};
+extern const struct rspamd_controller_pbkdf pbkdf_list[];
#ifndef HAVE_SA_SIGINFO
static void
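Review bot: The `extern const struct rspamd_controller_pbkdf pbkdf_list[];` declaration sits in main.c rather than in a shared header, so the compiler cannot check it against the definition in controller.c if the two ever drift apart. Since this commit already moves the struct into main.h, the declaration belongs next to it there. Dropping `static` also gives the unprefixed name `pbkdf_list` external linkage; a prefixed name such as `rspamd_controller_pbkdf_list` would fit the surrounding naming. The help text says "Encrypt", but the new mode prints a salted PBKDF derivation that cannot be decrypted, so wording like `"Hash controller password to store in the configuration file"` would describe it more accurately.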
@@ -1038,6 +1042,43 @@ perform_configs_sign (void)
}
static void
+do_encrypt_password (void)
+{
+ const struct rspamd_controller_pbkdf *pbkdf;
+ guchar *salt, *key;
+ gchar *encoded_salt, *encoded_key;
+ gchar password[BUFSIZ];
+ gsize plen;
+
+ pbkdf = &pbkdf_list[0];
+ g_assert (pbkdf != NULL);
+
+ plen = rspamd_read_passphrase (password, sizeof (password), 0, NULL);
+
+ if (plen == 0) {
+ fprintf (stderr, "Invalid password\n");
+ exit (EXIT_FAILURE);
+ }
+
+ salt = g_alloca (pbkdf->salt_len);
+ key = g_alloca (pbkdf->key_len);
+ ottery_rand_bytes (salt, pbkdf->salt_len);
+ /* Derive key */
+ rspamd_cryptobox_pbkdf (password, strlen (password),
+ salt, pbkdf->salt_len, key, pbkdf->key_len, pbkdf->rounds);
+
+ encoded_salt = rspamd_encode_base32 (salt, pbkdf->salt_len);
+ encoded_key = rspamd_encode_base32 (key, pbkdf->key_len);
+
+ rspamd_printf ("$%d$%s$%s\n", pbkdf->id, encoded_salt,
+ encoded_key);
+
+ g_free (encoded_salt);
+ g_free (encoded_key);
+ rspamd_explicit_memzero (password, sizeof (password));
+}
+
+static void
rspamd_init_main (struct rspamd_main *rspamd)
{
rspamd->server_pool = rspamd_mempool_new (
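Review bot: In do_encrypt_password the derivation call passes `strlen (password)` although `rspamd_read_passphrase` already returned the length in `plen`; whether the buffer is always NUL-terminated is not visible in this hunk, so `rspamd_cryptobox_pbkdf (password, plen,` is the safer form. The plaintext is wiped only on the last line, after encoding and printing; moving `rspamd_explicit_memzero (password, sizeof (password));` to directly after the derivation call shortens the time the password stays on the stack. `g_assert (pbkdf != NULL)` tests the address of an array element and can never fire, so it documents nothing. The result of the derivation call is not checked; if that function can report failure, the uninitialised `key` buffer from `g_alloca` would be encoded and printed as though it were a valid hash.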
@@ -1140,6 +1181,11 @@ main (gint argc, gchar **argv, gchar **env)
exit (EXIT_SUCCESS);
}
+ if (encrypt_password) {
+ do_encrypt_password ();
+ exit (EXIT_SUCCESS);
+ }
+
if (rspamd_main->cfg->config_test || dump_cache) {
if (!load_rspamd_config (rspamd_main->cfg, FALSE)) {
exit (EXIT_FAILURE);
diff --git a/src/main.h b/src/main.h
index 29096b86f..301e82c47 100644
--- a/src/main.h
+++ b/src/main.h
@@ -69,6 +69,13 @@ struct rspamd_worker_signal_handler {
void *handler_data;
};
+struct rspamd_controller_pbkdf {
+ gint id;
+ guint rounds;
+ gsize salt_len;
+ gsize key_len;
+};
+
/**
* Module