cabal: Add a flag to enable/disable scrypt

cardano-foundation · Jul 20, 2021 · f3d4d11 · f3d4d11
1 parent defbc26
commit f3d4d11
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 5 deletions.
diff --git a/lib/core/cardano-wallet-core.cabal b/lib/core/cardano-wallet-core.cabal
@@ -17,6 +17,10 @@ flag release
     default: False
     manual: True
 
+flag scrypt
+    description: Enable compatibility support for legacy wallet passwords.
+    default: True
+
 library
   default-language:
       Haskell2010
@@ -29,6 +33,9 @@ library
       -fwarn-redundant-constraints
   if (flag(release))
     ghc-options: -O2 -Werror
+  if (flag(scrypt))
+    cpp-options: -DHAVE_SCRYPT
+    build-depends: scrypt
   build-depends:
       aeson
     , async
@@ -93,7 +100,6 @@ library
     , retry
     , safe
     , scientific
-    , scrypt
     , servant
     , servant-client
     , servant-server

diff --git a/lib/core/src/Cardano/Wallet/Api/Server.hs b/lib/core/src/Cardano/Wallet/Api/Server.hs
@@ -3249,6 +3249,12 @@ instance IsServerError ErrWithRootKey where
                 , "to encrypt the root private key of the given wallet: "
                 , toText wid
                 ]
+        ErrWithRootKeyWrongPassphrase wid ErrScryptUnsupported ->
+            apiError err501 WrongEncryptionPassphrase $ mconcat
+                [ "This build is not compiled with support for the "
+                , "legacy scrypt scheme used by the given wallet: "
+                , toText wid
+                ]
 
 instance IsServerError ErrListAssets where
     toServerError = \case

diff --git a/lib/core/src/Cardano/Wallet/Primitive/AddressDerivation.hs b/lib/core/src/Cardano/Wallet/Primitive/AddressDerivation.hs
@@ -1,4 +1,5 @@
 {-# LANGUAGE AllowAmbiguousTypes #-}
+{-# LANGUAGE CPP #-}
 {-# LANGUAGE DataKinds #-}
 {-# LANGUAGE DeriveGeneric #-}
 {-# LANGUAGE DerivingVia #-}
@@ -156,14 +157,17 @@ import Safe
     ( readMay, toEnumMay )
 
 import qualified Cardano.Address.Script as CA
-import qualified Codec.CBOR.Encoding as CBOR
-import qualified Codec.CBOR.Write as CBOR
-import qualified Crypto.Scrypt as Scrypt
 import qualified Data.ByteArray as BA
 import qualified Data.ByteString as BS
 import qualified Data.Text as T
 import qualified Data.Text.Encoding as T
 
+#ifdef HAVE_SCRYPT
+import qualified Codec.CBOR.Encoding as CBOR
+import qualified Codec.CBOR.Write as CBOR
+import qualified Crypto.Scrypt as Scrypt
+#endif
+
 {-------------------------------------------------------------------------------
                                 HD Hierarchy
 -------------------------------------------------------------------------------}
@@ -610,13 +614,17 @@ checkPassphrase scheme received stored = do
             unless (constantTimeEq (encryptPassphrase prepared salt) stored) $
                 Left ErrWrongPassphrase
         EncryptWithScrypt -> do
+#ifdef HAVE_SCRYPT
             let msg = Scrypt.Pass
                     $ CBOR.toStrictByteString
                     $ CBOR.encodeBytes
                     $ BA.convert prepared
             if Scrypt.verifyPass' msg (Scrypt.EncryptedPass (getHash stored))
                 then Right ()
                 else Left ErrWrongPassphrase
+#else
+           Left ErrScryptUnsupported
+#endif
   where
     getSalt :: Hash purpose -> Either ErrWrongPassphrase (Passphrase "salt")
     getSalt (Hash bytes) = do
@@ -629,7 +637,9 @@ checkPassphrase scheme received stored = do
         BA.convert @_ @ScrubbedBytes a == BA.convert @_ @ScrubbedBytes b
 
 -- | Indicate a failure when checking for a given 'Passphrase' match
-data ErrWrongPassphrase = ErrWrongPassphrase
+data ErrWrongPassphrase
+    = ErrWrongPassphrase
+    | ErrScryptUnsupported
     deriving stock (Show, Eq)
 
 -- | Little trick to be able to provide our own "random" salt in order to