ITS#9453 - Make pw argon2 official

.gitlab-ci.yml

@@ -23,7 +23,7 @@ build-openssl-heimdal-lloadd:
   stage: build
   script:
     - apt update
-    - DEBIAN_FRONTEND=noninteractive apt install -y build-essential python3 gdb procps pkg-config automake libsasl2-dev heimdal-multidev libssl-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev heimdal-kdc libsasl2-modules-gssapi-heimdal sasl2-bin libevent-dev
+    - DEBIAN_FRONTEND=noninteractive apt install -y build-essential python3 gdb procps pkg-config automake libsasl2-dev heimdal-multidev libssl-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev heimdal-kdc libsasl2-modules-gssapi-heimdal sasl2-bin libevent-dev libargon2-dev
     - autoreconf
     - ./configure --enable-backends=mod --enable-overlays=mod --enable-modules --enable-dynamic --disable-ndb --enable-balancer=mod
     - make depend
@@ -41,7 +41,7 @@ build-gnutls-mit-standalone-lloadd:
   stage: build
   script:
     - apt update
-    - DEBIAN_FRONTEND=noninteractive apt install -y build-essential python3 gdb procps pkg-config automake libsasl2-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev krb5-user krb5-kdc krb5-admin-server libsasl2-modules-gssapi-mit sasl2-bin libgnutls28-dev libevent-dev
+    - DEBIAN_FRONTEND=noninteractive apt install -y build-essential python3 gdb procps pkg-config automake libsasl2-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev krb5-user krb5-kdc krb5-admin-server libsasl2-modules-gssapi-mit sasl2-bin libgnutls28-dev libevent-dev libargon2-dev
     - autoreconf
     - ./configure --enable-backends=mod --enable-overlays=mod --disable-autoca --enable-modules --enable-dynamic --disable-ndb --enable-balancer=yes
     - make depend

build/top.mk

@@ -191,6 +191,7 @@ AC_LIBS = @LIBS@
 SASL_LIBS = @SASL_LIBS@
 TLS_LIBS = @TLS_LIBS@
 AUTH_LIBS = @AUTH_LIBS@
+ARGON2_LIBS = @ARGON2_LIBS@
 SECURITY_LIBS = $(SASL_LIBS) $(TLS_LIBS) $(AUTH_LIBS)
 
 MODULES_CPPFLAGS = @SLAPD_MODULES_CPPFLAGS@

configure.ac

@@ -363,6 +363,8 @@ Overlays="accesslog \
 	unique \
 	valsort"
 
+Pwmods="argon2"
+
 AC_ARG_ENABLE(xxslapoverlays,[
 SLAPD Overlay Options:])
 
@@ -413,6 +415,16 @@ OL_ARG_ENABLE(unique, [AS_HELP_STRING([--enable-unique], [Attribute Uniqueness o
 OL_ARG_ENABLE(valsort, [AS_HELP_STRING([--enable-valsort], [Value Sorting overlay])],
 	no, [no yes mod], ol_enable_overlays)
 
+dnl ----------------------------------------------------------------
+dnl PASSWORD MODULE OPTIONS
+AC_ARG_ENABLE(pwmodoptions,[
+SLAPD Password Module Options:])
+OL_ARG_ENABLE(argon2, [AS_HELP_STRING([--enable-argon2], [Argon2 password hashing module])],
+	no, [no yes], ol_enable_pwmodules)
+OL_ARG_WITH(argon2,
+	[AS_HELP_STRING([--with-argon2], [with argon2 support library auto|libsodum|libargon2])],
+	auto, [auto libsodium libargon2 yes no] )
+
 dnl ----------------------------------------------------------------
 dnl BALANCER OPTIONS
 AC_ARG_ENABLE(balanceroptions,[
@@ -442,7 +454,7 @@ if test $ol_enable_slapd = no ; then
 		fi
 	done
 
-	for i in $Backends $Overlays; do
+	for i in $Backends $Overlays $Pwmods; do
 		eval "ol_tmp=\$ol_enable_$i"
 		if test $ol_tmp != no ; then
 			AC_MSG_WARN([slapd disabled, ignoring --enable-$i argument])
@@ -467,6 +479,13 @@ else
 			fi
 		done
 
+		for i in $Pwmods; do
+			eval "ol_tmp=\$ol_enable_$i"
+			if test -n "$ol_tmp" && test "$ol_tmp" = yes ; then
+				AC_MSG_ERROR([--enable-$i=yes requires --enable-modules])
+			fi
+		done
+
 		ol_any_backend=no
 		for i in $Backends; do
 			eval "ol_tmp=\$ol_enable_$i"
@@ -582,9 +601,13 @@ BUILD_TRANSLUCENT=no
 BUILD_UNIQUE=no
 BUILD_VALSORT=no
 
+BUILD_PW_ARGON2=no
+
 SLAPD_STATIC_OVERLAYS=
 SLAPD_DYNAMIC_OVERLAYS=
 
+SLAPD_DYNAMIC_PWMODS=
+
 SLAPD_MODULES_LDFLAGS=
 SLAPD_MODULES_CPPFLAGS=
 
@@ -2971,6 +2994,50 @@ if test "$ol_enable_valsort" != no ; then
 	AC_DEFINE_UNQUOTED(SLAPD_OVER_VALSORT,$MFLAG,[define for Value Sorting overlay])
 fi
 
+ol_link_argon2=no
+if test "$ol_enable_argon2" = "yes" ; then
+	if test $ol_with_argon2 = libargon2 || test $ol_with_argon2 = auto; then
+		AC_CHECK_HEADERS(argon2.h)
+		if test $ac_cv_header_argon2_h = yes ; then
+			AC_CHECK_LIB(argon2, argon2i_hash_encoded,
+				[have_argon2=yes], [have_argon2=no],
+				[-largon2])
+		fi
+		if test "$have_argon2" = "yes" ; then
+			ol_with_argon2=libargon2
+			ol_link_argon2=yes
+			AC_DEFINE(HAVE_LIBARGON2, 1,
+				[define if you have libargon2])
+			ARGON2_LIBS="-largon2"
+		fi
+	fi
+	if test $ol_with_argon2 = libsodium || test $ol_with_argon2 = auto; then
+		AC_CHECK_HEADERS(sodium.h)
+		if test $ac_cv_header_sodium_h = yes ; then
+			AC_CHECK_LIB(sodium, crypto_pwhash_str_alg,
+				[have_argon2=yes], [have_argon2=no],
+				[-lsodium])
+		fi
+		if test "$have_argon2" = "yes" ; then
+			ol_with_argon2=libsodium
+			ol_link_argon2=yes
+			AC_DEFINE(HAVE_LIBSODIUM, 1,
+				[define if you have libsodium])
+			ARGON2_LIBS="-lsodium"
+		fi
+	fi
+
+	if test "$ol_link_argon2" = no ; then
+		AC_MSG_ERROR([--enable_argon2=$ol_enable_argon2 requires --with-argon2])
+	fi
+
+	BUILD_PW_ARGON2=$ol_enable_argon2
+	if test "$ol_enable_argon2" = "yes" ; then
+		SLAPD_DYNAMIC_PWMODS="$SLAPD_DYNAMIC_PWDMODS argon2.la"
+	fi
+	AC_DEFINE_UNQUOTED(SLAPD_PWMOD_PW_ARGON2,$SLAPD_MOD_DYNAMIC,[define for Argon2 Password hashing module])
+fi
+
 if test "$ol_enable_balancer" != no \
 		-a "$ol_with_threads" != no \
 		-a "$have_libevent" = yes ; then
@@ -3057,6 +3124,8 @@ dnl overlays
   AC_SUBST(BUILD_UNIQUE)
   AC_SUBST(BUILD_VALSORT)
   AC_SUBST(BUILD_BALANCER)
+dnl pwmods
+  AC_SUBST(BUILD_PW_ARGON2)
 
 AC_SUBST(LDAP_LIBS)
 AC_SUBST(CLIENT_LIBS)
@@ -3077,6 +3146,7 @@ AC_SUBST(SLAPD_STATIC_BACKENDS)
 AC_SUBST(SLAPD_DYNAMIC_BACKENDS)
 AC_SUBST(SLAPD_STATIC_OVERLAYS)
 AC_SUBST(SLAPD_DYNAMIC_OVERLAYS)
+AC_SUBST(SLAPD_DYNAMIC_PWMODS)
 
 AC_SUBST(PERL_CPPFLAGS)
 AC_SUBST(SLAPD_PERL_LDFLAGS)
@@ -3089,6 +3159,7 @@ AC_SUBST(MODULES_LIBS)
 AC_SUBST(SLAPI_LIBS)
 AC_SUBST(LIBSLAPI)
 AC_SUBST(AUTH_LIBS)
+AC_SUBST(ARGON2_LIBS)
 
 AC_SUBST(SLAPD_SLP_LIBS)
 AC_SUBST(SLAPD_GMP_LIBS)
@@ -3148,6 +3219,7 @@ AC_CONFIG_FILES([Makefile:build/top.mk:Makefile.in:build/dir.mk]
 [servers/slapd/shell-backends/Makefile:build/top.mk:servers/slapd/shell-backends/Makefile.in:build/srv.mk]
 [servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk]
 [servers/slapd/overlays/Makefile:build/top.mk:servers/slapd/overlays/Makefile.in:build/lib.mk]
+[servers/slapd/pwmods/Makefile:build/top.mk:servers/slapd/pwmods/Makefile.in:build/lib.mk]
 [servers/lloadd/Makefile:build/top.mk:servers/lloadd/Makefile.in]
 [servers/lloadd/Makefile.server:servers/lloadd/Makefile_server.in:build/srv.mk]
 [servers/lloadd/Makefile.module:servers/lloadd/Makefile_module.in:build/mod.mk]

contrib/slapd-modules/passwd/argon2/Makefile

-# $OpenLDAP$
-
-LDAP_SRC = ../../../..
-LDAP_BUILD = ../../../..
-LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
-LDAP_LIB = $(LDAP_BUILD)/libraries/libldap/libldap.la \
-	$(LDAP_BUILD)/libraries/liblber/liblber.la
-
-LIBTOOL = $(LDAP_BUILD)/libtool
-INSTALL = /usr/bin/install
-CC = gcc
-OPT = -g -O2 -Wall
-#DEFS = -DSLAPD_ARGON2_DEBUG
-
-INCS = $(LDAP_INC)
-LIBS = $(LDAP_LIB)
-
-implementation = sodium
-
-ifeq ($(implementation),argon2)
-LIBS += -largon2
-DEFS += -DSLAPD_ARGON2_USE_ARGON2
-else ifeq ($(implementation),sodium)
-LIBS += -lsodium
-DEFS += -DSLAPD_ARGON2_USE_SODIUM
-else
-$(error Unsupported implementation $(implementation))
-endif
-
-PROGRAMS = pw-argon2.la
-MANPAGES = slapd-pw-argon2.5
-LTVER = 0:0:0
-
-prefix=/usr/local
-exec_prefix=$(prefix)
-ldap_subdir=/openldap
-
-libdir=$(exec_prefix)/lib
-libexecdir=$(exec_prefix)/libexec
-moduledir = $(libexecdir)$(ldap_subdir)
-mandir = $(exec_prefix)/share/man
-man5dir = $(mandir)/man5
-
-.SUFFIXES: .c .o .lo
-
-.c.lo:
-	$(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
-
-all:		$(PROGRAMS)
-
-pw-argon2.la: pw-argon2.lo
-	$(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
-	-rpath $(moduledir) -module -o $@ $? $(LIBS)
-
-clean:
-	rm -rf *.o *.lo *.la .libs
-
-install: install-lib install-man FORCE
-
-install-lib: $(PROGRAMS)
-	mkdir -p $(DESTDIR)$(moduledir)
-	for p in $(PROGRAMS) ; do \
-		$(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \
-	done
-
-install-man: $(MANPAGES)
-	mkdir -p  $(DESTDIR)$(man5dir)
-	$(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir)
-
-FORCE:

contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5 → doc/man/man5/slappw-argon2.5

-.TH SLAPD-PW-ARGON2 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.TH SLAPPW-ARGON2 5 "RELEASEDATE" "OpenLDAP LDVERSION"
 .\" Copyright 2020-2021 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .\" $OpenLDAP$
 .SH NAME
-slapd-pw-argon2 \- Argon2 password module to slapd
+slappw\-argon2 \- Argon2 password module to slapd
 .SH SYNOPSIS
 ETCDIR/slapd.conf
 .RS
 .LP
-.B moduleload pw-argon2
+.B moduleload argon2
 .RI [ <parameters> ]
 .RE
 .SH DESCRIPTION
 .LP
 The
-.B pw-argon2
+.B argon2
 module to
 .BR slapd (8)
 provides support for the use of the key derivation function Argon2,
@@ -27,7 +27,7 @@ for use in slapd.
 
 .SH CONFIGURATION
 The
-.B pw-argon2
+.B argon2
 module does not need any configuration,
 but it can be configured by giving the following parameters:
 .TP
@@ -72,11 +72,11 @@ The relevant option/value is:
 .RS
 .LP
 .B \-o
-.BR module\-load = pw-argon2
+.BR module\-load = argon2
 .LP
 .RE
 Depending on
-.BR pw-argon2 's
+.BR argon2 's
 location, you may also need:
 .RS
 .LP

servers/slapd/Makefile.in

@@ -280,6 +280,9 @@ dummy $(SLAPD_DYNAMIC_BACKENDS): slapd
 dynamic_overlays: slapd
 	cd overlays && $(MAKE) $(MFLAGS) dynamic
 
+dynamic_pwmods: slapd
+	cd pwmods && $(MAKE) $(MFLAGS) dynamic
+
 #
 # In Windows, dynamic backends have to be built after slapd. For this
 # reason, we only build static backends now and dynamic backends later.
@@ -382,7 +385,7 @@ install-slapd: FORCE
 	    fi; \
 	done
 
-all-cffiles: slapd $(SLAPD_DYNAMIC_BACKENDS) dynamic_overlays
+all-cffiles: slapd $(SLAPD_DYNAMIC_BACKENDS) dynamic_overlays dynamic_pwmods
 	@if test $(PLAT) = NT; then \
 	    sysconfdir=`cygpath -w $(sysconfdir) | \
 		$(SED) -e 's/\\\\/\\\\\\\\\\\\\\\\/g'`; \

servers/slapd/pwmods/Makefile.in

+# Makefile.in for overlays
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 2003-2021 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+SRCS = argon2.c
+
+LTONLY_MOD = $(LTONLY_mod)
+LDAP_INCDIR= ../../../include
+LDAP_LIBDIR= ../../../libraries
+
+MOD_DEFS = -DSLAPD_IMPORT
+
+shared_LDAP_LIBS = $(LDAP_LIBLDAP_LA) $(LDAP_LIBLBER_LA)
+NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+
+LIBRARY = dummyvalue
+PROGRAMS = @SLAPD_DYNAMIC_PWMODS@
+
+XINCPATH = -I.. -I$(srcdir)/..
+XDEFS = $(MODULES_CPPFLAGS)
+
+dynamic: $(PROGRAMS)
+
+argon2.la : argon2.lo version.lo
+	$(LTLINK_MOD) -module -o $@ argon2.lo version.lo $(ARGON2_LIBS) $(LINK_LIBS) $(MODULES_LIBS)
+
+install-local:	$(PROGRAMS)
+	@if test -n "$?" ; then \
+		$(MKDIR) $(DESTDIR)$(moduledir); \
+		$(LTINSTALL) $(INSTALLFLAGS) -m 755 $? $(DESTDIR)$(moduledir);\
+	fi
+
+MKDEPFLAG = -l
+
+.SUFFIXES: .c .o .lo
+
+.c.lo:
+	$(LTCOMPILE_MOD) $<
+
+# Must fixup depends for non-libtool objects
+depend-local: depend-common
+	@if test -n "$(OBJS)"; then \
+	OBJ2=`echo $(OBJS) $(OBJDEP) | $(SED) -e 's/\.o//g'`; \
+	SCR=''; for i in $$OBJ2; do SCR="$$SCR -e s/^$$i.lo:/$$i.o:/"; done; \
+	mv Makefile Makefile.bak; $(SED) $$SCR Makefile.bak > Makefile && \
+	$(RM) Makefile.bak; fi
+

contrib/slapd-modules/passwd/argon2/README → servers/slapd/pwmods/README.argon2

 Argon2 OpenLDAP support
 ----------------------
 
-pw-argon2.c provides support for ARGON2 hashed passwords in OpenLDAP. For
+argon2.c provides support for ARGON2 hashed passwords in OpenLDAP. For
 instance, one could have the LDAP attribute:
 
 userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng
@@ -22,13 +22,13 @@ For initial testing you might also want to edit DEFS to define
 SLAPD_ARGON2_DEBUG, which enables logging to stderr (don't leave this on
 in production, as it prints passwords in cleartext).
 
-2) Run 'make' to produce pw-argon2.so
+2) Run 'make' to produce argon2.so
 
-3) Copy pw-argon2.so somewhere permanent.
+3) Copy argon2.so somewhere permanent.
 
 4) Edit your slapd.conf (eg. /etc/ldap/slapd.conf), and add:
 
-moduleload ...path/to/pw-argon2.so
+moduleload ...path/to/argon2.so
 
 5) Restart slapd.
 

contrib/slapd-modules/passwd/argon2/pw-argon2.c → servers/slapd/pwmods/argon2.c

-/* pw-argon2.c - Password module for argon2 */
+/* argon2.c - Password module for argon2 */
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
@@ -15,6 +15,7 @@
  */
 
 #include "portable.h"
+#ifdef SLAPD_PWMOD_PW_ARGON2
 #include "ac/string.h"
 #include "lber_pvt.h"
 #include "lutil.h"
@@ -22,7 +23,7 @@
 #include <stdint.h>
 #include <stdlib.h>
 
-#ifdef SLAPD_ARGON2_USE_ARGON2
+#ifdef HAVE_LIBARGON2
 #include <argon2.h>
 
 /*
@@ -35,7 +36,7 @@
 #define SLAPD_ARGON2_SALT_LENGTH 16
 #define SLAPD_ARGON2_HASH_LENGTH 32
 
-#else /* !SLAPD_ARGON2_USE_ARGON2 */
+#else /* !HAVE_LIBARGON2 */
 #include <sodium.h>
 
 /*
@@ -71,7 +72,7 @@ slapd_argon2_hash(
 	char *p;
 	int rc = LUTIL_PASSWD_ERR;
 
-#ifdef SLAPD_ARGON2_USE_ARGON2
+#ifdef HAVE_LIBARGON2
 	struct berval salt;
 	size_t encoded_length;
 
@@ -114,7 +115,7 @@ slapd_argon2_hash(
 	hash->bv_len = scheme->bv_len + encoded_length;
 	ber_memfree( salt.bv_val );
 
-#else /* !SLAPD_ARGON2_USE_ARGON2 */
+#else /* !HAVE_LIBARGON2 */
 	/* Not exposed by libsodium
 	salt_length = SLAPD_ARGON2_SALT_LENGTH;
 	hash_length = SLAPD_ARGON2_HASH_LENGTH;
@@ -153,7 +154,7 @@ slapd_argon2_verify(
 {
 	int rc = LUTIL_PASSWD_ERR;
 
-#ifdef SLAPD_ARGON2_USE_ARGON2
+#ifdef HAVE_LIBARGON2
 	if ( strncmp( passwd->bv_val, "$argon2i$", STRLENOF("$argon2i$") ) == 0 ) {
 		rc = argon2i_verify( passwd->bv_val, cred->bv_val, cred->bv_len );
 	} else if ( strncmp( passwd->bv_val, "$argon2d$", STRLENOF("$argon2d$") ) == 0 ) {
@@ -161,7 +162,7 @@ slapd_argon2_verify(
 	} else if ( strncmp( passwd->bv_val, "$argon2id$", STRLENOF("$argon2id$") ) == 0 ) {
 		rc = argon2id_verify( passwd->bv_val, cred->bv_val, cred->bv_len );
 	}
-#else /* !SLAPD_ARGON2_USE_ARGON2 */
+#else /* !HAVE_LIBARGON2 */
 	rc = crypto_pwhash_str_verify( passwd->bv_val, cred->bv_val, cred->bv_len );
 #endif
 
@@ -175,7 +176,7 @@ int init_module( int argc, char *argv[] )
 {
 	int i;
 
-#ifndef SLAPD_ARGON2_USE_ARGON2
+#ifdef HAVE_LIBSODIUM
 	if ( sodium_init() == -1 ) {
 		return -1;
 	}
@@ -218,3 +219,4 @@ int init_module( int argc, char *argv[] )
 	return lutil_passwd_add( (struct berval *)&slapd_argon2_scheme,
 			slapd_argon2_verify, slapd_argon2_hash );
 }
+#endif /* SLAPD_OVER_PW_ARGON2 */

tests/data/passwd.ldif

@@ -27,3 +27,11 @@ objectclass: person
 cn: ssha
 sn: ssha
 userpassword: secret
+
+dn: cn=argon2,dc=example,dc=com
+objectclass: person
+cn: argon2
+sn: argon2
+userPassword:: e0FSR09OMn0kYXJnb24yaSR2PTE5JG09NDA5Nix0PTMscD0xJHZTc1orVnZjM
+ UhoZzc0WFNrdVZLOFEkd1B2UUc0blFMS2xaSkRGU0tna2k0L2NYejNLT2lOYXpwL2VDWkFWOFlt
+ Zw==

tests/run.in

@@ -41,6 +41,7 @@ AC_sql=sql@BUILD_SQL@
 
 # overlays
 AC_accesslog=accesslog@BUILD_ACCESSLOG@
+AC_argon2=argon2@BUILD_PW_ARGON2@
 AC_autoca=autoca@BUILD_AUTOCA@
 AC_constraint=constraint@BUILD_CONSTRAINT@
 AC_dds=dds@BUILD_DDS@
@@ -76,7 +77,7 @@ if test "${AC_asyncmeta}" = "asyncmetamod" && test "${AC_LIBS_DYNAMIC}" = "stati
 	AC_meta="asyncmetano"
 fi
 export AC_ldap AC_mdb AC_meta AC_asyncmeta AC_monitor AC_null AC_perl AC_relay AC_sql \
-	AC_accesslog AC_autoca AC_constraint AC_dds AC_dynlist AC_memberof \
+	AC_accesslog AC_argon2 AC_autoca AC_constraint AC_dds AC_dynlist AC_memberof \
 	AC_pcache AC_ppolicy AC_refint AC_remoteauth \
 	AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \
 	AC_valsort \

tests/scripts/defines.sh

@@ -29,6 +29,7 @@ BACKSQL=${AC_sql-sqlno}
 
 # overlays
 ACCESSLOG=${AC_accesslog-accesslogno}
+ARGON2=${AC_argon2-argon2no}
 AUTOCA=${AC_autoca-autocano}
 CONSTRAINT=${AC_constraint-constraintno}
 DDS=${AC_dds-ddsno}

tests/scripts/test083-argon2

+#!/bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 2021 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+if test $ARGON2 = argon2no; then
+	echo "argon2 overlay not available, test skipped"
+	exit 0
+fi
+
+USERDN="cn=argon2,$BASEDN"
+
+CONFDIR=$TESTDIR/slapd.d
+mkdir -p $TESTDIR $CONFDIR $DBDIR1
+
+$SLAPPASSWD -g -n >$CONFIGPWF
+
+cat > $TESTDIR/config.ldif <<EOF
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcArgsFile: $TESTDIR/slapd.args
+olcPidFile: $TESTDIR/slapd.pid
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file://$TESTWD/schema/core.ldif
+include: file://$TESTWD/schema/cosine.ldif
+include: file://$TESTWD/schema/inetorgperson.ldif
+EOF
+
+if [ "$BACKENDTYPE" = mod ]; then
+	cat >> $TESTDIR/config.ldif <<EOF
+
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: $TESTWD/../servers/slapd/back-$BACKEND
+olcModuleLoad: back_$BACKEND.la
+EOF
+fi
+
+if [ "$ARGON2" = argon2yes ]; then
+	cat >> $TESTDIR/config.ldif <<EOF
+
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: $TESTWD/../servers/slapd/pwmods
+olcModuleLoad: argon2.la
+EOF
+fi
+
+cat >> $TESTDIR/config.ldif <<EOF
+
+dn: olcDatabase={-1}frontend,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcFrontendConfig
+olcDatabase: {-1}frontend
+olcPasswordHash: {ARGON2}
+
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcRootPW:< file://$CONFIGPWF
+
+dn: olcDatabase={1}$BACKEND,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olc${BACKEND}Config
+olcDatabase: $BACKEND
+olcSuffix: $BASEDN
+olcRootDN: $MANAGERDN
+olcRootPW: $PASSWD
+olcDbDirectory: $TESTDIR/db.1.a
+EOF
+
+if [ "$INDEXDB" = indexdb ]; then
+	cat >> $TESTDIR/config.ldif <<EOF
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
+EOF
+fi
+
+$SLAPADD -F $CONFDIR -n 0 -l $TESTDIR/config.ldif
+
+echo "Starting slapd on TCP/IP port $PORT1..."
+$SLAPD -F $CONFDIR -h $URI1 -d $LVL > $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+	echo PID $PID
+	read foo
+fi
+KILLPIDS="$PID"
+sleep 1
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+	$LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
+		'objectclass=*' > /dev/null 2>&1
+	RC=$?
+	if test $RC = 0 ; then
+		break
+	fi
+	echo "Waiting 5 seconds for slapd to start..."
+	sleep 5
+done
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Adding basic structure..."
+$LDAPADD -D "$MANAGERDN" -H $URI1 -w $PASSWD -f $LDIFPASSWD >/dev/null 2>&1
+RC=$?
+if test $RC != 0 ; then