Commit c7763538 authored by Quanah Gibson-Mount's avatar Quanah Gibson-Mount

ITS#9453 - Make pw argon2 official

parent 535e2795
...@@ -23,7 +23,7 @@ build-openssl-heimdal-lloadd: ...@@ -23,7 +23,7 @@ build-openssl-heimdal-lloadd:
stage: build stage: build
script: script:
- apt update - apt update
- DEBIAN_FRONTEND=noninteractive apt install -y build-essential python3 gdb procps pkg-config automake libsasl2-dev heimdal-multidev libssl-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev heimdal-kdc libsasl2-modules-gssapi-heimdal sasl2-bin libevent-dev - DEBIAN_FRONTEND=noninteractive apt install -y build-essential python3 gdb procps pkg-config automake libsasl2-dev heimdal-multidev libssl-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev heimdal-kdc libsasl2-modules-gssapi-heimdal sasl2-bin libevent-dev libargon2-dev
- autoreconf - autoreconf
- ./configure --enable-backends=mod --enable-overlays=mod --enable-modules --enable-dynamic --disable-ndb --enable-balancer=mod - ./configure --enable-backends=mod --enable-overlays=mod --enable-modules --enable-dynamic --disable-ndb --enable-balancer=mod
- make depend - make depend
...@@ -41,7 +41,7 @@ build-gnutls-mit-standalone-lloadd: ...@@ -41,7 +41,7 @@ build-gnutls-mit-standalone-lloadd:
stage: build stage: build
script: script:
- apt update - apt update
- DEBIAN_FRONTEND=noninteractive apt install -y build-essential python3 gdb procps pkg-config automake libsasl2-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev krb5-user krb5-kdc krb5-admin-server libsasl2-modules-gssapi-mit sasl2-bin libgnutls28-dev libevent-dev - DEBIAN_FRONTEND=noninteractive apt install -y build-essential python3 gdb procps pkg-config automake libsasl2-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev krb5-user krb5-kdc krb5-admin-server libsasl2-modules-gssapi-mit sasl2-bin libgnutls28-dev libevent-dev libargon2-dev
- autoreconf - autoreconf
- ./configure --enable-backends=mod --enable-overlays=mod --disable-autoca --enable-modules --enable-dynamic --disable-ndb --enable-balancer=yes - ./configure --enable-backends=mod --enable-overlays=mod --disable-autoca --enable-modules --enable-dynamic --disable-ndb --enable-balancer=yes
- make depend - make depend
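Review bot: Both jobs now install libargon2-dev, but neither ./configure invocation passes --enable-argon2, and the configure.ac hunk in this commit defaults the option to `no`, so unless the default is changed elsewhere the new pwmods/argon2 module is never compiled or linked in CI and a broken libargon2 detection would go unnoticed. Consider appending `--enable-argon2=yes` (both jobs already pass --enable-modules, which the option requires) to the configure line in each job, and optionally `--with-argon2=libargon2` so the check exercises the library that is being installed.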
...@@ -191,6 +191,7 @@ AC_LIBS = @LIBS@ ...@@ -191,6 +191,7 @@ AC_LIBS = @LIBS@
SASL_LIBS = @SASL_LIBS@ SASL_LIBS = @SASL_LIBS@
TLS_LIBS = @TLS_LIBS@ TLS_LIBS = @TLS_LIBS@
AUTH_LIBS = @AUTH_LIBS@ AUTH_LIBS = @AUTH_LIBS@
ARGON2_LIBS = @ARGON2_LIBS@
SECURITY_LIBS = $(SASL_LIBS) $(TLS_LIBS) $(AUTH_LIBS) SECURITY_LIBS = $(SASL_LIBS) $(TLS_LIBS) $(AUTH_LIBS)
MODULES_CPPFLAGS = @SLAPD_MODULES_CPPFLAGS@ MODULES_CPPFLAGS = @SLAPD_MODULES_CPPFLAGS@
...@@ -363,6 +363,8 @@ Overlays="accesslog \ ...@@ -363,6 +363,8 @@ Overlays="accesslog \
unique \ unique \
valsort" valsort"
Pwmods="argon2"
AC_ARG_ENABLE(xxslapoverlays,[ AC_ARG_ENABLE(xxslapoverlays,[
SLAPD Overlay Options:]) SLAPD Overlay Options:])
...@@ -413,6 +415,16 @@ OL_ARG_ENABLE(unique, [AS_HELP_STRING([--enable-unique], [Attribute Uniqueness o ...@@ -413,6 +415,16 @@ OL_ARG_ENABLE(unique, [AS_HELP_STRING([--enable-unique], [Attribute Uniqueness o
OL_ARG_ENABLE(valsort, [AS_HELP_STRING([--enable-valsort], [Value Sorting overlay])], OL_ARG_ENABLE(valsort, [AS_HELP_STRING([--enable-valsort], [Value Sorting overlay])],
no, [no yes mod], ol_enable_overlays) no, [no yes mod], ol_enable_overlays)
dnl ----------------------------------------------------------------
dnl PASSWORD MODULE OPTIONS
AC_ARG_ENABLE(pwmodoptions,[
SLAPD Password Module Options:])
OL_ARG_ENABLE(argon2, [AS_HELP_STRING([--enable-argon2], [Argon2 password hashing module])],
no, [no yes], ol_enable_pwmodules)
OL_ARG_WITH(argon2,
[AS_HELP_STRING([--with-argon2], [with argon2 support library auto|libsodum|libargon2])],
auto, [auto libsodium libargon2 yes no] )
dnl ---------------------------------------------------------------- dnl ----------------------------------------------------------------
dnl BALANCER OPTIONS dnl BALANCER OPTIONS
AC_ARG_ENABLE(balanceroptions,[ AC_ARG_ENABLE(balanceroptions,[
...@@ -442,7 +454,7 @@ if test $ol_enable_slapd = no ; then ...@@ -442,7 +454,7 @@ if test $ol_enable_slapd = no ; then
fi fi
done done
for i in $Backends $Overlays; do for i in $Backends $Overlays $Pwmods; do
eval "ol_tmp=\$ol_enable_$i" eval "ol_tmp=\$ol_enable_$i"
if test $ol_tmp != no ; then if test $ol_tmp != no ; then
AC_MSG_WARN([slapd disabled, ignoring --enable-$i argument]) AC_MSG_WARN([slapd disabled, ignoring --enable-$i argument])
...@@ -467,6 +479,13 @@ else ...@@ -467,6 +479,13 @@ else
fi fi
done done
for i in $Pwmods; do
eval "ol_tmp=\$ol_enable_$i"
if test -n "$ol_tmp" && test "$ol_tmp" = yes ; then
AC_MSG_ERROR([--enable-$i=yes requires --enable-modules])
fi
done
ol_any_backend=no ol_any_backend=no
for i in $Backends; do for i in $Backends; do
eval "ol_tmp=\$ol_enable_$i" eval "ol_tmp=\$ol_enable_$i"
...@@ -582,9 +601,13 @@ BUILD_TRANSLUCENT=no ...@@ -582,9 +601,13 @@ BUILD_TRANSLUCENT=no
BUILD_UNIQUE=no BUILD_UNIQUE=no
BUILD_VALSORT=no BUILD_VALSORT=no
BUILD_PW_ARGON2=no
SLAPD_STATIC_OVERLAYS= SLAPD_STATIC_OVERLAYS=
SLAPD_DYNAMIC_OVERLAYS= SLAPD_DYNAMIC_OVERLAYS=
SLAPD_DYNAMIC_PWMODS=
SLAPD_MODULES_LDFLAGS= SLAPD_MODULES_LDFLAGS=
SLAPD_MODULES_CPPFLAGS= SLAPD_MODULES_CPPFLAGS=
...@@ -2971,6 +2994,50 @@ if test "$ol_enable_valsort" != no ; then ...@@ -2971,6 +2994,50 @@ if test "$ol_enable_valsort" != no ; then
AC_DEFINE_UNQUOTED(SLAPD_OVER_VALSORT,$MFLAG,[define for Value Sorting overlay]) AC_DEFINE_UNQUOTED(SLAPD_OVER_VALSORT,$MFLAG,[define for Value Sorting overlay])
fi fi
ol_link_argon2=no
if test "$ol_enable_argon2" = "yes" ; then
if test $ol_with_argon2 = libargon2 || test $ol_with_argon2 = auto; then
AC_CHECK_HEADERS(argon2.h)
if test $ac_cv_header_argon2_h = yes ; then
AC_CHECK_LIB(argon2, argon2i_hash_encoded,
[have_argon2=yes], [have_argon2=no],
[-largon2])
fi
if test "$have_argon2" = "yes" ; then
ol_with_argon2=libargon2
ol_link_argon2=yes
AC_DEFINE(HAVE_LIBARGON2, 1,
[define if you have libargon2])
ARGON2_LIBS="-largon2"
fi
fi
if test $ol_with_argon2 = libsodium || test $ol_with_argon2 = auto; then
AC_CHECK_HEADERS(sodium.h)
if test $ac_cv_header_sodium_h = yes ; then
AC_CHECK_LIB(sodium, crypto_pwhash_str_alg,
[have_argon2=yes], [have_argon2=no],
[-lsodium])
fi
if test "$have_argon2" = "yes" ; then
ol_with_argon2=libsodium
ol_link_argon2=yes
AC_DEFINE(HAVE_LIBSODIUM, 1,
[define if you have libsodium])
ARGON2_LIBS="-lsodium"
fi
fi
if test "$ol_link_argon2" = no ; then
AC_MSG_ERROR([--enable_argon2=$ol_enable_argon2 requires --with-argon2])
fi
BUILD_PW_ARGON2=$ol_enable_argon2
if test "$ol_enable_argon2" = "yes" ; then
SLAPD_DYNAMIC_PWMODS="$SLAPD_DYNAMIC_PWDMODS argon2.la"
fi
AC_DEFINE_UNQUOTED(SLAPD_PWMOD_PW_ARGON2,$SLAPD_MOD_DYNAMIC,[define for Argon2 Password hashing module])
fi
if test "$ol_enable_balancer" != no \ if test "$ol_enable_balancer" != no \
-a "$ol_with_threads" != no \ -a "$ol_with_threads" != no \
-a "$have_libevent" = yes ; then -a "$have_libevent" = yes ; then
...@@ -3057,6 +3124,8 @@ dnl overlays ...@@ -3057,6 +3124,8 @@ dnl overlays
AC_SUBST(BUILD_UNIQUE) AC_SUBST(BUILD_UNIQUE)
AC_SUBST(BUILD_VALSORT) AC_SUBST(BUILD_VALSORT)
AC_SUBST(BUILD_BALANCER) AC_SUBST(BUILD_BALANCER)
dnl pwmods
AC_SUBST(BUILD_PW_ARGON2)
AC_SUBST(LDAP_LIBS) AC_SUBST(LDAP_LIBS)
AC_SUBST(CLIENT_LIBS) AC_SUBST(CLIENT_LIBS)
...@@ -3077,6 +3146,7 @@ AC_SUBST(SLAPD_STATIC_BACKENDS) ...@@ -3077,6 +3146,7 @@ AC_SUBST(SLAPD_STATIC_BACKENDS)
AC_SUBST(SLAPD_DYNAMIC_BACKENDS) AC_SUBST(SLAPD_DYNAMIC_BACKENDS)
AC_SUBST(SLAPD_STATIC_OVERLAYS) AC_SUBST(SLAPD_STATIC_OVERLAYS)
AC_SUBST(SLAPD_DYNAMIC_OVERLAYS) AC_SUBST(SLAPD_DYNAMIC_OVERLAYS)
AC_SUBST(SLAPD_DYNAMIC_PWMODS)
AC_SUBST(PERL_CPPFLAGS) AC_SUBST(PERL_CPPFLAGS)
AC_SUBST(SLAPD_PERL_LDFLAGS) AC_SUBST(SLAPD_PERL_LDFLAGS)
...@@ -3089,6 +3159,7 @@ AC_SUBST(MODULES_LIBS) ...@@ -3089,6 +3159,7 @@ AC_SUBST(MODULES_LIBS)
AC_SUBST(SLAPI_LIBS) AC_SUBST(SLAPI_LIBS)
AC_SUBST(LIBSLAPI) AC_SUBST(LIBSLAPI)
AC_SUBST(AUTH_LIBS) AC_SUBST(AUTH_LIBS)
AC_SUBST(ARGON2_LIBS)
AC_SUBST(SLAPD_SLP_LIBS) AC_SUBST(SLAPD_SLP_LIBS)
AC_SUBST(SLAPD_GMP_LIBS) AC_SUBST(SLAPD_GMP_LIBS)
...@@ -3148,6 +3219,7 @@ AC_CONFIG_FILES([Makefile:build/top.mk:Makefile.in:build/dir.mk] ...@@ -3148,6 +3219,7 @@ AC_CONFIG_FILES([Makefile:build/top.mk:Makefile.in:build/dir.mk]
[servers/slapd/shell-backends/Makefile:build/top.mk:servers/slapd/shell-backends/Makefile.in:build/srv.mk] [servers/slapd/shell-backends/Makefile:build/top.mk:servers/slapd/shell-backends/Makefile.in:build/srv.mk]
[servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk] [servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk]
[servers/slapd/overlays/Makefile:build/top.mk:servers/slapd/overlays/Makefile.in:build/lib.mk] [servers/slapd/overlays/Makefile:build/top.mk:servers/slapd/overlays/Makefile.in:build/lib.mk]
[servers/slapd/pwmods/Makefile:build/top.mk:servers/slapd/pwmods/Makefile.in:build/lib.mk]
[servers/lloadd/Makefile:build/top.mk:servers/lloadd/Makefile.in] [servers/lloadd/Makefile:build/top.mk:servers/lloadd/Makefile.in]
[servers/lloadd/Makefile.server:servers/lloadd/Makefile_server.in:build/srv.mk] [servers/lloadd/Makefile.server:servers/lloadd/Makefile_server.in:build/srv.mk]
[servers/lloadd/Makefile.module:servers/lloadd/Makefile_module.in:build/mod.mk] [servers/lloadd/Makefile.module:servers/lloadd/Makefile_module.in:build/mod.mk]
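Review bot: The append in the `@@ -2971` hunk reads `SLAPD_DYNAMIC_PWMODS="$SLAPD_DYNAMIC_PWDMODS argon2.la"`, but the variable initialised in the `@@ -582` hunk and substituted in the `@@ -3077` hunk is `SLAPD_DYNAMIC_PWMODS` (no D); the build only works because argon2 is currently the sole module, and a second module would silently overwrite the list. Change it to `SLAPD_DYNAMIC_PWMODS="$SLAPD_DYNAMIC_PWMODS argon2.la"`. Two smaller wording issues in the same file: the help string in the `@@ -413` hunk says `libsodum` where `libsodium` is meant, and the error in the `@@ -2971` hunk spells the option `--enable_argon2=`; since the failure is reached after the auto probe as well, a message like `AC_MSG_ERROR([--enable-argon2 requires libargon2 or libsodium, see --with-argon2])` would tell the user what was actually missing.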
# $OpenLDAP$
LDAP_SRC = ../../../..
LDAP_BUILD = ../../../..
LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
LDAP_LIB = $(LDAP_BUILD)/libraries/libldap/libldap.la \
$(LDAP_BUILD)/libraries/liblber/liblber.la
LIBTOOL = $(LDAP_BUILD)/libtool
INSTALL = /usr/bin/install
CC = gcc
OPT = -g -O2 -Wall
#DEFS = -DSLAPD_ARGON2_DEBUG
INCS = $(LDAP_INC)
LIBS = $(LDAP_LIB)
implementation = sodium
ifeq ($(implementation),argon2)
LIBS += -largon2
DEFS += -DSLAPD_ARGON2_USE_ARGON2
else ifeq ($(implementation),sodium)
LIBS += -lsodium
DEFS += -DSLAPD_ARGON2_USE_SODIUM
else
$(error Unsupported implementation $(implementation))
endif
PROGRAMS = pw-argon2.la
MANPAGES = slapd-pw-argon2.5
LTVER = 0:0:0
prefix=/usr/local
exec_prefix=$(prefix)
ldap_subdir=/openldap
libdir=$(exec_prefix)/lib
libexecdir=$(exec_prefix)/libexec
moduledir = $(libexecdir)$(ldap_subdir)
mandir = $(exec_prefix)/share/man
man5dir = $(mandir)/man5
.SUFFIXES: .c .o .lo
.c.lo:
$(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
all: $(PROGRAMS)
pw-argon2.la: pw-argon2.lo
$(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
-rpath $(moduledir) -module -o $@ $? $(LIBS)
clean:
rm -rf *.o *.lo *.la .libs
install: install-lib install-man FORCE
install-lib: $(PROGRAMS)
mkdir -p $(DESTDIR)$(moduledir)
for p in $(PROGRAMS) ; do \
$(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \
done
install-man: $(MANPAGES)
mkdir -p $(DESTDIR)$(man5dir)
$(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir)
FORCE:
.TH SLAPD-PW-ARGON2 5 "RELEASEDATE" "OpenLDAP LDVERSION" .TH SLAPPW-ARGON2 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 2020-2021 The OpenLDAP Foundation All Rights Reserved. .\" Copyright 2020-2021 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE. .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$ .\" $OpenLDAP$
.SH NAME .SH NAME
slapd-pw-argon2 \- Argon2 password module to slapd slappw\-argon2 \- Argon2 password module to slapd
.SH SYNOPSIS .SH SYNOPSIS
ETCDIR/slapd.conf ETCDIR/slapd.conf
.RS .RS
.LP .LP
.B moduleload pw-argon2 .B moduleload argon2
.RI [ <parameters> ] .RI [ <parameters> ]
.RE .RE
.SH DESCRIPTION .SH DESCRIPTION
.LP .LP
The The
.B pw-argon2 .B argon2
module to module to
.BR slapd (8) .BR slapd (8)
provides support for the use of the key derivation function Argon2, provides support for the use of the key derivation function Argon2,
...@@ -27,7 +27,7 @@ for use in slapd. ...@@ -27,7 +27,7 @@ for use in slapd.
.SH CONFIGURATION .SH CONFIGURATION
The The
.B pw-argon2 .B argon2
module does not need any configuration, module does not need any configuration,
but it can be configured by giving the following parameters: but it can be configured by giving the following parameters:
.TP .TP
...@@ -72,11 +72,11 @@ The relevant option/value is: ...@@ -72,11 +72,11 @@ The relevant option/value is:
.RS .RS
.LP .LP
.B \-o .B \-o
.BR module\-load = pw-argon2 .BR module\-load = argon2
.LP .LP
.RE .RE
Depending on Depending on
.BR pw-argon2 's .BR argon2 's
location, you may also need: location, you may also need:
.RS .RS
.LP .LP
...@@ -280,6 +280,9 @@ dummy $(SLAPD_DYNAMIC_BACKENDS): slapd ...@@ -280,6 +280,9 @@ dummy $(SLAPD_DYNAMIC_BACKENDS): slapd
dynamic_overlays: slapd dynamic_overlays: slapd
cd overlays && $(MAKE) $(MFLAGS) dynamic cd overlays && $(MAKE) $(MFLAGS) dynamic
dynamic_pwmods: slapd
cd pwmods && $(MAKE) $(MFLAGS) dynamic
# #
# In Windows, dynamic backends have to be built after slapd. For this # In Windows, dynamic backends have to be built after slapd. For this
# reason, we only build static backends now and dynamic backends later. # reason, we only build static backends now and dynamic backends later.
...@@ -382,7 +385,7 @@ install-slapd: FORCE ...@@ -382,7 +385,7 @@ install-slapd: FORCE
fi; \ fi; \
done done
all-cffiles: slapd $(SLAPD_DYNAMIC_BACKENDS) dynamic_overlays all-cffiles: slapd $(SLAPD_DYNAMIC_BACKENDS) dynamic_overlays dynamic_pwmods
@if test $(PLAT) = NT; then \ @if test $(PLAT) = NT; then \
sysconfdir=`cygpath -w $(sysconfdir) | \ sysconfdir=`cygpath -w $(sysconfdir) | \
$(SED) -e 's/\\\\/\\\\\\\\\\\\\\\\/g'`; \ $(SED) -e 's/\\\\/\\\\\\\\\\\\\\\\/g'`; \
# Makefile.in for overlays
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 2003-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
SRCS = argon2.c
LTONLY_MOD = $(LTONLY_mod)
LDAP_INCDIR= ../../../include
LDAP_LIBDIR= ../../../libraries
MOD_DEFS = -DSLAPD_IMPORT
shared_LDAP_LIBS = $(LDAP_LIBLDAP_LA) $(LDAP_LIBLBER_LA)
NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
LIBRARY = dummyvalue
PROGRAMS = @SLAPD_DYNAMIC_PWMODS@
XINCPATH = -I.. -I$(srcdir)/..
XDEFS = $(MODULES_CPPFLAGS)
dynamic: $(PROGRAMS)
argon2.la : argon2.lo version.lo
$(LTLINK_MOD) -module -o $@ argon2.lo version.lo $(ARGON2_LIBS) $(LINK_LIBS) $(MODULES_LIBS)
install-local: $(PROGRAMS)
@if test -n "$?" ; then \
$(MKDIR) $(DESTDIR)$(moduledir); \
$(LTINSTALL) $(INSTALLFLAGS) -m 755 $? $(DESTDIR)$(moduledir);\
fi
MKDEPFLAG = -l
.SUFFIXES: .c .o .lo
.c.lo:
$(LTCOMPILE_MOD) $<
# Must fixup depends for non-libtool objects
depend-local: depend-common
@if test -n "$(OBJS)"; then \
OBJ2=`echo $(OBJS) $(OBJDEP) | $(SED) -e 's/\.o//g'`; \
SCR=''; for i in $$OBJ2; do SCR="$$SCR -e s/^$$i.lo:/$$i.o:/"; done; \
mv Makefile Makefile.bak; $(SED) $$SCR Makefile.bak > Makefile && \
$(RM) Makefile.bak; fi
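Review bot: The header comment of this new file still says `# Makefile.in for overlays`, which is a copy-paste leftover; it should read `# Makefile.in for password modules (pwmods)`. `LTONLY_MOD = $(LTONLY_mod)` hard-codes the dynamic-module build, which appears intentional since configure rejects --enable-argon2 without --enable-modules, but that reasoning lives in configure.ac, so a one-line comment above it such as `# pwmods are only ever built as dynamic modules; configure enforces --enable-modules` would save the next reader a search.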
Argon2 OpenLDAP support Argon2 OpenLDAP support
---------------------- ----------------------
pw-argon2.c provides support for ARGON2 hashed passwords in OpenLDAP. For argon2.c provides support for ARGON2 hashed passwords in OpenLDAP. For
instance, one could have the LDAP attribute: instance, one could have the LDAP attribute:
userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng
...@@ -22,13 +22,13 @@ For initial testing you might also want to edit DEFS to define ...@@ -22,13 +22,13 @@ For initial testing you might also want to edit DEFS to define
SLAPD_ARGON2_DEBUG, which enables logging to stderr (don't leave this on SLAPD_ARGON2_DEBUG, which enables logging to stderr (don't leave this on
in production, as it prints passwords in cleartext). in production, as it prints passwords in cleartext).
2) Run 'make' to produce pw-argon2.so 2) Run 'make' to produce argon2.so
3) Copy pw-argon2.so somewhere permanent. 3) Copy argon2.so somewhere permanent.
4) Edit your slapd.conf (eg. /etc/ldap/slapd.conf), and add: 4) Edit your slapd.conf (eg. /etc/ldap/slapd.conf), and add:
moduleload ...path/to/pw-argon2.so moduleload ...path/to/argon2.so
5) Restart slapd. 5) Restart slapd.
/* pw-argon2.c - Password module for argon2 */ /* argon2.c - Password module for argon2 */
/* $OpenLDAP$ */ /* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>. /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
* *
...@@ -15,6 +15,7 @@ ...@@ -15,6 +15,7 @@
*/ */
#include "portable.h" #include "portable.h"
#ifdef SLAPD_PWMOD_PW_ARGON2
#include "ac/string.h" #include "ac/string.h"
#include "lber_pvt.h" #include "lber_pvt.h"
#include "lutil.h" #include "lutil.h"
...@@ -22,7 +23,7 @@ ...@@ -22,7 +23,7 @@
#include <stdint.h> #include <stdint.h>
#include <stdlib.h> #include <stdlib.h>
#ifdef SLAPD_ARGON2_USE_ARGON2 #ifdef HAVE_LIBARGON2
#include <argon2.h> #include <argon2.h>
/* /*
...@@ -35,7 +36,7 @@ ...@@ -35,7 +36,7 @@
#define SLAPD_ARGON2_SALT_LENGTH 16 #define SLAPD_ARGON2_SALT_LENGTH 16
#define SLAPD_ARGON2_HASH_LENGTH 32 #define SLAPD_ARGON2_HASH_LENGTH 32
#else /* !SLAPD_ARGON2_USE_ARGON2 */ #else /* !HAVE_LIBARGON2 */
#include <sodium.h> #include <sodium.h>
/* /*
...@@ -71,7 +72,7 @@ slapd_argon2_hash( ...@@ -71,7 +72,7 @@ slapd_argon2_hash(
char *p; char *p;
int rc = LUTIL_PASSWD_ERR; int rc = LUTIL_PASSWD_ERR;
#ifdef SLAPD_ARGON2_USE_ARGON2 #ifdef HAVE_LIBARGON2
struct berval salt; struct berval salt;
size_t encoded_length; size_t encoded_length;
...@@ -114,7 +115,7 @@ slapd_argon2_hash( ...@@ -114,7 +115,7 @@ slapd_argon2_hash(
hash->bv_len = scheme->bv_len + encoded_length; hash->bv_len = scheme->bv_len + encoded_length;
ber_memfree( salt.bv_val ); ber_memfree( salt.bv_val );
#else /* !SLAPD_ARGON2_USE_ARGON2 */ #else /* !HAVE_LIBARGON2 */
/* Not exposed by libsodium /* Not exposed by libsodium
salt_length = SLAPD_ARGON2_SALT_LENGTH; salt_length = SLAPD_ARGON2_SALT_LENGTH;
hash_length = SLAPD_ARGON2_HASH_LENGTH; hash_length = SLAPD_ARGON2_HASH_LENGTH;
...@@ -153,7 +154,7 @@ slapd_argon2_verify( ...@@ -153,7 +154,7 @@ slapd_argon2_verify(
{ {
int rc = LUTIL_PASSWD_ERR; int rc = LUTIL_PASSWD_ERR;
#ifdef SLAPD_ARGON2_USE_ARGON2 #ifdef HAVE_LIBARGON2
if ( strncmp( passwd->bv_val, "$argon2i$", STRLENOF("$argon2i$") ) == 0 ) { if ( strncmp( passwd->bv_val, "$argon2i$", STRLENOF("$argon2i$") ) == 0 ) {
rc = argon2i_verify( passwd->bv_val, cred->bv_val, cred->bv_len ); rc = argon2i_verify( passwd->bv_val, cred->bv_val, cred->bv_len );
} else if ( strncmp( passwd->bv_val, "$argon2d$", STRLENOF("$argon2d$") ) == 0 ) { } else if ( strncmp( passwd->bv_val, "$argon2d$", STRLENOF("$argon2d$") ) == 0 ) {
...@@ -161,7 +162,7 @@ slapd_argon2_verify( ...@@ -161,7 +162,7 @@ slapd_argon2_verify(
} else if ( strncmp( passwd->bv_val, "$argon2id$", STRLENOF("$argon2id$") ) == 0 ) { } else if ( strncmp( passwd->bv_val, "$argon2id$", STRLENOF("$argon2id$") ) == 0 ) {
rc = argon2id_verify( passwd->bv_val, cred->bv_val, cred->bv_len ); rc = argon2id_verify( passwd->bv_val, cred->bv_val, cred->bv_len );
} }
#else /* !SLAPD_ARGON2_USE_ARGON2 */ #else /* !HAVE_LIBARGON2 */
rc = crypto_pwhash_str_verify( passwd->bv_val, cred->bv_val, cred->bv_len ); rc = crypto_pwhash_str_verify( passwd->bv_val, cred->bv_val, cred->bv_len );
#endif #endif
...@@ -175,7 +176,7 @@ int init_module( int argc, char *argv[] ) ...@@ -175,7 +176,7 @@ int init_module( int argc, char *argv[] )
{ {
int i; int i;
#ifndef SLAPD_ARGON2_USE_ARGON2 #ifdef HAVE_LIBSODIUM
if ( sodium_init() == -1 ) { if ( sodium_init() == -1 ) {
return -1; return -1;
} }
...@@ -218,3 +219,4 @@ int init_module( int argc, char *argv[] ) ...@@ -218,3 +219,4 @@ int init_module( int argc, char *argv[] )
return lutil_passwd_add( (struct berval *)&slapd_argon2_scheme, return lutil_passwd_add( (struct berval *)&slapd_argon2_scheme,
slapd_argon2_verify, slapd_argon2_hash ); slapd_argon2_verify, slapd_argon2_hash );
} }
#endif /* SLAPD_OVER_PW_ARGON2 */
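Review bot: The closing `#endif /* SLAPD_OVER_PW_ARGON2 */` does not match the guard opened in the `@@ -15,6` hunk, `#ifdef SLAPD_PWMOD_PW_ARGON2`, and should read `#endif /* SLAPD_PWMOD_PW_ARGON2 */`. More importantly, the include selection and the initialisation now use different conditions: `sodium.h` is pulled in by `#else /* !HAVE_LIBARGON2 */`, whereas `sodium_init()` in init_module is now guarded by `#ifdef HAVE_LIBSODIUM` (it was previously under the same `!SLAPD_ARGON2_USE_ARGON2` condition as the include), so a build with neither macro defined compiles the libsodium path without ever calling sodium_init(). Replacing the `#else` at the include site with `#elif defined(HAVE_LIBSODIUM)` and adding `#else` / `#error "argon2 module requires libargon2 or libsodium"` before its `#endif` turns that misconfiguration into a compile-time failure; the same applies to the matching `#else /* !HAVE_LIBARGON2 */` branches in slapd_argon2_hash and slapd_argon2_verify, whose bodies start outside their hunks.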
...@@ -27,3 +27,11 @@ objectclass: person ...@@ -27,3 +27,11 @@ objectclass: person
cn: ssha cn: ssha
sn: ssha sn: ssha
userpassword: secret userpassword: secret
dn: cn=argon2,dc=example,dc=com
objectclass: person
cn: argon2
sn: argon2
userPassword:: e0FSR09OMn0kYXJnb24yaSR2PTE5JG09NDA5Nix0PTMscD0xJHZTc1orVnZjM
UhoZzc0WFNrdVZLOFEkd1B2UUc0blFMS2xaSkRGU0tna2k0L2NYejNLT2lOYXpwL2VDWkFWOFlt
Zw==
...@@ -41,6 +41,7 @@ AC_sql=sql@BUILD_SQL@ ...@@ -41,6 +41,7 @@ AC_sql=sql@BUILD_SQL@