]> git.ipfire.org Git - thirdparty/dovecot/core.git/commitdiff
projects / thirdparty / dovecot / core.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 626421c)
libpassword: Add support for ARGON2 scheme
authorAki Tuomi <aki.tuomi@dovecot.fi>
Tue, 10 Oct 2017 14:58:03 +0000 (17:58 +0300)
committerAki Tuomi <aki.tuomi@dovecot.fi>
Mon, 16 Oct 2017 07:13:49 +0000 (10:13 +0300)
src/auth/Makefile.am patch | blob | blame | history
src/auth/password-scheme-sodium.c [new file with mode: 0644] patch | blob
src/auth/password-scheme.c patch | blob | blame | history
src/auth/password-scheme.h patch | blob | blame | history
src/doveadm/Makefile.am patch | blob | blame | history

diff --git a/src/auth/Makefile.am b/src/auth/Makefile.am
index b6e9f291bcff247931403a4a4472229cb11617c5..2a9468ef9310474ce80852173c7ed51f5804287e 100644 (file)
--- a/src/auth/Makefile.am
+++ b/src/auth/Makefile.am
@@ -51,7 +51,9 @@ libpassword_la_SOURCES = \
        password-scheme-scram.c \
        password-scheme-otp.c \
        password-scheme-rpa.c \
-       password-scheme-pbkdf2.c
+       password-scheme-pbkdf2.c \
+       password-scheme-sodium.c
+libpassword_la_CFLAGS = $(AM_CPPFLAGS) $(LIBSODIUM_CFLAGS)
 
 auth_libs = \
        libauth.la \
@@ -59,7 +61,8 @@ auth_libs = \
        libpassword.la \
        ../lib-ntlm/libntlm.la \
        ../lib-otp/libotp.la \
-       $(LIBDOVECOT_SQL)
+       $(LIBDOVECOT_SQL) \
+       $(LIBSODIUM_LIBS)
 
 auth_CPPFLAGS = $(AM_CPPFLAGS) $(BINARY_CFLAGS)
 auth_LDADD = $(auth_libs) $(LIBDOVECOT) $(AUTH_LIBS) $(BINARY_LDFLAGS)
diff --git a/src/auth/password-scheme-sodium.c b/src/auth/password-scheme-sodium.c
new file mode 100644 (file)
index 0000000..03d5b72
--- /dev/null
+++ b/src/auth/password-scheme-sodium.c
@@ -0,0 +1,53 @@
+#include "lib.h"
+#include "password-scheme.h"
+
+#ifdef HAVE_LIBSODIUM
+#include <sodium.h>
+
+static void
+generate_argon2(const char *plaintext, const struct password_generate_params *params,
+               const unsigned char **raw_password_r, size_t *size_r)
+{
+       unsigned long long rounds = params->rounds;
+       size_t memlimit;
+       char result[crypto_pwhash_STRBYTES];
+
+       if (rounds == 0)
+               rounds = crypto_pwhash_argon2i_OPSLIMIT_INTERACTIVE;
+
+       if (rounds >= crypto_pwhash_argon2i_OPSLIMIT_SENSITIVE)
+               memlimit = crypto_pwhash_argon2i_MEMLIMIT_SENSITIVE;
+       else if (rounds >= crypto_pwhash_argon2i_OPSLIMIT_MODERATE)
+               memlimit = crypto_pwhash_argon2i_MEMLIMIT_MODERATE;
+       else
+               memlimit = crypto_pwhash_argon2i_MEMLIMIT_INTERACTIVE;
+
+       if (crypto_pwhash_str(result, plaintext, strlen(plaintext), rounds, memlimit) < 0)
+               i_fatal("crypto_pwhash_str failed");
+       *raw_password_r = (const unsigned char*)t_strdup(result);
+       *size_r = strlen(result);
+}
+
+static int
+verify_argon2(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED,
+             const unsigned char *raw_password, size_t size,
+             const char **error_r ATTR_UNUSED)
+{
+       const char *passwd = t_strndup(raw_password, size);
+       if (crypto_pwhash_str_verify(passwd, plaintext, strlen(plaintext)) < 0)
+               return 0;
+       return 1;
+}
+
+
+static const struct password_scheme sodium_schemes[] = {
+       { "ARGON2", PW_ENCODING_NONE, 0, verify_argon2,
+         generate_argon2 },
+};
+
+void password_scheme_register_sodium(void)
+{
+       for(size_t i = 0; i < N_ELEMENTS(sodium_schemes); i++)
+               password_scheme_register(&sodium_schemes[i]);
+}
+#endif
diff --git a/src/auth/password-scheme.c b/src/auth/password-scheme.c
index 10ca0fbc3a02705e2bba55ca69b9f51ecde96dae..de6c763db6f1aa7d2f7b22413086717400b5fcfc 100644 (file)
--- a/src/auth/password-scheme.c
+++ b/src/auth/password-scheme.c
@@ -868,6 +868,9 @@ void password_schemes_init(void)
        for (i = 0; i < N_ELEMENTS(builtin_schemes); i++)
                password_scheme_register(&builtin_schemes[i]);
        password_scheme_register_crypt();
+#ifdef HAVE_LIBSODIUM
+       password_scheme_register_sodium();
+#endif
 }
 
 void password_schemes_deinit(void)
diff --git a/src/auth/password-scheme.h b/src/auth/password-scheme.h
index 6c94dd6d0d3f097e51b924d1c67b9d45c0aac8e6..d30594657649c0ec4cdf739a9c9651cbbe54335b 100644 (file)
--- a/src/auth/password-scheme.h
+++ b/src/auth/password-scheme.h
@@ -110,4 +110,8 @@ int pbkdf2_verify(const char *plaintext, const struct password_generate_params *
    supported by the used libc's/glibc's crypt() */
 void password_scheme_register_crypt(void);
 
+#ifdef HAVE_LIBSODIUM
+void password_scheme_register_sodium(void);
+#endif
+
 #endif
diff --git a/src/doveadm/Makefile.am b/src/doveadm/Makefile.am
index cda12ade2bd8baaae5f0ab3c1bf24d8b258ea3e8..05d792a434782f98e257d4fd409a61f3a8cb73dc 100644 (file)
--- a/src/doveadm/Makefile.am
+++ b/src/doveadm/Makefile.am
@@ -49,6 +49,7 @@ doveadm_LDADD = \
        $(CRYPT_LIBS) \
        $(LIBDOVECOT_STORAGE) \
        $(LIBDOVECOT) \
+       $(LIBSODIUM_LIBS) \
        $(BINARY_LDFLAGS)
 
 doveadm_DEPENDENCIES = \
Mirror of https://github.com/dovecot/core.git