ITS#9520 Refuse parallelism if not compiled with libargon2

diff --git a/doc/man/man5/slappw-argon2.5 b/doc/man/man5/slappw-argon2.5
index f5907b673ac30d3bbc4ee42e3f7d6cef414bf487..86de38c9e3abdaaa7f21693643b7621d22ec9f3f 100644 (file)
--- a/doc/man/man5/slappw-argon2.5
+++ b/doc/man/man5/slappw-argon2.5
@@ -39,7 +39,8 @@ kiB.
 .BI p= <parallelism>
 Set parallelism to
 .I <parallelism>
-threads.
+threads. Currently supported only when linked with
+.BR libargon2 .
 .TP
 .BI t= <iterations>
 Set the number of iterations to

diff --git a/servers/slapd/pwmods/argon2.c b/servers/slapd/pwmods/argon2.c
index 1e0142116f737b22f8f19562b866a0635247b21d..0657340557fc8471660286adbc8870844db7f56d 100644 (file)
--- a/servers/slapd/pwmods/argon2.c
+++ b/servers/slapd/pwmods/argon2.c
@@ -20,6 +20,8 @@
 #include "lber_pvt.h"
 #include "lutil.h"
 
+#include "slap.h"
+
 #include <stdint.h>
 #include <stdlib.h>
 
@@ -216,6 +218,22 @@ int init_module( int argc, char *argv[] )
                }
        }
 
+#ifndef HAVE_LIBARGON2
+       /* At the moment, we can only use libargon2 to set parallelism for new
+        * hashes */
+       if ( parallelism != SLAPD_ARGON2_PARALLELISM ) {
+               Debug( LDAP_DEBUG_ANY, "pw-argon2: "
+                               "non-default parallelism only supported when linked with "
+                               "libargon2, got p=%lu\n",
+                               parallelism );
+
+               if ( (slapMode & SLAP_MODE) != SLAP_TOOL_MODE ||
+                               slapTool == SLAPPASSWD || slapTool == SLAPTEST ) {
+                       return 1;
+               }
+       }
+#endif
+
        return lutil_passwd_add( (struct berval *)&slapd_argon2_scheme,
                        slapd_argon2_verify, slapd_argon2_hash );
 }