From: Ondřej Kuzník <ondra@mistotebe.net>
Date: Fri, 9 Apr 2021 09:41:00 +0000 (+0100)
Subject: ITS#9520 Refuse parallelism if not compiled with libargon2
X-Git-Tag: OPENLDAP_REL_ENG_2_5_4~7^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae77343d675c9a8ae057c52d6cddcd133aec091e;p=thirdparty%2Fopenldap.git

ITS#9520 Refuse parallelism if not compiled with libargon2
---

diff --git a/doc/man/man5/slappw-argon2.5 b/doc/man/man5/slappw-argon2.5
index f5907b673a..86de38c9e3 100644
--- a/doc/man/man5/slappw-argon2.5
+++ b/doc/man/man5/slappw-argon2.5
@@ -39,7 +39,8 @@ kiB.
 .BI p= <parallelism>
 Set parallelism to
 .I <parallelism>
-threads.
+threads. Currently supported only when linked with
+.BR libargon2 .
 .TP
 .BI t= <iterations>
 Set the number of iterations to
diff --git a/servers/slapd/pwmods/argon2.c b/servers/slapd/pwmods/argon2.c
index 1e0142116f..0657340557 100644
--- a/servers/slapd/pwmods/argon2.c
+++ b/servers/slapd/pwmods/argon2.c
@@ -20,6 +20,8 @@
 #include "lber_pvt.h"
 #include "lutil.h"
 
+#include "slap.h"
+
 #include <stdint.h>
 #include <stdlib.h>
 
@@ -216,6 +218,22 @@ int init_module( int argc, char *argv[] )
 		}
 	}
 
+#ifndef HAVE_LIBARGON2
+	/* At the moment, we can only use libargon2 to set parallelism for new
+	 * hashes */
+	if ( parallelism != SLAPD_ARGON2_PARALLELISM ) {
+		Debug( LDAP_DEBUG_ANY, "pw-argon2: "
+				"non-default parallelism only supported when linked with "
+				"libargon2, got p=%lu\n",
+				parallelism );
+
+		if ( (slapMode & SLAP_MODE) != SLAP_TOOL_MODE ||
+				slapTool == SLAPPASSWD || slapTool == SLAPTEST ) {
+			return 1;
+		}
+	}
+#endif
+
 	return lutil_passwd_add( (struct berval *)&slapd_argon2_scheme,
 			slapd_argon2_verify, slapd_argon2_hash );
 }