https://bugs.openldap.org/show_bug.cgi?id=9233
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|IN_PROGRESS |RESOLVED
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org --- Quanah Gibson-Mount pushed to branch OPENLDAP_REL_ENG_2_4 at openldap / OpenLDAP
Commits: • 2210a3bd by Simon Levermann at 2020-04-21T19:40:16+00:00 ITS#8575 Implement argon2 password hashing as a module
This change implements argon2, which won the Password Hashing Competition (https://password-hashing.net/) as a contrib-module in order to provide a modern password hashing alternative in openldap. The currently available password hashing algorithms are relatively old, and modern hardware, especially GPUs can compute quite a few (ranging from tens of thousands to millions) of hashes per second. Argon2 was designed to withstand such attacks.
This implementation uses the default work factors used in the argon2 command line client, but the resulting hashes are stored in a way that would allow retroactive changes to these values, or even exposing them as configuration in the module.
• 793f6ecd by Ondřej Kuzník at 2020-04-21T19:40:21+00:00 ITS#8575 Add a libsodium based implementation
• b643f7fc by Ondřej Kuzník at 2020-04-21T19:40:24+00:00 ITS#8575 Accept parameters for hashing new passwords
• 997ff449 by Peter Marschall at 2020-04-21T19:40:30+00:00 ITS#9203 contrib/passwd/argon2: add manual page
Add manual page slapd-pw-argon2.5 and make sure it gets installed.
Signed-off-by: Peter Marschall peter@adpm.de
• 0ff54ddf by Ryan Tandy at 2020-04-21T19:40:33+00:00 ITS#9203 slapd-argon2 -> pw-argon2
Based on initial patch by Peter Marschall.
• 8ff81631 by Peter Marschall at 2020-04-21T19:40:38+00:00 ITS#9206 contrib/passwd/argon2: consolidate libsodium implementation
* use 'crypto_pwhash_str_alg(..., crypto_pwhash_ALG_ARGON2ID13)' to set the algorithm to Argon2. According to libsodium's documentation, the original 'crypto_pwhash_str()' only guarantees a "memory-hard, CPU-intensive hash function", but not necessarily Argon2. Although in released versions of libsodium Argon2 is the only implemented backend, this may chane in the future. * multiply the 'memory' parameter by 1024 to align it with the libargon2 implementation. The objective is to have consistent configuration in OpenLDAP's pw-argon2 module no matter what backend implementation is used.
Signed-off-by: Peter Marschall peter@adpm.de
• 511ad098 by Ryan Tandy at 2020-04-21T19:40:42+00:00 ITS#9206 Initialize libsodium before calling its functions
• 07405636 by Ryan Tandy at 2020-04-21T19:40:45+00:00 ITS#9206 Convert libsodium default memlimit to KiB
• 59bed7e6 by Ryan Tandy at 2020-04-21T19:40:49+00:00 ITS#9206 Use argon2id default values explicitly
• ba50189b by Ryan Tandy at 2020-04-21T19:40:55+00:00 ITS#9203 Remove default values from slapd-pw-argon2.5
The defaults vary by crypto library and possibly even version, so it's not worth trying to keep them accurate.
4 changed files: • + contrib/slapd-modules/passwd/argon2/Makefile • + contrib/slapd-modules/passwd/argon2/README • + contrib/slapd-modules/passwd/argon2/pw-argon2.c • + contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5