https://bugs.openldap.org/show_bug.cgi?id=9206
Bug ID: 9206
Summary: contrib/passwd/argon2: consolidate libsodium implementation
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: contrib
Assignee: bugs@openldap.org
Reporter: peter@adpm.de
Target Milestone: ---
Created attachment 702 (https://bugs.openldap.org/attachment.cgi?id=702&action=edit): patch to consolidate pw-argon2 implementation based on libsodium
Hi,
The current libsodium implementation of pw-argon2 has 2 issues:
- it uses crypto_pwhash_str(), which only guarantees a "memory-hard, CPU-intensive hash function", but not necessarily Argon2.
- it uses a different unit for the 'memory' parameter than the libargon2 implementation: bytes instead of KiB.

The attached patch aims to fix both issues. (The patch is in git format, you can merge it using 'git am'.)
I'd appreciate if you include them into OpenLDAP.
The referenced files are derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Peter Marschall peter@adpm.de. I have not assigned rights and/or interest in this work to any party.
The referenced modifications to OpenLDAP Software are subject to the following notice: Copyright 2020 Peter Marschall Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License.
Ryan Tandy ryan@openldap.org changed:
See Also: https://bugs.openldap.org/show_bug.cgi?id=9203 (added)
--- Comment #1 from Ryan Tandy ryan@openldap.org ---
Thanks for the patch! I will add one fixup: the default limit for libsodium (crypto_pwhash_MEMLIMIT_INTERACTIVE) is also expressed in bytes; we don't want to multiply that one.
Ryan Tandy ryan@openldap.org changed:
Ever confirmed: 0 -> 1
Status: UNCONFIRMED -> IN_PROGRESS

--- Comment #2 from Ryan Tandy ryan@openldap.org ---
https://git.openldap.org/openldap/openldap/-/merge_requests/25
Quanah Gibson-Mount quanah@openldap.org changed:
Target Milestone: --- -> 2.5.0
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org ---
• 40ce9a46 by Peter Marschall at 2020-04-14T09:26:19-07:00
ITS#9206 contrib/passwd/argon2: consolidate libsodium implementation

* use 'crypto_pwhash_str_alg(..., crypto_pwhash_ALG_ARGON2ID13)' to set the algorithm to Argon2. According to libsodium's documentation, the original 'crypto_pwhash_str()' only guarantees a "memory-hard, CPU-intensive hash function", but not necessarily Argon2. Although in released versions of libsodium Argon2 is the only implemented backend, this may change in the future.
* multiply the 'memory' parameter by 1024 to align it with the libargon2 implementation. The objective is to have consistent configuration in OpenLDAP's pw-argon2 module no matter what backend implementation is used.
Signed-off-by: Peter Marschall peter@adpm.de
• 64856677 by Ryan Tandy at 2020-04-14T09:26:19-07:00 ITS#9206 Initialize libsodium before calling its functions
• 307b06ff by Ryan Tandy at 2020-04-14T09:26:19-07:00 ITS#9206 Convert libsodium default memlimit to KiB
• 0ec42b08 by Ryan Tandy at 2020-04-14T09:26:19-07:00 ITS#9206 Use argon2id default values explicitly
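The unit mismatch reported above and the commits that fix it (the KiB setting multiplied by 1024 for libsodium, libsodium's byte-valued default converted back to KiB, Argon2id selected explicitly) suggest a check an operator can run on stored hashes: the m= field in the encoded Argon2 string is always in KiB, so a value that was handed to libsodium as bytes shows up there 1024 times smaller than the number that was configured. The C program below is an added example, not code from OpenLDAP, from the patch, or from libsodium. It assumes a hypothetical configured memory value of 65536 KiB, writes libsodium's 64 MiB interactive default as a literal so it builds without sodium.h, and uses constructed sample hashes whose salt and digest fields are placeholder base64 rather than real Argon2 output.

```c
/* Added example (not OpenLDAP or libsodium code): unit handling for the
 * pw-argon2 'memory' parameter plus a policy check on stored hashes. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical configured value, in KiB as the libargon2 backend takes it. */
#define CONFIGURED_MEMORY_KIB 65536UL
/* libsodium's crypto_pwhash_MEMLIMIT_INTERACTIVE (64 MiB, in bytes, per the
 * libsodium docs), spelled out so the example builds without sodium.h. */
#define SODIUM_MEMLIMIT_INTERACTIVE_BYTES ((size_t)67108864)

/* Constructed samples: salt and digest fields are placeholder base64, not
 * real Argon2 output. SAMPLE_HASH_WEAK is what the 65536 setting yields if
 * handed to libsodium as bytes: m= records 65536/1024 = 64 KiB. */
static const char SAMPLE_HASH_OK[] =
    "$argon2id$v=19$m=65536,t=3,p=1$c2FsdHNhbHRzYWx0c2FsdA$ZGlnZXN0ZGlnZXN0ZGlnZXN0";
static const char SAMPLE_HASH_WEAK[] =
    "$argon2id$v=19$m=64,t=3,p=1$c2FsdHNhbHRzYWx0c2FsdA$ZGlnZXN0ZGlnZXN0ZGlnZXN0";
static const char SAMPLE_HASH_NOT_ID[] =
    "$argon2i$v=19$m=65536,t=3,p=1$c2FsdHNhbHRzYWx0c2FsdA$ZGlnZXN0ZGlnZXN0ZGlnZXN0";

/* KiB -> bytes for libsodium's memlimit argument; 0 on zero or overflow. */
static size_t argon2_kib_to_sodium_bytes(unsigned long kib)
{
    if (kib == 0 || kib > SIZE_MAX / 1024) return 0;
    return (size_t)kib * 1024;
}

/* bytes -> KiB for a libsodium-style default; 0 unless a whole number of
 * KiB, so rounding can never silently lower the cost. */
static unsigned long argon2_sodium_bytes_to_kib(size_t bytes)
{
    if (bytes == 0 || bytes % 1024 != 0) return 0;
    return (unsigned long)(bytes / 1024);
}

struct argon2_params {
    char variant[16];      /* "argon2id", "argon2i" or "argon2d" */
    unsigned long version; /* 19 is Argon2 v1.3 */
    unsigned long m_kib;   /* memory cost, always KiB in the encoding */
    unsigned long t;       /* iterations */
    unsigned long p;       /* lanes */
};

/* strtoul that refuses signs, whitespace and overflow. */
static int parse_ulong(const char *s, const char **end, unsigned long *out)
{
    char *e;
    if (!isdigit((unsigned char)*s)) return -1;
    errno = 0;
    *out = strtoul(s, &e, 10);
    if (errno != 0) return -1;
    *end = e;
    return 0;
}

/* Parse "$argon2xx$v=N$m=N,t=N,p=N$salt$hash"; 0 on success, -1 otherwise. */
static int argon2_parse_phc(const char *s, struct argon2_params *out)
{
    const char *p = s, *end;
    size_t n;
    if (*p++ != '$' || (end = strchr(p, '$')) == NULL) return -1;
    n = (size_t)(end - p);
    if (n >= sizeof out->variant || strncmp(p, "argon2", 6) != 0) return -1;
    memcpy(out->variant, p, n);
    out->variant[n] = '\0';
    p = end + 1;
    if (strncmp(p, "v=", 2) != 0 || parse_ulong(p + 2, &p, &out->version) != 0 || *p++ != '$')
        return -1;
    if (strncmp(p, "m=", 2) != 0 || parse_ulong(p + 2, &p, &out->m_kib) != 0) return -1;
    if (strncmp(p, ",t=", 3) != 0 || parse_ulong(p + 3, &p, &out->t) != 0) return -1;
    if (strncmp(p, ",p=", 3) != 0 || parse_ulong(p + 3, &p, &out->p) != 0) return -1;
    return *p == '$' ? 0 : -1;
}

/* Memory cost recorded in a stored hash, or 0 if it does not parse. */
static unsigned long argon2_phc_memory_kib(const char *hash)
{
    struct argon2_params prm;
    return argon2_parse_phc(hash, &prm) == 0 ? prm.m_kib : 0;
}

/* 1 if the hash is Argon2id v1.3 with at least the configured memory cost. */
static int argon2_hash_meets_policy(const char *hash, unsigned long want_kib)
{
    struct argon2_params prm;
    if (argon2_parse_phc(hash, &prm) != 0) return 0;
    if (strcmp(prm.variant, "argon2id") != 0 || prm.version != 19) return 0;
    return prm.m_kib >= want_kib;
}

int main(void)
{
    const char *samples[] = { SAMPLE_HASH_OK, SAMPLE_HASH_WEAK, SAMPLE_HASH_NOT_ID };
    size_t i;
    printf("configured %lu KiB -> libsodium memlimit %zu bytes\n",
           CONFIGURED_MEMORY_KIB, argon2_kib_to_sodium_bytes(CONFIGURED_MEMORY_KIB));
    printf("libsodium interactive default %zu bytes -> %lu KiB\n",
           SODIUM_MEMLIMIT_INTERACTIVE_BYTES,
           argon2_sodium_bytes_to_kib(SODIUM_MEMLIMIT_INTERACTIVE_BYTES));
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s %s\n", argon2_hash_meets_policy(samples[i], CONFIGURED_MEMORY_KIB)
                          ? "ok:  " : "WEAK:", samples[i]);
    return 0;
}
```

Run over a dump of userPassword values, argon2_hash_meets_policy flags both hashes whose m= is below the configured KiB value and hashes that are not Argon2id at all, which is the signal that a password should be rehashed on next successful bind. The two conversion helpers reject zero, overflow and non-whole-KiB byte counts rather than rounding, so a misconfiguration fails loudly instead of producing a cheaper hash.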
Ryan Tandy ryan@openldap.org changed:
Status: IN_PROGRESS -> RESOLVED
Resolution: --- -> TEST
Quanah Gibson-Mount quanah@openldap.org changed:
Target Milestone: 2.5.0 -> 2.4.50
Resolution: TEST -> FIXED
Quanah Gibson-Mount quanah@openldap.org changed:
Status: RESOLVED -> VERIFIED