Sorry, I wanted to post from this alias, but From-Address isn't saved with my 
drafts :)
 
I failed to recognize during my patchwork that the verification function is the 
same for ARGON2I and -ID:
both call `verify_argon2`, which in turn calls libsodium's 
`crypto_pwhash_str_verify`.

In this new light, there is no "harm" in my patch:
- If backend gives back "{ARGON2}...", dovecot verifies with the same call 
anyway, regardless of what subtype it actually is, i.e.: {ARGON2I} will work 
too.
- If dovecot generates the hash, the prefix will be the one set by the config's 
default hash, so for backwards compatibility, "{ARGON2ID}" could be used if someone 
wants that. Dovecot will succeed in verifying {ARGON2} generated by itself as 
well.
 
"Aki Tuomi" aki.tu...@open-xchange.com – 15 November 2022 13:55
> > On 15/11/2022 14:45 EET Krisztián Szegi <oni-d...@mszk.eu> wrote:
> > 
> > 
> > Good day to all,
> >  
> > this is my first post to the mailing list!
> >  
> > I'd like to report that non-binding auth to (Open)LDAP doesn't work if the 
> > latter hashes passwords with ARGON2.
> >  
> > Although dovecot (I am using 2.3.19.1) does support ARGON2 with 
> > libsodium, it doesn't recognize hashes beginning with "{ARGON2}$argon2id$" 
> > stored (and hashed, using ppolicy module's hashCleartext) by OpenLDAP.
> >  
> > Now, I understand that ARGON2I, -D, and -ID are not compatible, but the 
> > ACTUAL algorithm is there between the two $.
> > Furthermore, I think dovecot is in the minority here, I haven't met any 
> > software that specifies the ARGON2 subtype between {}.
> > BTW, I haven't met any software that hashes passwords with ARGON2, but not 
> > with the ARGON2ID subtype (where libsodium is available, which also seems 
> > to be the standard here), as THAT is the recommended one anyway.
> > 
> > I patched the rpm in OpenSUSE repo to alias {ARGON2} to {ARGON2ID}:
> > https://build.opensuse.org/package/view_file/home:Samonitari:branches:openSUSE:Factory/dovecot23/dovecot-2.3.0-alias_ARGON2_to_ARGON2ID.patch
> >  
> > Could we get something like this (but maybe more correct) into the official 
> > source?
> > Maybe a config switch to alias it runtime?
> >  
> > Thanks for the attention:
> > Krisztián
> 
> Hi!
> 
> Thanks for your report. I think it makes sense, we'll see what we can do 
> about this.
> 
> Aki
> 
>

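The point made above, that the `{SCHEME}` prefix is only a dispatch label while the Argon2 variant that actually gets verified is the one written between the `$` separators, as an added example. This is not Dovecot or OpenLDAP code; it is a small Python parser for the `{ARGON2*}$argon2…$` values OpenLDAP stores, with the `{ARGON2}` to `{ARGON2ID}` alias from the patch in this thread taken as an assumption, and a check that the embedded variant is one libsodium's `crypto_pwhash_str_verify` can handle (it supports argon2i and argon2id only). The sample salt and tag are constructed filler, not a real Argon2 output.

```python
import re
from dataclasses import dataclass

# PHC-style Argon2 string as written by libsodium's crypto_pwhash_str()
# (and hence by OpenLDAP ppolicy when it hashes through libsodium):
#   $argon2id$v=19$m=65536,t=2,p=1$<base64 salt>$<base64 tag>
# libsodium emits unpadded base64, so '=' is not in the character class.
_PHC_RE = re.compile(
    r"^\$(?P<variant>argon2(?:id|i|d))"
    r"\$v=(?P<version>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)"
    r"\$(?P<tag>[A-Za-z0-9+/]+)$"
)

# Dovecot's two Argon2 scheme names, plus the {ARGON2} alias the patch in
# this thread introduces. Assumption: the alias resolves to ARGON2ID.
SCHEME_ALIASES = {"ARGON2": "ARGON2ID"}
ARGON2_SCHEMES = {"ARGON2I", "ARGON2ID"}
# libsodium's crypto_pwhash_str_verify() handles only these two variants.
LIBSODIUM_VARIANTS = {"argon2i", "argon2id"}


@dataclass(frozen=True)
class ParsedArgon2:
    scheme: str           # canonical {SCHEME} after aliasing, e.g. "ARGON2ID"
    variant: str          # variant named inside the encoded string itself
    prefix_matches: bool  # True when {SCHEME} agrees with that variant
    version: int
    memory_kib: int
    iterations: int
    parallelism: int
    encoded: str          # bare "$argon2...$" string the verifier would get


def split_scheme(stored: str):
    """Split "{SCHEME}payload" into (SCHEME upper-cased, payload)."""
    if not stored.startswith("{"):
        raise ValueError("missing {SCHEME} prefix")
    end = stored.find("}")
    if end == -1:
        raise ValueError("unterminated {SCHEME} prefix")
    return stored[1:end].upper(), stored[end + 1:]


def parse_argon2(stored: str) -> ParsedArgon2:
    """Parse a stored {ARGON2*}$argon2...$ value and check it is verifiable."""
    scheme, payload = split_scheme(stored)
    scheme = SCHEME_ALIASES.get(scheme, scheme)
    if scheme not in ARGON2_SCHEMES:
        raise ValueError(f"not an Argon2 scheme: {scheme}")
    m = _PHC_RE.match(payload)
    if m is None:
        raise ValueError("payload is not a PHC-formatted Argon2 string")
    variant = m.group("variant")
    # The prefix never reaches libsodium: the verifier reads the variant
    # from the string itself, so an argon2d string cannot be verified no
    # matter which {SCHEME} it was stored under.
    if variant not in LIBSODIUM_VARIANTS:
        raise ValueError(f"libsodium cannot verify variant {variant}")
    return ParsedArgon2(
        scheme=scheme,
        variant=variant,
        prefix_matches=(variant.upper() == scheme),
        version=int(m.group("version")),
        memory_kib=int(m.group("m")),
        iterations=int(m.group("t")),
        parallelism=int(m.group("p")),
        encoded=payload,
    )


def rejects(stored: str) -> bool:
    """True when parse_argon2() refuses the value."""
    try:
        parse_argon2(stored)
    except ValueError:
        return True
    return False


# Constructed sample in the shape OpenLDAP stores: the salt is base64 of
# "saltsaltsaltsalt", the tag is filler, not a real Argon2 output.
SAMPLE_PAYLOAD = ("$argon2id$v=19$m=65536,t=2,p=1"
                  "$c2FsdHNhbHRzYWx0c2FsdA"
                  "$RdescudvJCsgt3ub+b+dWRWJTmaaJObGzd4VmrgBmfQ")
SAMPLE_OPENLDAP = "{ARGON2}" + SAMPLE_PAYLOAD

if __name__ == "__main__":
    for stored in (SAMPLE_OPENLDAP, "{ARGON2I}" + SAMPLE_PAYLOAD,
                   "{ARGON2ID}" + SAMPLE_PAYLOAD):
        p = parse_argon2(stored)
        print(f"{stored[:12]:12} -> scheme={p.scheme} variant={p.variant} "
              f"prefix_matches={p.prefix_matches}")
```

Running it shows the three prefixes all yield the same `encoded` payload with `variant=argon2id`; only `prefix_matches` differs, which is the "no harm" argument above in executable form. A mismatch is reported rather than rejected, since the verifier call is the same either way; an argon2d string is rejected, because no `{SCHEME}` label can make libsodium verify it.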
 
