Sorry, I wanted to post from this alias, but From-Address isn't saved with
my drafts :)
I failed to recognize during my patchwork that the verification function is the
same for ARGON2I and -ID:
both call `verify_argon2`, which in turn calls libsodium's
`crypto_pwhash_str_verify`.
In this new light, there is no "harm" in my patch:
- If backend gives back "{ARGON2}...", dovecot verifies with the same
call anyway, regardless of what subtype it actually is, i.e.: {ARGON2I} will
work too.
- If dovecot generates the hash, the prefix will be the one set by the
config's default hash, so for backwards comp., "{ARGON2ID}" could
be used if someone wants that. Dovecot will succeed in verifying {ARGON2}
generated by itself as well.
"Aki Tuomi" aki.tuomi at open-xchange.com, 15 November 2022 13:55:
> > On 15/11/2022 14:45 EET Krisztián Szegi <oni-dono at mszk.eu>
wrote:
> >
> > Good day to all,
> >
> > this is my first post to the mailing list!
> >
> > I'd like to report that non-binding auth to (Open)LDAP doesn't
work if the latter hashes passwords with ARGON2.
> >
> > Although dovecot (I am using 2.3.19.1) does support ARGON2 with
libsodium, it doesn't recognize hashes beginning
"{ARGON2}$argon2id$" stored (and hashed, using ppolicy module's
hashCleartext) by OpenLDAP.
> >
> > Now, I understand that ARGON2I, -D, and -ID are not compatible, but
the ACTUAL algorithm is there between the two $.
> > Furthermore, I think dovecot is in the minority here, I haven't
met any software that specifies the ARGON2 subtype between {}.
> > BTW, I haven't met any software that hashes passwords with ARGON2,
but not with the ARGON2ID subtype (where libsodium is available, which also
seems to be the standard here), as THAT is the recommended one anyway.
> >
> > I patched the rpm in OpenSUSE repo to alias {ARGON2} to {ARGON2ID}:
> >
https://build.opensuse.org/package/view_file/home:Samonitari:branches:openSUSE:Factory/dovecot23/dovecot-2.3.0-alias_ARGON2_to_ARGON2ID.patch
> >
> > Could we get something like this (but maybe more correct) into the
official source?
> > Maybe a config switch to alias it runtime?
> >
> > Thanks for the attention:
> > Krisztián
>
> Hi!
>
> Thanks for your report. I think it makes sense, we'll see what we can
do about this.
>
> Aki
>
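The thread turns on two separable pieces of a stored value like `{ARGON2}$argon2id$v=19$m=...`: the Dovecot scheme name between `{}` and the Argon2 variant marker inside the PHC string that libsodium actually dispatches on. The script below is an added example written for this page, not Dovecot's or OpenLDAP's code. It parses both layers, applies the aliasing the patch proposes (`{ARGON2}` treated as `{ARGON2ID}`), and lets an administrator audit a directory export for entries whose `{}` scheme disagrees with the inner variant. Per the thread Dovecot does not reject such entries, since `verify_argon2` hands the PHC string to `crypto_pwhash_str_verify` either way, so the mismatch check here is a hygiene report rather than Dovecot behaviour. The sample hashes are constructed strings with placeholder base64, not real digests, and verification itself is deliberately not performed here.

```python
"""Parse Dovecot-style "{SCHEME}<phc>" Argon2 entries and audit scheme/variant
consistency.  Added example; not Dovecot code.  The aliasing table models the
patch discussed in the thread.  No password verification is performed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Variant markers that may appear inside the PHC string ("$argon2id$...").
ARGON2_VARIANTS = {"argon2i", "argon2d", "argon2id"}

# Scheme-name aliasing modelled on the patch: a bare {ARGON2} is accepted
# as {ARGON2ID}; explicit names map to themselves.  (Assumption: this is how
# the patch behaves; it is not Dovecot's upstream table.)
SCHEME_ALIASES = {"ARGON2": "ARGON2ID", "ARGON2I": "ARGON2I", "ARGON2ID": "ARGON2ID"}

# Which {} scheme each inner variant is consistent with.
VARIANT_TO_SCHEME = {"argon2i": "ARGON2I", "argon2id": "ARGON2ID"}

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_.-]+)\}(.*)$", re.DOTALL)


@dataclass(frozen=True)
class Argon2Hash:
    scheme: str            # scheme name as written between {}
    effective_scheme: str  # scheme after aliasing
    variant: str           # argon2i / argon2d / argon2id from the PHC string
    version: int
    memory_kib: int
    iterations: int
    parallelism: int
    salt_b64: str
    hash_b64: str
    phc: str               # bare PHC string, i.e. what libsodium would receive


def split_scheme(stored: str) -> tuple[str, str]:
    """Split "{SCHEME}rest" into ("SCHEME", "rest"); scheme names are case-insensitive."""
    m = _SCHEME_RE.match(stored)
    if not m:
        raise ValueError("missing {SCHEME} prefix")
    return m.group(1).upper(), m.group(2)


def parse_phc(phc: str) -> dict:
    """Parse "$argon2id$v=19$m=65536,t=3,p=4$<salt>$<hash>" into its fields."""
    parts = phc.split("$")  # parts[0] is the empty string before the leading "$"
    if len(parts) != 6 or parts[0] != "":
        raise ValueError("malformed PHC string")
    _, variant, version, params, salt, digest = parts
    if variant not in ARGON2_VARIANTS:
        raise ValueError(f"unknown argon2 variant {variant!r}")
    if not version.startswith("v=") or not version[2:].isdigit():
        raise ValueError("missing or malformed version field")
    kv = dict(item.split("=", 1) for item in params.split(",") if "=" in item)
    for key in ("m", "t", "p"):
        if key not in kv or not kv[key].isdigit():
            raise ValueError(f"missing or malformed parameter {key}")
    if not salt or not digest:
        raise ValueError("empty salt or hash")
    return {
        "variant": variant,
        "version": int(version[2:]),
        "memory_kib": int(kv["m"]),
        "iterations": int(kv["t"]),
        "parallelism": int(kv["p"]),
        "salt_b64": salt,
        "hash_b64": digest,
    }


def parse_stored_hash(stored: str) -> Argon2Hash:
    """Resolve the {} scheme through the alias table and parse the inner PHC string."""
    scheme, phc = split_scheme(stored)
    if scheme not in SCHEME_ALIASES:
        raise ValueError(f"not an argon2 scheme: {scheme}")
    fields = parse_phc(phc)
    return Argon2Hash(scheme=scheme, effective_scheme=SCHEME_ALIASES[scheme], phc=phc, **fields)


def scheme_matches_variant(h: Argon2Hash) -> bool:
    """True when the (aliased) {} scheme agrees with the $argon2xx$ marker inside."""
    return VARIANT_TO_SCHEME.get(h.variant) == h.effective_scheme


def audit_entries(entries: dict[str, str]) -> dict[str, str]:
    """Report entries that do not parse or whose scheme and variant disagree.

    Returns {username: reason}; an empty dict means every entry is consistent."""
    findings: dict[str, str] = {}
    for user, stored in entries.items():
        try:
            h = parse_stored_hash(stored)
        except ValueError as exc:
            findings[user] = f"unparseable: {exc}"
            continue
        if not scheme_matches_variant(h):
            findings[user] = f"scheme {{{h.scheme}}} but inner variant {h.variant}"
    return findings


# Constructed sample values (placeholder base64, not real digests of anything).
PHC_ID = "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0c2FsdA$aGFzaGhhc2hoYXNoaGFzaGhhc2hoYXNoaGFzaA"
SAMPLE_ENTRIES = {
    "alice": "{ARGON2}" + PHC_ID,     # what OpenLDAP's ppolicy writes; aliased to ARGON2ID
    "bob": "{ARGON2ID}" + PHC_ID,     # Dovecot's own spelling
    "carol": "{ARGON2I}" + PHC_ID,    # scheme says I, inner variant says ID
    "dave": "{ARGON2}$argon2id$v=19$m=65536$short",  # truncated PHC string
}

if __name__ == "__main__":
    for user, reason in audit_entries(SAMPLE_ENTRIES).items():
        print(f"{user}: {reason}")
```

Running the script prints only `carol` and `dave`; `alice` parses with `effective_scheme == "ARGON2ID"`, which is the behaviour the patch gives `{ARGON2}` entries.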