dovecot - May 2016 - Dovecot + libsodium

Hi,

Thank you very much for creating and maintaining dovecot!

In my scenario, I want to use the password hash algorithms provided by
libsodium: https://download.libsodium.org/doc/

So my difficulty is to have dovecot support libsodium's hash algorithms,
particularly: crypto_pwhash_scryptsalsa208sha256_str

On the sodium maillinglist I asked for help and received an adjusted
dovecot code, which exactly does what I need. You find it here:
https://github.com/jedisct1/core/tree/scrypt-argon2

Obviously I need to apply these changes everytime I upgrade to a new
dovecot version now.

So my question ist, what do I need to do so that you will include libsodium
support in future versions of dovecot?


Thank you very much for your attention,

Andreas

On 06 May 2016, at 13:14, Andreas Meyer <luckyfellow42 at gmail.com>
wrote:
> 
> Hi,
> 
> Thank you very much for creating and maintaining dovecot!
> 
> In my scenario, I want to use the password hash algorithms provided by
> libsodium: https://download.libsodium.org/doc/
> 
> So my difficulty is to have dovecot support libsodium's hash
algorithms,
> particularly: crypto_pwhash_scryptsalsa208sha256_str
> 
> On the sodium maillinglist I asked for help and received an adjusted
> dovecot code, which exactly does what I need. You find it here:
> https://github.com/jedisct1/core/tree/scrypt-argon2
> 
> Obviously I need to apply these changes everytime I upgrade to a new
> dovecot version now.
> 
> So my question ist, what do I need to do so that you will include libsodium
> support in future versions of dovecot?
You could also change it to be a plugin to avoid patching. This is a pretty old
example, but it probably still works, at least with minor changes:
http://dovecot.org/patches/password-scheme-lmpass.c

Although it's still a good idea to recompile the plugin after a new version
since sometimes the ABI changes.

2016-05-06 23:15 GMT+02:00 Timo Sirainen <tss at iki.fi>:
> On 06 May 2016, at 13:14, Andreas Meyer <luckyfellow42 at gmail.com>
wrote:
> >
> > Hi,
> >
> > Thank you very much for creating and maintaining dovecot!
> >
> > In my scenario, I want to use the password hash algorithms provided by
> > libsodium: https://download.libsodium.org/doc/
> >
> > So my difficulty is to have dovecot support libsodium's hash
algorithms,
> > particularly: crypto_pwhash_scryptsalsa208sha256_str
> >
> > On the sodium maillinglist I asked for help and received an adjusted
> > dovecot code, which exactly does what I need. You find it here:
> > https://github.com/jedisct1/core/tree/scrypt-argon2
> >
> > Obviously I need to apply these changes everytime I upgrade to a new
> > dovecot version now.
> >
> > So my question ist, what do I need to do so that you will include
> libsodium
> > support in future versions of dovecot?
>
> You could also change it to be a plugin to avoid patching. This is a
> pretty old example, but it probably still works, at least with minor
> changes:
> http://dovecot.org/patches/password-scheme-lmpass.c
>
> Although it's still a good idea to recompile the plugin after a new
> version since sometimes the ABI changes.
>
>
Hi Timo,


thank you very much for your reply. Creating a plugin is an option. Though
I don't possess the right abilities to do that right away.

Nevertheless I want to re-ask my initial question: What is required to get
libsodium support into the dovecot core?
Or are there concerns about supporting it or is there simply no interest in
doing so?

As I understand, security is a relevant concern when developing Dovecot.
The sodium crypto library focuses on: "... provide all of the core
operations needed to build higher-level cryptographic tools."
I am sure, utilizing this library by default can be of great benefit for
Dovecot. It will help to easily support the latest password hashing
algorithms, currently Scrypt and Argon2.
And if used for additional cryptographic purposes, it also provides easy to
use cryptographically secure pseudo random data, secret-key authenticated
encryption and of course secure memory allocations, just to name three
features.


Thank you very much,

Andreas