Dovecot + libsodium

Andreas Meyer luckyfellow42 at gmail.com
Wed May 11 11:50:31 UTC 2016


2016-05-06 23:15 GMT+02:00 Timo Sirainen <tss at iki.fi>:

> On 06 May 2016, at 13:14, Andreas Meyer <luckyfellow42 at gmail.com> wrote:
> >
> > Hi,
> >
> > Thank you very much for creating and maintaining dovecot!
> >
> > In my scenario, I want to use the password hash algorithms provided by
> > libsodium: https://download.libsodium.org/doc/
> >
> > So my difficulty is to have dovecot support libsodium's hash algorithms,
> > particularly: crypto_pwhash_scryptsalsa208sha256_str
> >
> > On the sodium mailing list I asked for help and received an adjusted
> > dovecot code, which exactly does what I need. You find it here:
> > https://github.com/jedisct1/core/tree/scrypt-argon2
> >
> > Obviously I need to apply these changes every time I upgrade to a new
> > dovecot version now.
> >
> > So my question is, what do I need to do so that you will include
> > libsodium support in future versions of dovecot?
>
> You could also change it to be a plugin to avoid patching. This is a
> pretty old example, but it probably still works, at least with minor
> changes:
> http://dovecot.org/patches/password-scheme-lmpass.c
>
> Although it's still a good idea to recompile the plugin after a new
> version since sometimes the ABI changes.
>
>

Hi Timo,


thank you very much for your reply. Creating a plugin is an option. Though
I don't possess the right abilities to do that right away.

Nevertheless I want to re-ask my initial question: What is required to get
libsodium support into the dovecot core?
Or are there concerns about supporting it or is there simply no interest in
doing so?

As I understand, security is a relevant concern when developing Dovecot.
The sodium crypto library focuses on: "... provide all of the core
operations needed to build higher-level cryptographic tools."
I am sure utilizing this library by default can be of great benefit for
Dovecot. It will help to easily support the latest password hashing
algorithms, currently Scrypt and Argon2.
And if used for additional cryptographic purposes, it also provides easy-to-use
cryptographically secure pseudo-random data, secret-key authenticated
encryption and of course secure memory allocations, just to name three
features.


Thank you very much,

Andreas

