On 11.05.2016 14:50, Andreas Meyer wrote:
2016-05-06 23:15 GMT+02:00 Timo Sirainen tss@iki.fi:
Hi,
Thank you very much for creating and maintaining dovecot!
In my scenario, I want to use the password hash algorithms provided by libsodium: https://download.libsodium.org/doc/
So my difficulty is to have dovecot support libsodium's hash algorithms, particularly: crypto_pwhash_scryptsalsa208sha256_str
On the sodium maillinglist I asked for help and received an adjusted dovecot code, which exactly does what I need. You find it here: https://github.com/jedisct1/core/tree/scrypt-argon2
Obviously I need to apply these changes everytime I upgrade to a new dovecot version now.
So my question ist, what do I need to do so that you will include
support in future versions of dovecot? You could also change it to be a plugin to avoid patching. This is a
On 06 May 2016, at 13:14, Andreas Meyer luckyfellow42@gmail.com wrote: libsodium pretty old example, but it probably still works, at least with minor changes: http://dovecot.org/patches/password-scheme-lmpass.c
Although it's still a good idea to recompile the plugin after a new version since sometimes the ABI changes.
Hi Timo,
thank you very much for your reply. Creating a plugin is an option. Though I don't possess the right abilities to do that right away.
Nevertheless I want to re-ask my initial question: What is required to get libsodium support into the dovecot core? Or are there concerns about supporting it or is there simply no interest in doing so?
As I understand, security is a relevant concern when developing Dovecot. The sodium crypto library focuses on: "... provide all of the core operations needed to build higher-level cryptographic tools." I am sure, utilizing this library by default can be of great benefit for Dovecot. It will help to easily support the latest password hashing algorithms, currently Scrypt and Argon2. And if used for additional cryptographic purposes, it also provides easy to use cryptographically secure pseudo random data, secret-key authenticated encryption and of course secure memory allocations, just to name three features.
Thank you very much,
Andreas
Hi!
At the moment we do not want to add libsodium as permanent core dependency. If you are willing to make a plugin for sodium, that provides f.ex. Scrypt and Argon2 support, and make a pull request out of that, we are happy to include it as plugin.
Due to how dovecot works adding new libraries to certain places is not really wanted, since the memory requirements on large installations will increase quite a lot.
We already are able to handle most of the things sodium would provide with current code.
Aki