2016-05-06 23:15 GMT+02:00 Timo Sirainen <tss@iki.fi>:
On 06 May 2016, at 13:14, Andreas Meyer <luckyfellow42@gmail.com> wrote:
Hi,
Thank you very much for creating and maintaining dovecot!
In my scenario, I want to use the password hash algorithms provided by libsodium: https://download.libsodium.org/doc/
So my difficulty is to have dovecot support libsodium's hash algorithms, particularly: crypto_pwhash_scryptsalsa208sha256_str
On the sodium mailing list I asked for help and received an adjusted dovecot code, which does exactly what I need. You can find it here: https://github.com/jedisct1/core/tree/scrypt-argon2
Obviously I need to apply these changes every time I upgrade to a new dovecot version now.
So my question is, what do I need to do so that you will include libsodium support in future versions of dovecot?
You could also change it to be a plugin to avoid patching. This is a pretty old example, but it probably still works, at least with minor changes: http://dovecot.org/patches/password-scheme-lmpass.c
Although it's still a good idea to recompile the plugin after a new version since sometimes the ABI changes.
Hi Timo,
thank you very much for your reply. Creating a plugin is an option. Though I don't possess the right abilities to do that right away.
Nevertheless, I want to re-ask my initial question: What is required to get libsodium support into the dovecot core? Or are there concerns about supporting it, or is there simply no interest in doing so?
As I understand, security is a relevant concern when developing Dovecot. The sodium crypto library focuses on: "... provide all of the core operations needed to build higher-level cryptographic tools." I am sure utilizing this library by default can be of great benefit for Dovecot. It will help to easily support the latest password hashing algorithms, currently Scrypt and Argon2. And if used for additional cryptographic purposes, it also provides easy-to-use cryptographically secure pseudo-random data, secret-key authenticated encryption and of course secure memory allocations, just to name three features.
Thank you very much,
Andreas