diff options
| author | Xavier Del Campo Romero <xavi92@disroot.org> | 2025-10-08 13:50:52 +0200 |
|---|---|---|
| committer | Xavier Del Campo Romero <xavi92@disroot.org> | 2025-10-08 22:55:44 +0200 |
| commit | 10e42591ac72285736d5cc4ee5e7c2f68dbf1e4b (patch) | |
| tree | 3bb586177e375a6f7f91c0335876faefc28b805c /CMakeLists.txt | |
| parent | 805630dbfcd409a5d49bc89102f4183b71f713f9 (diff) | |
| download | slcl-10e42591ac72285736d5cc4ee5e7c2f68dbf1e4b.tar.gz | |
Replace OpenSSL with libsodium and argon2id
The SHA256-based password hashing algorithm used by slcl(1) and
usergen(1) is considered insecure against several kinds of attacks,
including brute force attacks. [1]
Therefore, a stronger password hashing algorithm based on the Argon2id
key derivation function is now used by default. While OpenSSL does
support Argon2id, it is only supported by very recent versions [2],
which are still not packaged by most distributions as of the time of
this writing. [3]
As an alternative to OpenSSL, libsodium [4] had several benefits:
- It provides easy-to-use functions for password hashing, base64
encoding/decoding and other cryptographic primitives used by slcl(1)
and usergen(1).
- It is packaged by most distributions [5], and most often only the patch
version differs, which ensures good compatibility across distributions.
Unfortunately, and as opposed to OpenSSL, libsodium does not come with
command-line tools. Therefore, usergen(1) had to be rewritten in C.
In order to maintain backwards compatiblity with existing databases,
slcl(1) and usergen(1) shall support the insecure, SHA256-based password
hashing algorithm. However, Argon2id shall now be the default choice for
usergen(1).
[1]: https://security.stackexchange.com/questions/195563/why-is-sha-256-not-good-for-passwords
[2]: https://docs.openssl.org/3.3/man7/EVP_KDF-ARGON2/
[3]: https://repology.org/project/openssl/versions
[4]: https://www.libsodium.org/
[5]: https://repology.org/project/libsodium/versions
Diffstat (limited to 'CMakeLists.txt')
| -rw-r--r-- | CMakeLists.txt | 18 |
1 files changed, 8 insertions, 10 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt index 4d234c3..c3e4ea1 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,6 @@ cmake_minimum_required(VERSION 3.13) project(slcl LANGUAGES C VERSION 0.2.0) add_executable(${PROJECT_NAME} auth.c - base64.c cftw.c crealpath.c hex.c @@ -12,6 +11,10 @@ add_executable(${PROJECT_NAME} style.c zip.c ) +add_executable(usergen + hex.c + usergen.c +) target_compile_options(${PROJECT_NAME} PRIVATE -Wall) target_compile_definitions(${PROJECT_NAME} PRIVATE _FILE_OFFSET_BITS=64) set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} ${CMAKE_CURRENT_LIST_DIR}/cmake) @@ -26,7 +29,7 @@ else() endif() find_package(cJSON 1.0 REQUIRED) -find_package(OpenSSL 1.0 REQUIRED) +find_package(libsodium 1.0.0 REQUIRED) find_package(fdzipstream) if(NOT fdzipstream_FOUND) @@ -34,13 +37,8 @@ if(NOT fdzipstream_FOUND) add_subdirectory(fdzipstream) endif() -target_link_libraries(${PROJECT_NAME} PRIVATE web dynstr cjson OpenSSL::SSL +target_link_libraries(${PROJECT_NAME} PRIVATE web dynstr cjson libsodium fdzipstream) -install(TARGETS ${PROJECT_NAME}) -install(FILES usergen - TYPE BIN - PERMISSIONS - OWNER_READ OWNER_WRITE OWNER_EXECUTE - GROUP_READ GROUP_EXECUTE - WORLD_READ WORLD_EXECUTE) +target_link_libraries(usergen PRIVATE dynstr cjson libsodium) +install(TARGETS ${PROJECT_NAME} usergen) add_subdirectory(doc) |
