authorXavier Del Campo Romero <xavi92@disroot.org>2025-10-08 13:50:52 +0200
committerXavier Del Campo Romero <xavi92@disroot.org>2025-10-08 22:55:44 +0200
commit10e42591ac72285736d5cc4ee5e7c2f68dbf1e4b (patch)
tree3bb586177e375a6f7f91c0335876faefc28b805c /cmake
parent805630dbfcd409a5d49bc89102f4183b71f713f9 (diff)
Replace OpenSSL with libsodium and argon2id
The SHA256-based password hashing algorithm used by slcl(1) and usergen(1) is considered insecure against several kinds of attacks, including brute force attacks. [1] Therefore, a stronger password hashing algorithm based on the Argon2id key derivation function is now used by default. While OpenSSL does support Argon2id, it is only supported by very recent versions [2], which are still not packaged by most distributions as of the time of this writing. [3] As an alternative to OpenSSL, libsodium [4] had several benefits: - It provides easy-to-use functions for password hashing, base64 encoding/decoding and other cryptographic primitives used by slcl(1) and usergen(1). - It is packaged by most distributions [5], and most often only the patch version differs, which ensures good compatibility across distributions. Unfortunately, and as opposed to OpenSSL, libsodium does not come with command-line tools. Therefore, usergen(1) had to be rewritten in C. In order to maintain backwards compatibility with existing databases, slcl(1) and usergen(1) shall support the insecure, SHA256-based password hashing algorithm. However, Argon2id shall now be the default choice for usergen(1). [1]: https://security.stackexchange.com/questions/195563/why-is-sha-256-not-good-for-passwords [2]: https://docs.openssl.org/3.3/man7/EVP_KDF-ARGON2/ [3]: https://repology.org/project/openssl/versions [4]: https://www.libsodium.org/ [5]: https://repology.org/project/libsodium/versions
Diffstat (limited to 'cmake')
-rw-r--r--cmake/Findlibsodium.cmake58
1 files changed, 58 insertions, 0 deletions
diff --git a/cmake/Findlibsodium.cmake b/cmake/Findlibsodium.cmake
new file mode 100644
index 0000000..0844e74
--- /dev/null
+++ b/cmake/Findlibsodium.cmake
@@ -0,0 +1,58 @@
+find_package(PkgConfig)
+
+if(PKG_CONFIG_FOUND)
+ pkg_check_modules(libsodium libsodium)
+endif()
+
+if(NOT libsodium_FOUND)
+ find_library(libsodium_LIBRARIES NAMES sodium)
+ find_path(libsodium_INCLUDE_DIRS NAMES
+ sodium.h
+ sodium/version.h
+ PATH_SUFFIXES include)
+
+ if(libsodium_INCLUDE_DIRS)
+ set(libsodium_VERSION ${libsodium_INCLUDE_DIRS}/sodium/version.h)
+
+ if(NOT EXISTS ${libsodium_VERSION})
+ message(FATAL_ERROR "Missing file: ${libsodium_VERSION}")
+ endif()
+ endif()
+
+ file(STRINGS ${libsodium_VERSION} libsodium_VERSION_LINE REGEX "^#define[ \t]+SODIUM_VERSION_STRING[ \t]+\"[0-9\.]+\"$")
+ set(libsodium_expr "^#define[ \t]+SODIUM_VERSION_STRING[ \t]+\"([0-9]+)\.([0-9]+)\.([0-9]+)\"$")
+ string(REGEX REPLACE ${libsodium_expr} "\\1" libsodium_VERSION_MAJOR "${libsodium_VERSION_LINE}")
+ string(REGEX REPLACE ${libsodium_expr} "\\2" libsodium_VERSION_MINOR "${libsodium_VERSION_LINE}")
+ string(REGEX REPLACE ${libsodium_expr} "\\3" libsodium_VERSION_PATCH "${libsodium_VERSION_LINE}")
+ set(libsodium_VERSION_STRING ${libsodium_VERSION_MAJOR}.${libsodium_VERSION_MINOR}.${libsodium_VERSION_PATCH})
+ unset(libsodium_VERSION_MAJOR_LINE)
+ unset(libsodium_VERSION_MINOR_LINE)
+ unset(libsodium_VERSION_PATCH_LINE)
+ unset(libsodium_VERSION_MAJOR)
+ unset(libsodium_VERSION_MINOR)
+ unset(libsodium_VERSION_PATCH)
+ unset(libsodium_expr)
+
+ if (libsodium_LIBRARIES STREQUAL "libsodium_LIBRARIES-NOTFOUND")
+ message(FATAL_ERROR "libsodium not found")
+ elseif (libsodium_INCLUDE_DIRS STREQUAL "libsodium_INCLUDE_DIRS-NOTFOUND")
+ message(FATAL_ERROR "libsodium headers not found")
+ endif()
+
+ set(libsodium_LINK_LIBRARIES ${libsodium_LIBRARIES})
+endif()
+
+include(FindPackageHandleStandardArgs)
+find_package_handle_standard_args(libsodium
+ REQUIRED_VARS
+ libsodium_LINK_LIBRARIES
+ libsodium_INCLUDE_DIRS
+ VERSION_VAR libsodium_VERSION_STRING
+)
+
+if(NOT TARGET libsodium)
+ add_library(libsodium INTERFACE IMPORTED)
+ set_target_properties(libsodium PROPERTIES
+ INTERFACE_INCLUDE_DIRECTORIES ${libsodium_INCLUDE_DIRS}
+ INTERFACE_LINK_LIBRARIES ${libsodium_LINK_LIBRARIES})
+endif()
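Review bot: The version handed to `find_package_handle_standard_args` is only populated in the `if(NOT libsodium_FOUND)` fallback branch. That branch sets `libsodium_VERSION_STRING`, while a successful `pkg_check_modules` sets `libsodium_VERSION`, so any minimum version the caller requests (relevant now that the build depends on Argon2id support) cannot be compared with what pkg-config reported. In the fallback branch `libsodium_VERSION` is reused to hold the path of `sodium/version.h`, and `file(STRINGS ${libsodium_VERSION} ...)` runs before the `-NOTFOUND` checks, so a missing header produces a confusing `file()` error instead of "libsodium headers not found". I would keep the header path in its own variable, parse the version only when the header exists, and pass `VERSION_VAR libsodium_VERSION` on both paths, as sketched below. Separately, the unquoted `${libsodium_INCLUDE_DIRS}` and `${libsodium_LINK_LIBRARIES}` in `set_target_properties` shift the property/value pairs when either is empty or a multi-element list, so both should be quoted.

```cmake
# … unchanged: find_package(PkgConfig), pkg_check_modules, find_library, find_path …

    if(libsodium_INCLUDE_DIRS)
        set(libsodium_version_header "${libsodium_INCLUDE_DIRS}/sodium/version.h")

        if(EXISTS "${libsodium_version_header}")
            file(STRINGS "${libsodium_version_header}" libsodium_version_line
                REGEX "^#define[ \t]+SODIUM_VERSION_STRING[ \t]+\"[0-9.]+\"")
            string(REGEX REPLACE "^.*\"([0-9.]+)\".*$" "\\1"
                libsodium_VERSION "${libsodium_version_line}")
            unset(libsodium_version_line)
        endif()

        unset(libsodium_version_header)
    endif()

# … unchanged: set(libsodium_LINK_LIBRARIES ...), endif(), include(FindPackageHandleStandardArgs) …

find_package_handle_standard_args(libsodium
    REQUIRED_VARS
        libsodium_LINK_LIBRARIES
        libsodium_INCLUDE_DIRS
    VERSION_VAR libsodium_VERSION
)

# … unchanged: if(NOT TARGET libsodium), add_library(...) …
    set_target_properties(libsodium PROPERTIES
        INTERFACE_INCLUDE_DIRECTORIES "${libsodium_INCLUDE_DIRS}"
        INTERFACE_LINK_LIBRARIES "${libsodium_LINK_LIBRARIES}")
```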