Replace OpenSSL with libsodium and argon2id

The SHA256-based password hashing algorithm used by slcl(1) and
usergen(1) is considered insecure against several kinds of attacks,
including brute force attacks. [1]

Therefore, a stronger password hashing algorithm based on the Argon2id
key derivation function is now used by default. While OpenSSL does
support Argon2id, it is only supported by very recent versions [2],
which are still not packaged by most distributions as of the time of
this writing. [3]

As an alternative to OpenSSL, libsodium [4] had several benefits:

- It provides easy-to-use functions for password hashing, base64
encoding/decoding and other cryptographic primitives used by slcl(1)
and usergen(1).

- It is packaged by most distributions [5], and most often only the patch
version differs, which ensures good compatibility across distributions.

Unfortunately, and as opposed to OpenSSL, libsodium does not come with
command-line tools. Therefore, usergen(1) had to be rewritten in C.

In order to maintain backwards compatiblity with existing databases,
slcl(1) and usergen(1) shall support the insecure, SHA256-based password
hashing algorithm. However, Argon2id shall now be the default choice for
usergen(1).

[1]: https://security.stackexchange.com/questions/195563/why-is-sha-256-not-good-for-passwords
[2]: https://docs.openssl.org/3.3/man7/EVP_KDF-ARGON2/
[3]: https://repology.org/project/openssl/versions
[4]: https://www.libsodium.org/
[5]: https://repology.org/project/libsodium/versions

1 files changed, 25 insertions, 6 deletions

diff --git a/configure b/configure
index 73d5610..cc9e0dc 100755
--- a/configure
+++ b/configure
@@ -7,11 +7,12 @@ prefix=$default_prefix
 default_CC='c99'
 # FILE_OFFSET_BITS=64 is required for large file support on 32-bit platforms.
 default_CFLAGS='-O1 -g -D_FILE_OFFSET_BITS=64 -Wall -MD'
-default_LDFLAGS="-lcjson -lssl -lm -lcrypto"
+default_LDFLAGS="-lcjson -lm"
 
 CC=${CC:-$default_CC}
 CFLAGS=${CFLAGS:-"$default_CFLAGS $default_NPCFLAGS"}
 LDFLAGS=${LDFLAGS:-$default_LDFLAGS}
+USERGEN_LDFLAGS=${LDFLAGS}
 
 help()
 {
@@ -47,16 +48,27 @@ while true; do
 	esac
 done
 
+if pkg-config libsodium
+then
+	CFLAGS="$CFLAGS $(pkg-config --cflags libsodium)"
+	LDFLAGS="$LDFLAGS $(pkg-config --libs libsodium)"
+else
+	echo "Error: libsodium not found." >&2
+	exit 1
+fi
+
 if pkg-config dynstr
 then
 	in_tree_dynstr=0
 	CFLAGS="$CFLAGS $(pkg-config --cflags dynstr)"
 	LDFLAGS="$LDFLAGS $(pkg-config --libs dynstr)"
+	USERGEN_LDFLAGS="$USERGEN_LDFLAGS $(pkg-config --libs dynstr)"
 else
 	echo "Info: dynstr not found. Using in-tree copy" >&2
 	in_tree_dynstr=1
 	CFLAGS="$CFLAGS -Ilibweb/dynstr/include"
 	LDFLAGS="$LDFLAGS -Llibweb/dynstr -ldynstr"
+	USERGEN_LDFLAGS="$LDFLAGS -Llibweb/dynstr -ldynstr"
 fi
 
 if pkg-config libweb
@@ -99,6 +111,7 @@ PREFIX = $prefix
 DST = $prefix/bin
 CFLAGS = $CFLAGS
 LDFLAGS = $LDFLAGS
+USERGEN_LDFLAGS = $USERGEN_LDFLAGS
 EOF
 
 cat <<"EOF" >> $F
@@ -106,7 +119,6 @@ PROJECT = slcl
 DEPS = $(OBJECTS:.o=.d)
 OBJECTS = \
 	auth.o \
-	base64.o \
 	cftw.o \
 	crealpath.o \
 	hex.o \
@@ -116,9 +128,13 @@ OBJECTS = \
 	style.o \
 	zip.o
 
-all: $(PROJECT)
+USERGEN_OBJECTS = \
+	hex.o \
+	usergen.o \
+
+all: $(PROJECT) usergen
 
-install: all usergen
+install: all
 	mkdir -p $(DST)
 	cp slcl usergen $(DST)
 	chmod 0755 $(DST)/slcl
@@ -129,6 +145,9 @@ FORCE:
 
 $(PROJECT): $(OBJECTS)
 	$(CC) $(OBJECTS) $(LDFLAGS) -o $@
+
+usergen: $(USERGEN_OBJECTS)
+	$(CC) $(USERGEN_OBJECTS) $(USERGEN_LDFLAGS) -o $@
 EOF
 
 if [ $in_tree_dynstr -ne 0 ]
@@ -156,7 +175,7 @@ then
 cat <<"EOF" >> $F
 FDZIPSTREAM = fdzipstream/libfdzipstream.a
 $(PROJECT): $(FDZIPSTREAM)
-$(FDZIPSTREAM): FORCE
+$(FDZIPSTREAM): FORCE $(DYNSTR)
 	+cd fdzipstream && $(MAKE) CC=$(CC)
 EOF
 fi
@@ -189,7 +208,7 @@ fi
 
 cat <<"EOF" >> $F
 distclean: clean
-	rm -f slcl
+	rm -f slcl usergen
 	rm Makefile
 EOF