From 10e42591ac72285736d5cc4ee5e7c2f68dbf1e4b Mon Sep 17 00:00:00 2001
From: Xavier Del Campo Romero <xavi92@disroot.org>
Date: Wed, 8 Oct 2025 13:50:52 +0200
Subject: Replace OpenSSL with libsodium and argon2id

The SHA256-based password hashing algorithm used by slcl(1) and
usergen(1) is considered insecure against several kinds of attacks,
including brute force attacks. [1]

Therefore, a stronger password hashing algorithm based on the Argon2id
key derivation function is now used by default. While OpenSSL does
support Argon2id, it is only supported by very recent versions [2],
which are still not packaged by most distributions as of the time of
this writing. [3]

As an alternative to OpenSSL, libsodium [4] had several benefits:

- It provides easy-to-use functions for password hashing, base64
encoding/decoding and other cryptographic primitives used by slcl(1)
and usergen(1).

- It is packaged by most distributions [5], and most often only the patch
version differs, which ensures good compatibility across distributions.

Unfortunately, and as opposed to OpenSSL, libsodium does not come with
command-line tools. Therefore, usergen(1) had to be rewritten in C.

In order to maintain backwards compatiblity with existing databases,
slcl(1) and usergen(1) shall support the insecure, SHA256-based password
hashing algorithm. However, Argon2id shall now be the default choice for
usergen(1).

[1]: https://security.stackexchange.com/questions/195563/why-is-sha-256-not-good-for-passwords
[2]: https://docs.openssl.org/3.3/man7/EVP_KDF-ARGON2/
[3]: https://repology.org/project/openssl/versions
[4]: https://www.libsodium.org/
[5]: https://repology.org/project/libsodium/versions
---
 auth.c | 95 ++++++++++++++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 72 insertions(+), 23 deletions(-)

(limited to 'auth.c')

diff --git a/auth.c b/auth.c
index ec8c75c..8ff23fd 100644
--- a/auth.c
+++ b/auth.c
@@ -5,7 +5,7 @@
 #include <libweb/http.h>
 #include <cjson/cJSON.h>
 #include <dynstr.h>
-#include <openssl/sha.h>
+#include <sodium.h>
 #include <errno.h>
 #include <limits.h>
 #include <stddef.h>
@@ -195,17 +195,21 @@ end:
     return ret;
 }
 
-static int compare_pwd(const char *const salt, const char *const password,
-    const char *const exp_password)
+static int compare_pwd_sha256(const char *const salt,
+    const char *const password, const char *const exp_password)
 {
     int ret = -1;
-    enum {SALT_LEN = SHA256_DIGEST_LENGTH};
-    unsigned char dec_salt[SALT_LEN], sha256[SHA256_DIGEST_LENGTH];
-    const size_t slen = strlen(salt),
-        len = strlen(password), n = sizeof dec_salt + len;
+    unsigned char dec_salt[crypto_hash_sha256_BYTES],
+        sha256[sizeof dec_salt];
+    size_t len = strlen(password), n = sizeof dec_salt + len, slen;
     unsigned char *const salted = malloc(n);
 
-    if (slen != SALT_LEN * 2)
+    if (!salt)
+    {
+        fprintf(stderr, "%s: missing salt\n", __func__);
+        goto end;
+    }
+    else if ((slen = strlen(salt)) != sizeof dec_salt * 2)
     {
         fprintf(stderr, "%s: unexpected salt length: %zu\n", __func__, slen);
         goto end;
@@ -224,18 +228,19 @@ static int compare_pwd(const char *const salt, const char *const password,
     memcpy(salted, dec_salt, sizeof dec_salt);
     memcpy(salted + sizeof dec_salt, password, len);
 
-    if (!SHA256(salted, n, sha256))
+    if (crypto_hash_sha256(sha256, salted, n))
     {
-        fprintf(stderr, "%s: SHA256 (first round) failed\n", __func__);
+        fprintf(stderr, "%s: crypto_hash_sha256 (first round) failed\n",
+            __func__);
         goto end;
     }
 
     enum {ROUNDS = 1000 - 1};
 
     for (int i = 0; i < ROUNDS; i++)
-        if (!SHA256(sha256, sizeof sha256, sha256))
+        if (crypto_hash_sha256(sha256, sha256, sizeof sha256))
         {
-            fprintf(stderr, "%s: SHA256 failed\n", __func__);
+            fprintf(stderr, "%s: crypto_hash_sha256 failed\n", __func__);
             goto end;
         }
 
@@ -269,6 +274,37 @@ end:
     return ret;
 }
 
+static int compare_pwd_argon2id(const char *const salt,
+    const char *const password, const char *const exp_password)
+{
+    return !!crypto_pwhash_str_verify(exp_password, password, strlen(password));
+}
+
+static int compare_pwd(const char *const method, const char *const salt,
+    const char *const password, const char *const exp_password)
+{
+    static const struct m
+    {
+        const char *s;
+        int (*fn)(const char *, const char *, const char *);
+    } methods[] =
+    {
+        {.s = "sha256", .fn = compare_pwd_sha256},
+        {.s = "argon2id", .fn = compare_pwd_argon2id}
+    };
+
+    for (size_t i = 0; i < sizeof methods / sizeof *methods; i++)
+    {
+        const struct m *const m = &methods[i];
+
+        if (!strcmp(m->s, method))
+            return m->fn(salt, password, exp_password);
+    }
+
+    fprintf(stderr, "%s: unknown method: %s\n", __func__, method);
+    return -1;
+}
+
 int auth_login(const struct auth *const a, const char *const user,
     const char *const password, char **const cookie)
 {
@@ -308,19 +344,16 @@ int auth_login(const struct auth *const a, const char *const user,
         const cJSON *const n = cJSON_GetObjectItem(u, "name"),
             *const s = cJSON_GetObjectItem(u, "salt"),
             *const p = cJSON_GetObjectItem(u, "password"),
-            *const k = cJSON_GetObjectItem(u, "key");
-        const char *name, *salt, *pwd, *key;
+            *const k = cJSON_GetObjectItem(u, "key"),
+            *const m = cJSON_GetObjectItem(u, "method");
+        const char *name, *pwd, *key,
+            *const salt = s ? cJSON_GetStringValue(s) : NULL;
 
         if (!n || !(name = cJSON_GetStringValue(n)))
         {
             fprintf(stderr, "%s: missing username\n", __func__);
             goto end;
         }
-        else if (!s || !(salt = cJSON_GetStringValue(s)))
-        {
-            fprintf(stderr, "%s: missing salt\n", __func__);
-            goto end;
-        }
         else if (!p || !(pwd = cJSON_GetStringValue(p)))
         {
             fprintf(stderr, "%s: missing password\n", __func__);
@@ -333,14 +366,30 @@ int auth_login(const struct auth *const a, const char *const user,
         }
         else if (!strcmp(name, user))
         {
-            const int res = compare_pwd(salt, password, pwd);
+            int res;
 
-            if (res < 0)
+            if (m)
             {
-                fprintf(stderr, "%s: compare_pwd failed\n", __func__);
+                const char *const method = cJSON_GetStringValue(m);
+
+                if (!method)
+                {
+                    fprintf(stderr, "%s: missing method\n", __func__);
+                    goto end;
+                }
+                else if ((res = compare_pwd(method, salt, password, pwd)) < 0)
+                {
+                    fprintf(stderr, "%s: compare_pwd failed\n", __func__);
+                    goto end;
+                }
+            }
+            else if ((res = compare_pwd_sha256(salt, password, pwd)) < 0)
+            {
+                fprintf(stderr, "%s: compare_pwd_sha256 failed\n", __func__);
                 goto end;
             }
-            else if (!res)
+
+            if (!res)
             {
                 if (generate_cookie(name, key, cookie))
                 {
-- 
cgit v1.2.3