From 10e42591ac72285736d5cc4ee5e7c2f68dbf1e4b Mon Sep 17 00:00:00 2001
From: Xavier Del Campo Romero <xavi92@disroot.org>
Date: Wed, 8 Oct 2025 13:50:52 +0200
Subject: Replace OpenSSL with libsodium and argon2id

The SHA256-based password hashing algorithm used by slcl(1) and
usergen(1) is considered insecure against several kinds of attacks,
including brute force attacks. [1]

Therefore, a stronger password hashing algorithm based on the Argon2id
key derivation function is now used by default. While OpenSSL does
support Argon2id, it is only supported by very recent versions [2],
which are still not packaged by most distributions as of the time of
this writing. [3]

As an alternative to OpenSSL, libsodium [4] had several benefits:

- It provides easy-to-use functions for password hashing, base64
encoding/decoding and other cryptographic primitives used by slcl(1)
and usergen(1).

- It is packaged by most distributions [5], and most often only the patch
version differs, which ensures good compatibility across distributions.

Unfortunately, and as opposed to OpenSSL, libsodium does not come with
command-line tools. Therefore, usergen(1) had to be rewritten in C.

In order to maintain backwards compatiblity with existing databases,
slcl(1) and usergen(1) shall support the insecure, SHA256-based password
hashing algorithm. However, Argon2id shall now be the default choice for
usergen(1).

[1]: https://security.stackexchange.com/questions/195563/why-is-sha-256-not-good-for-passwords
[2]: https://docs.openssl.org/3.3/man7/EVP_KDF-ARGON2/
[3]: https://repology.org/project/openssl/versions
[4]: https://www.libsodium.org/
[5]: https://repology.org/project/libsodium/versions
---
 main.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

(limited to 'main.c')

diff --git a/main.c b/main.c
index 436c50d..1b70542 100644
--- a/main.c
+++ b/main.c
@@ -18,6 +18,7 @@
 #include <openssl/err.h>
 #include <openssl/rand.h>
 #include <dynstr.h>
+#include <sodium.h>
 #include <dirent.h>
 #include <libgen.h>
 #include <fcntl.h>
@@ -522,13 +523,9 @@ static char *create_symlink(const char *const dir, const char *user)
     dynstr_init(&abs);
     dynstr_init(&rel);
 
-    if (RAND_bytes(buf, sizeof buf) != 1)
-    {
-        fprintf(stderr, "%s: RAND_bytes failed with %lu\n",
-            __func__, ERR_get_error());
-        goto end;
-    }
-    else if (hex_encode(buf, dbuf, sizeof buf, sizeof dbuf))
+    randombytes_buf(buf, sizeof buf);
+
+    if (hex_encode(buf, dbuf, sizeof buf, sizeof dbuf))
     {
         fprintf(stderr, "%s: hex_encode failed\n", __func__);
         goto end;
@@ -2650,7 +2647,12 @@ int main(int argc, char *argv[])
 
     dynstr_init(&ua.d);
 
-    if (parse_args(argc, argv, &dir, &port, &tmpdir, &ua.fifo)
+    if (sodium_init())
+    {
+        fprintf(stderr, "%s: sodium_init failed\n", __func__);
+        goto end;
+    }
+    else if (parse_args(argc, argv, &dir, &port, &tmpdir, &ua.fifo)
         || init_dirs(dir)
         || ensure_style(dir)
         || !(ua.a = auth_alloc(dir))
-- 
cgit v1.2.3