From c7763538dee07d92e967f132752f047d78a91e4e Mon Sep 17 00:00:00 2001 From: Quanah Gibson-Mount Date: Mon, 1 Mar 2021 20:41:46 +0000 Subject: [PATCH] ITS#9453 - Make pw argon2 official --- .gitlab-ci.yml | 4 +- build/top.mk | 1 + configure.ac | 74 ++++++++- contrib/slapd-modules/passwd/argon2/Makefile | 70 -------- .../man/man5/slappw-argon2.5 | 14 +- servers/slapd/Makefile.in | 5 +- servers/slapd/pwmods/Makefile.in | 59 +++++++ .../slapd/pwmods/README.argon2 | 8 +- .../slapd/pwmods/argon2.c | 18 +- tests/data/passwd.ldif | 8 + tests/run.in | 3 +- tests/scripts/defines.sh | 1 + tests/scripts/test083-argon2 | 154 ++++++++++++++++++ 13 files changed, 325 insertions(+), 94 deletions(-) delete mode 100644 contrib/slapd-modules/passwd/argon2/Makefile rename contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5 => doc/man/man5/slappw-argon2.5 (92%) create mode 100644 servers/slapd/pwmods/Makefile.in rename contrib/slapd-modules/passwd/argon2/README => servers/slapd/pwmods/README.argon2 (94%) rename contrib/slapd-modules/passwd/argon2/pw-argon2.c => servers/slapd/pwmods/argon2.c (94%) create mode 100755 tests/scripts/test083-argon2 diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index bdf4594577..6ea33be71c 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -23,7 +23,7 @@ build-openssl-heimdal-lloadd: stage: build script: - apt update - - DEBIAN_FRONTEND=noninteractive apt install -y build-essential python3 gdb procps pkg-config automake libsasl2-dev heimdal-multidev libssl-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev heimdal-kdc libsasl2-modules-gssapi-heimdal sasl2-bin libevent-dev + - DEBIAN_FRONTEND=noninteractive apt install -y build-essential python3 gdb procps pkg-config automake libsasl2-dev heimdal-multidev libssl-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev heimdal-kdc libsasl2-modules-gssapi-heimdal sasl2-bin libevent-dev libargon2-dev - autoreconf - ./configure --enable-backends=mod --enable-overlays=mod --enable-modules --enable-dynamic --disable-ndb --enable-balancer=mod - make depend @@ -41,7 +41,7 @@ build-gnutls-mit-standalone-lloadd: stage: build script: - apt update - - DEBIAN_FRONTEND=noninteractive apt install -y build-essential python3 gdb procps pkg-config automake libsasl2-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev krb5-user krb5-kdc krb5-admin-server libsasl2-modules-gssapi-mit sasl2-bin libgnutls28-dev libevent-dev + - DEBIAN_FRONTEND=noninteractive apt install -y build-essential python3 gdb procps pkg-config automake libsasl2-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev krb5-user krb5-kdc krb5-admin-server libsasl2-modules-gssapi-mit sasl2-bin libgnutls28-dev libevent-dev libargon2-dev - autoreconf - ./configure --enable-backends=mod --enable-overlays=mod --disable-autoca --enable-modules --enable-dynamic --disable-ndb --enable-balancer=yes - make depend diff --git a/build/top.mk b/build/top.mk index 2c4dce3967..f542ded3c4 100644 --- a/build/top.mk +++ b/build/top.mk 
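Review bot: Both hunks add `libargon2-dev` to the apt install, but the `./configure` lines that follow are unchanged and do not pass `--enable-argon2`; since configure.ac in this patch defaults that option to `no`, CI will install the library yet never build the module, and `test083-argon2` will exit early as skipped. Append `--enable-argon2` to both configure invocations (the second job could use `--with-argon2=libargon2` explicitly so it is clear which backend is exercised). Presumably the intent is to cover at least one of the two library backends in CI; covering libsodium as well would need `libsodium-dev` in the package list of one of the jobs.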
@@ -191,6 +191,7 @@ AC_LIBS = @LIBS@ SASL_LIBS = @SASL_LIBS@ TLS_LIBS = @TLS_LIBS@ AUTH_LIBS = @AUTH_LIBS@ +ARGON2_LIBS = @ARGON2_LIBS@ SECURITY_LIBS = $(SASL_LIBS) $(TLS_LIBS) $(AUTH_LIBS) MODULES_CPPFLAGS = @SLAPD_MODULES_CPPFLAGS@ diff --git a/configure.ac b/configure.ac index 284bc5b93b..21e07d197f 100644 --- a/configure.ac +++ b/configure.ac @@ -363,6 +363,8 @@ Overlays="accesslog \ unique \ valsort" +Pwmods="argon2" + AC_ARG_ENABLE(xxslapoverlays,[ SLAPD Overlay Options:]) @@ -413,6 +415,16 @@ OL_ARG_ENABLE(unique, [AS_HELP_STRING([--enable-unique], [Attribute Uniqueness o OL_ARG_ENABLE(valsort, [AS_HELP_STRING([--enable-valsort], [Value Sorting overlay])], no, [no yes mod], ol_enable_overlays) +dnl ---------------------------------------------------------------- +dnl PASSWORD MODULE OPTIONS +AC_ARG_ENABLE(pwmodoptions,[ +SLAPD Password Module Options:]) +OL_ARG_ENABLE(argon2, [AS_HELP_STRING([--enable-argon2], [Argon2 password hashing module])], + no, [no yes], ol_enable_pwmodules) +OL_ARG_WITH(argon2, + [AS_HELP_STRING([--with-argon2], [with argon2 support library auto|libsodum|libargon2])], + auto, [auto libsodium libargon2 yes no] ) + dnl ---------------------------------------------------------------- dnl BALANCER OPTIONS AC_ARG_ENABLE(balanceroptions,[ @@ -442,7 +454,7 @@ if test $ol_enable_slapd = no ; then fi done - for i in $Backends $Overlays; do + for i in $Backends $Overlays $Pwmods; do eval "ol_tmp=\$ol_enable_$i" if test $ol_tmp != no ; then AC_MSG_WARN([slapd disabled, ignoring --enable-$i argument]) @@ -467,6 +479,13 @@ else fi done + for i in $Pwmods; do + eval "ol_tmp=\$ol_enable_$i" + if test -n "$ol_tmp" && test "$ol_tmp" = yes ; then + AC_MSG_ERROR([--enable-$i=yes requires --enable-modules]) + fi + done + ol_any_backend=no for i in $Backends; do eval "ol_tmp=\$ol_enable_$i" 
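Review bot: The `--with-argon2` help string in the @@ -413 hunk misspells the library name as `libsodum`, which is exactly what users will copy into their configure invocation, and `OL_ARG_WITH` presumably rejects anything outside its `[auto libsodium libargon2 yes no]` list. Change it to `[AS_HELP_STRING([--with-argon2], [with argon2 support library auto|libsodium|libargon2])]`. The accepted list also contains `yes` and `no`, which the help text does not mention and which the detection code in the @@ -2971 hunk never tests for; either document them or drop them from the list.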
@@ -582,9 +601,13 @@ BUILD_TRANSLUCENT=no BUILD_UNIQUE=no BUILD_VALSORT=no +BUILD_PW_ARGON2=no + SLAPD_STATIC_OVERLAYS= SLAPD_DYNAMIC_OVERLAYS= +SLAPD_DYNAMIC_PWMODS= + SLAPD_MODULES_LDFLAGS= SLAPD_MODULES_CPPFLAGS= @@ -2971,6 +2994,50 @@ if test "$ol_enable_valsort" != no ; then AC_DEFINE_UNQUOTED(SLAPD_OVER_VALSORT,$MFLAG,[define for Value Sorting overlay]) fi +ol_link_argon2=no +if test "$ol_enable_argon2" = "yes" ; then + if test $ol_with_argon2 = libargon2 || test $ol_with_argon2 = auto; then + AC_CHECK_HEADERS(argon2.h) + if test $ac_cv_header_argon2_h = yes ; then + AC_CHECK_LIB(argon2, argon2i_hash_encoded, + [have_argon2=yes], [have_argon2=no], + [-largon2]) + fi + if test "$have_argon2" = "yes" ; then + ol_with_argon2=libargon2 + ol_link_argon2=yes + AC_DEFINE(HAVE_LIBARGON2, 1, + [define if you have libargon2]) + ARGON2_LIBS="-largon2" + fi + fi + if test $ol_with_argon2 = libsodium || test $ol_with_argon2 = auto; then + AC_CHECK_HEADERS(sodium.h) + if test $ac_cv_header_sodium_h = yes ; then + AC_CHECK_LIB(sodium, crypto_pwhash_str_alg, + [have_argon2=yes], [have_argon2=no], + [-lsodium]) + fi + if test "$have_argon2" = "yes" ; then + ol_with_argon2=libsodium + ol_link_argon2=yes + AC_DEFINE(HAVE_LIBSODIUM, 1, + [define if you have libsodium]) + ARGON2_LIBS="-lsodium" + fi + fi + + if test "$ol_link_argon2" = no ; then + AC_MSG_ERROR([--enable_argon2=$ol_enable_argon2 requires --with-argon2]) + fi + + BUILD_PW_ARGON2=$ol_enable_argon2 + if test "$ol_enable_argon2" = "yes" ; then + SLAPD_DYNAMIC_PWMODS="$SLAPD_DYNAMIC_PWDMODS argon2.la" + fi + AC_DEFINE_UNQUOTED(SLAPD_PWMOD_PW_ARGON2,$SLAPD_MOD_DYNAMIC,[define for Argon2 Password hashing module]) +fi + if test "$ol_enable_balancer" != no \ -a "$ol_with_threads" != no \ -a "$have_libevent" = yes ; then @@ -3057,6 +3124,8 @@ dnl overlays AC_SUBST(BUILD_UNIQUE) AC_SUBST(BUILD_VALSORT) AC_SUBST(BUILD_BALANCER) +dnl pwmods + AC_SUBST(BUILD_PW_ARGON2) AC_SUBST(LDAP_LIBS) AC_SUBST(CLIENT_LIBS) 
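Review bot: `SLAPD_DYNAMIC_PWMODS="$SLAPD_DYNAMIC_PWDMODS argon2.la"` in the @@ -2971 hunk reads a misspelled variable (`PWDMODS`); it only yields the right value because the correctly spelled variable is still empty, and the next module appended this way would silently overwrite the list. Use `SLAPD_DYNAMIC_PWMODS="$SLAPD_DYNAMIC_PWMODS argon2.la"`. Separately, `--with-argon2=yes` is in the accepted value list but matches neither the libargon2 nor the libsodium probe, so it falls through to the error, whose text `--enable_argon2=$ol_enable_argon2 requires --with-argon2` both misspells the option (underscore) and misdescribes the usual failure, which is that no usable library was found under the default `auto`; normalising first with `test "$ol_with_argon2" = yes && ol_with_argon2=auto` and rewording to `AC_MSG_ERROR([--enable-argon2 requires libargon2 or libsodium, neither was found])` would be clearer. The inner `if test "$ol_enable_argon2" = "yes"` around the `SLAPD_DYNAMIC_PWMODS` assignment repeats the condition of the enclosing `if` and can be dropped.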
@@ -3077,6 +3146,7 @@ AC_SUBST(SLAPD_STATIC_BACKENDS) AC_SUBST(SLAPD_DYNAMIC_BACKENDS) AC_SUBST(SLAPD_STATIC_OVERLAYS) AC_SUBST(SLAPD_DYNAMIC_OVERLAYS) +AC_SUBST(SLAPD_DYNAMIC_PWMODS) AC_SUBST(PERL_CPPFLAGS) AC_SUBST(SLAPD_PERL_LDFLAGS) @@ -3089,6 +3159,7 @@ AC_SUBST(MODULES_LIBS) AC_SUBST(SLAPI_LIBS) AC_SUBST(LIBSLAPI) AC_SUBST(AUTH_LIBS) +AC_SUBST(ARGON2_LIBS) AC_SUBST(SLAPD_SLP_LIBS) AC_SUBST(SLAPD_GMP_LIBS) @@ -3148,6 +3219,7 @@ AC_CONFIG_FILES([Makefile:build/top.mk:Makefile.in:build/dir.mk] [servers/slapd/shell-backends/Makefile:build/top.mk:servers/slapd/shell-backends/Makefile.in:build/srv.mk] [servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk] [servers/slapd/overlays/Makefile:build/top.mk:servers/slapd/overlays/Makefile.in:build/lib.mk] +[servers/slapd/pwmods/Makefile:build/top.mk:servers/slapd/pwmods/Makefile.in:build/lib.mk] [servers/lloadd/Makefile:build/top.mk:servers/lloadd/Makefile.in] [servers/lloadd/Makefile.server:servers/lloadd/Makefile_server.in:build/srv.mk] [servers/lloadd/Makefile.module:servers/lloadd/Makefile_module.in:build/mod.mk] diff --git a/contrib/slapd-modules/passwd/argon2/Makefile b/contrib/slapd-modules/passwd/argon2/Makefile deleted file mode 100644 index d33116a315..0000000000 --- a/contrib/slapd-modules/passwd/argon2/Makefile +++ /dev/null 
@@ -1,70 +0,0 @@ -# $OpenLDAP$ - -LDAP_SRC = ../../../.. -LDAP_BUILD = ../../../.. -LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd -LDAP_LIB = $(LDAP_BUILD)/libraries/libldap/libldap.la \ - $(LDAP_BUILD)/libraries/liblber/liblber.la - -LIBTOOL = $(LDAP_BUILD)/libtool -INSTALL = /usr/bin/install -CC = gcc -OPT = -g -O2 -Wall -#DEFS = -DSLAPD_ARGON2_DEBUG - -INCS = $(LDAP_INC) -LIBS = $(LDAP_LIB) - -implementation = sodium - -ifeq ($(implementation),argon2) -LIBS += -largon2 -DEFS += -DSLAPD_ARGON2_USE_ARGON2 -else ifeq ($(implementation),sodium) -LIBS += -lsodium -DEFS += -DSLAPD_ARGON2_USE_SODIUM -else -$(error Unsupported implementation $(implementation)) -endif - -PROGRAMS = pw-argon2.la -MANPAGES = slapd-pw-argon2.5 -LTVER = 0:0:0 - -prefix=/usr/local -exec_prefix=$(prefix) -ldap_subdir=/openldap - -libdir=$(exec_prefix)/lib -libexecdir=$(exec_prefix)/libexec -moduledir = $(libexecdir)$(ldap_subdir) -mandir = $(exec_prefix)/share/man -man5dir = $(mandir)/man5 - -.SUFFIXES: .c .o .lo - -.c.lo: - $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< - -all: $(PROGRAMS) - -pw-argon2.la: pw-argon2.lo - $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ - -rpath $(moduledir) -module -o $@ $? $(LIBS) - -clean: - rm -rf *.o *.lo *.la .libs - -install: install-lib install-man FORCE - -install-lib: $(PROGRAMS) - mkdir -p $(DESTDIR)$(moduledir) - for p in $(PROGRAMS) ; do \ - $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ - done - -install-man: $(MANPAGES) - mkdir -p $(DESTDIR)$(man5dir) - $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) - -FORCE: diff --git a/contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5 b/doc/man/man5/slappw-argon2.5 similarity index 92% rename from contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5 rename to doc/man/man5/slappw-argon2.5 index 23cc87a273..8ec53b2ace 100644 --- a/contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5 +++ b/doc/man/man5/slappw-argon2.5 
@@ -1,20 +1,20 @@ -.TH SLAPD-PW-ARGON2 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.TH SLAPPW-ARGON2 5 "RELEASEDATE" "OpenLDAP LDVERSION" .\" Copyright 2020-2021 The OpenLDAP Foundation All Rights Reserved. .\" Copying restrictions apply. See COPYRIGHT/LICENSE. .\" $OpenLDAP$ .SH NAME -slapd-pw-argon2 \- Argon2 password module to slapd +slappw\-argon2 \- Argon2 password module to slapd .SH SYNOPSIS ETCDIR/slapd.conf .RS .LP -.B moduleload pw-argon2 +.B moduleload argon2 .RI [ ] .RE .SH DESCRIPTION .LP The -.B pw-argon2 +.B argon2 module to .BR slapd (8) provides support for the use of the key derivation function Argon2, @@ -27,7 +27,7 @@ for use in slapd. .SH CONFIGURATION The -.B pw-argon2 +.B argon2 module does not need any configuration, but it can be configured by giving the following parameters: .TP @@ -72,11 +72,11 @@ The relevant option/value is: .RS .LP .B \-o -.BR module\-load = pw-argon2 +.BR module\-load = argon2 .LP .RE Depending on -.BR pw-argon2 's +.BR argon2 's location, you may also need: .RS .LP diff --git a/servers/slapd/Makefile.in b/servers/slapd/Makefile.in index ad2be71c2b..cf58cda4f2 100644 --- a/servers/slapd/Makefile.in +++ b/servers/slapd/Makefile.in @@ -280,6 +280,9 @@ dummy $(SLAPD_DYNAMIC_BACKENDS): slapd dynamic_overlays: slapd cd overlays && $(MAKE) $(MFLAGS) dynamic +dynamic_pwmods: slapd + cd pwmods && $(MAKE) $(MFLAGS) dynamic + # # In Windows, dynamic backends have to be built after slapd. For this # reason, we only build static backends now and dynamic backends later. @@ -382,7 +385,7 @@ install-slapd: FORCE fi; \ done -all-cffiles: slapd $(SLAPD_DYNAMIC_BACKENDS) dynamic_overlays +all-cffiles: slapd $(SLAPD_DYNAMIC_BACKENDS) dynamic_overlays dynamic_pwmods @if test $(PLAT) = NT; then \ sysconfdir=`cygpath -w $(sysconfdir) | \ $(SED) -e 's/\\\\/\\\\\\\\\\\\\\\\/g'`; \ diff --git a/servers/slapd/pwmods/Makefile.in b/servers/slapd/pwmods/Makefile.in new file mode 100644 index 0000000000..8871abae8d --- /dev/null 
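Review bot: The new `dynamic_pwmods` target is hooked into `all-cffiles` only; nothing in these two hunks recurses into `pwmods` for `install`, `clean` or `depend`, although the new `servers/slapd/pwmods/Makefile.in` in this patch defines `install-local` and `depend-local` targets that expect to be driven from a parent. If `overlays` is listed in a `SUBDIRS` variable or an install loop elsewhere in this Makefile.in (not visible in the hunk), `pwmods` presumably needs the same entry, otherwise `make install` would build `argon2.la` but never install it. Worth confirming against the full file before merge.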
+++ b/servers/slapd/pwmods/Makefile.in @@ -0,0 +1,59 @@ +# Makefile.in for overlays +# $OpenLDAP$ +## This work is part of OpenLDAP Software . +## +## Copyright 2003-2021 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## . + +SRCS = argon2.c + +LTONLY_MOD = $(LTONLY_mod) +LDAP_INCDIR= ../../../include +LDAP_LIBDIR= ../../../libraries + +MOD_DEFS = -DSLAPD_IMPORT + +shared_LDAP_LIBS = $(LDAP_LIBLDAP_LA) $(LDAP_LIBLBER_LA) +NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) +UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + +LIBRARY = dummyvalue +PROGRAMS = @SLAPD_DYNAMIC_PWMODS@ + +XINCPATH = -I.. -I$(srcdir)/.. +XDEFS = $(MODULES_CPPFLAGS) + +dynamic: $(PROGRAMS) + +argon2.la : argon2.lo version.lo + $(LTLINK_MOD) -module -o $@ argon2.lo version.lo $(ARGON2_LIBS) $(LINK_LIBS) $(MODULES_LIBS) + +install-local: $(PROGRAMS) + @if test -n "$?" ; then \ + $(MKDIR) $(DESTDIR)$(moduledir); \ + $(LTINSTALL) $(INSTALLFLAGS) -m 755 $? $(DESTDIR)$(moduledir);\ + fi + +MKDEPFLAG = -l + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LTCOMPILE_MOD) $< + +# Must fixup depends for non-libtool objects +depend-local: depend-common + @if test -n "$(OBJS)"; then \ + OBJ2=`echo $(OBJS) $(OBJDEP) | $(SED) -e 's/\.o//g'`; \ + SCR=''; for i in $$OBJ2; do SCR="$$SCR -e s/^$$i.lo:/$$i.o:/"; done; \ + mv Makefile Makefile.bak; $(SED) $$SCR Makefile.bak > Makefile && \ + $(RM) Makefile.bak; fi + diff --git a/contrib/slapd-modules/passwd/argon2/README b/servers/slapd/pwmods/README.argon2 similarity index 94% rename from contrib/slapd-modules/passwd/argon2/README rename to servers/slapd/pwmods/README.argon2 index 13ba69fe12..cdb2d200b7 100644 --- a/contrib/slapd-modules/passwd/argon2/README 
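Review bot: The header of the new `servers/slapd/pwmods/Makefile.in` still reads `# Makefile.in for overlays`, a leftover from the file it was copied from; change it to `# Makefile.in for slapd password hashing modules`. The copyright range `2003-2021` looks inherited from that same template for a file created in this commit (the new test script in the same patch uses `2021`). `LIBRARY = dummyvalue` is likewise copied over; if it is only there to satisfy `build/lib.mk`, a one-line comment saying so would save the next reader a trip to the overlays Makefile.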
+++ b/servers/slapd/pwmods/README.argon2 @@ -1,7 +1,7 @@ Argon2 OpenLDAP support ---------------------- -pw-argon2.c provides support for ARGON2 hashed passwords in OpenLDAP. For +argon2.c provides support for ARGON2 hashed passwords in OpenLDAP. For instance, one could have the LDAP attribute: userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng @@ -22,13 +22,13 @@ For initial testing you might also want to edit DEFS to define SLAPD_ARGON2_DEBUG, which enables logging to stderr (don't leave this on in production, as it prints passwords in cleartext). -2) Run 'make' to produce pw-argon2.so +2) Run 'make' to produce argon2.so -3) Copy pw-argon2.so somewhere permanent. +3) Copy argon2.so somewhere permanent. 4) Edit your slapd.conf (eg. /etc/ldap/slapd.conf), and add: -moduleload ...path/to/pw-argon2.so +moduleload ...path/to/argon2.so 5) Restart slapd. diff --git a/contrib/slapd-modules/passwd/argon2/pw-argon2.c b/servers/slapd/pwmods/argon2.c similarity index 94% rename from contrib/slapd-modules/passwd/argon2/pw-argon2.c rename to servers/slapd/pwmods/argon2.c index 94c9e462f4..1e0142116f 100644 --- a/contrib/slapd-modules/passwd/argon2/pw-argon2.c +++ b/servers/slapd/pwmods/argon2.c @@ -1,4 +1,4 @@ -/* pw-argon2.c - Password module for argon2 */ +/* argon2.c - Password module for argon2 */ /* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * @@ -15,6 +15,7 @@ */ #include "portable.h" +#ifdef SLAPD_PWMOD_PW_ARGON2 #include "ac/string.h" #include "lber_pvt.h" #include "lutil.h" @@ -22,7 +23,7 @@ #include #include -#ifdef SLAPD_ARGON2_USE_ARGON2 +#ifdef HAVE_LIBARGON2 #include /* @@ -35,7 +36,7 @@ #define SLAPD_ARGON2_SALT_LENGTH 16 #define SLAPD_ARGON2_HASH_LENGTH 32 -#else /* !SLAPD_ARGON2_USE_ARGON2 */ +#else /* !HAVE_LIBARGON2 */ #include /* 
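Review bot: In the @@ -22 and @@ -35 hunks the include block now keys on `HAVE_LIBARGON2`, but the alternative is a bare `#else /* !HAVE_LIBARGON2 */` that assumes libsodium without checking `HAVE_LIBSODIUM`; the same pattern is repeated in the @@ -71, @@ -114 and @@ -161 hunks of the next chunk. `init_module` (@@ -175) guards `sodium_init()` with `#ifdef HAVE_LIBSODIUM`, so a build in which neither macro is defined would compile the libsodium hash and verify paths yet never initialise libsodium. configure.ac in this patch should only ever define one of the two, so this is defensive, but `#elif defined(HAVE_LIBSODIUM)` followed by a final `#else` / `#error "argon2 password module needs libargon2 or libsodium"` makes the assumption explicit and fails at compile time instead. The `#include` arguments are not legible in this rendering of the hunk, so the header names themselves are not reviewed here.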
@@ -71,7 +72,7 @@ slapd_argon2_hash( char *p; int rc = LUTIL_PASSWD_ERR; -#ifdef SLAPD_ARGON2_USE_ARGON2 +#ifdef HAVE_LIBARGON2 struct berval salt; size_t encoded_length; @@ -114,7 +115,7 @@ slapd_argon2_hash( hash->bv_len = scheme->bv_len + encoded_length; ber_memfree( salt.bv_val ); -#else /* !SLAPD_ARGON2_USE_ARGON2 */ +#else /* !HAVE_LIBARGON2 */ /* Not exposed by libsodium salt_length = SLAPD_ARGON2_SALT_LENGTH; hash_length = SLAPD_ARGON2_HASH_LENGTH; @@ -153,7 +154,7 @@ slapd_argon2_verify( { int rc = LUTIL_PASSWD_ERR; -#ifdef SLAPD_ARGON2_USE_ARGON2 +#ifdef HAVE_LIBARGON2 if ( strncmp( passwd->bv_val, "$argon2i$", STRLENOF("$argon2i$") ) == 0 ) { rc = argon2i_verify( passwd->bv_val, cred->bv_val, cred->bv_len ); } else if ( strncmp( passwd->bv_val, "$argon2d$", STRLENOF("$argon2d$") ) == 0 ) { @@ -161,7 +162,7 @@ slapd_argon2_verify( } else if ( strncmp( passwd->bv_val, "$argon2id$", STRLENOF("$argon2id$") ) == 0 ) { rc = argon2id_verify( passwd->bv_val, cred->bv_val, cred->bv_len ); } -#else /* !SLAPD_ARGON2_USE_ARGON2 */ +#else /* !HAVE_LIBARGON2 */ rc = crypto_pwhash_str_verify( passwd->bv_val, cred->bv_val, cred->bv_len ); #endif @@ -175,7 +176,7 @@ int init_module( int argc, char *argv[] ) { int i; -#ifndef SLAPD_ARGON2_USE_ARGON2 +#ifdef HAVE_LIBSODIUM if ( sodium_init() == -1 ) { return -1; } @@ -218,3 +219,4 @@ int init_module( int argc, char *argv[] ) return lutil_passwd_add( (struct berval *)&slapd_argon2_scheme, slapd_argon2_verify, slapd_argon2_hash ); } +#endif /* SLAPD_OVER_PW_ARGON2 */ diff --git a/tests/data/passwd.ldif b/tests/data/passwd.ldif index 528957ee6b..1f9ecbbc72 100644 --- a/tests/data/passwd.ldif +++ b/tests/data/passwd.ldif 
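Review bot: The closing `#endif /* SLAPD_OVER_PW_ARGON2 */` in the @@ -218 hunk does not match the guard it closes, which the @@ -15 hunk spells `#ifdef SLAPD_PWMOD_PW_ARGON2` (and which configure.ac defines under that name); use `#endif /* SLAPD_PWMOD_PW_ARGON2 */` so the pair can be found by grep. The body of `init_module` begins outside this hunk.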
@@ -27,3 +27,11 @@ objectclass: person cn: ssha sn: ssha userpassword: secret + +dn: cn=argon2,dc=example,dc=com +objectclass: person +cn: argon2 +sn: argon2 +userPassword:: e0FSR09OMn0kYXJnb24yaSR2PTE5JG09NDA5Nix0PTMscD0xJHZTc1orVnZjM + UhoZzc0WFNrdVZLOFEkd1B2UUc0blFMS2xaSkRGU0tna2k0L2NYejNLT2lOYXpwL2VDWkFWOFlt + Zw== diff --git a/tests/run.in b/tests/run.in index e45b537e61..ca0c1d81e1 100644 --- a/tests/run.in +++ b/tests/run.in @@ -41,6 +41,7 @@ AC_sql=sql@BUILD_SQL@ # overlays AC_accesslog=accesslog@BUILD_ACCESSLOG@ +AC_argon2=argon2@BUILD_PW_ARGON2@ AC_autoca=autoca@BUILD_AUTOCA@ AC_constraint=constraint@BUILD_CONSTRAINT@ AC_dds=dds@BUILD_DDS@ @@ -76,7 +77,7 @@ if test "${AC_asyncmeta}" = "asyncmetamod" && test "${AC_LIBS_DYNAMIC}" = "stati AC_meta="asyncmetano" fi export AC_ldap AC_mdb AC_meta AC_asyncmeta AC_monitor AC_null AC_perl AC_relay AC_sql \ - AC_accesslog AC_autoca AC_constraint AC_dds AC_dynlist AC_memberof \ + AC_accesslog AC_argon2 AC_autoca AC_constraint AC_dds AC_dynlist AC_memberof \ AC_pcache AC_ppolicy AC_refint AC_remoteauth \ AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \ AC_valsort \ diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh index 3510364f41..c1c767b13b 100755 --- a/tests/scripts/defines.sh +++ b/tests/scripts/defines.sh @@ -29,6 +29,7 @@ BACKSQL=${AC_sql-sqlno} # overlays ACCESSLOG=${AC_accesslog-accesslogno} +ARGON2=${AC_argon2-argon2no} AUTOCA=${AC_autoca-autocano} CONSTRAINT=${AC_constraint-constraintno} DDS=${AC_dds-ddsno} diff --git a/tests/scripts/test083-argon2 b/tests/scripts/test083-argon2 new file mode 100755 index 0000000000..ecfb06bb6b --- /dev/null +++ b/tests/scripts/test083-argon2 
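Review bot: `AC_argon2` in tests/run.in and `ARGON2` in tests/scripts/defines.sh are added under the existing `# overlays` heading although argon2 is a password hashing module, not an overlay, and the new test script reports `argon2 overlay not available` for the same reason. A separate `# password modules` comment above the new line in both files keeps the grouping honest and gives future pwmods an obvious place to go.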
@@ -0,0 +1,154 @@ +#!/bin/sh +# $OpenLDAP$ +## This work is part of OpenLDAP Software . +## +## Copyright 2021 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## . + +echo "running defines.sh" +. $SRCDIR/scripts/defines.sh + +if test $ARGON2 = argon2no; then + echo "argon2 overlay not available, test skipped" + exit 0 +fi + +USERDN="cn=argon2,$BASEDN" + +CONFDIR=$TESTDIR/slapd.d +mkdir -p $TESTDIR $CONFDIR $DBDIR1 + +$SLAPPASSWD -g -n >$CONFIGPWF + +cat > $TESTDIR/config.ldif <> $TESTDIR/config.ldif <> $TESTDIR/config.ldif <> $TESTDIR/config.ldif <> $TESTDIR/config.ldif < $LOG1 2>&1 & +PID=$! +if test $WAIT != 0 ; then + echo PID $PID + read foo +fi +KILLPIDS="$PID" +sleep 1 + +echo "Using ldapsearch to check that slapd is running..." +for i in 0 1 2 3 4 5; do + $LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \ + 'objectclass=*' > /dev/null 2>&1 + RC=$? + if test $RC = 0 ; then + break + fi + echo "Waiting 5 seconds for slapd to start..." + sleep 5 +done +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Adding basic structure..." +$LDAPADD -D "$MANAGERDN" -H $URI1 -w $PASSWD -f $LDIFPASSWD >/dev/null 2>&1 +RC=$? +if test $RC != 0 ; then + echo "ldapadd failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $PID + exit $RC +fi + +BINDPW=secret +echo "Testing ldapwhoami as ${USERDN}..." +$LDAPWHOAMI -H $URI1 -D "$USERDN" -w $BINDPW + +RC=$? +if test $RC != 0 ; then + echo "ldapwhoami failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +test $KILLSERVERS != no && kill -HUP $PID + +echo ">>>>> Test succeeded" + +test $KILLSERVERS != no && wait + +exit 0
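Review bot: The test only proves that a bind with the correct password succeeds; a verify routine that accepted any credential would pass it just the same, so a second `ldapwhoami` as `$USERDN` with a wrong password, expected to fail with result 49 (invalidCredentials), belongs before the success message. Exercising hash generation as well (`password-hash {ARGON2}` plus an `ldappasswd` followed by a bind) would cover the other half of the module now that it is an official build option; the here-document bodies that build `config.ldif` are not legible in this rendering, so whether that is already configured cannot be checked here. The skip message says `argon2 overlay not available` but argon2 is a password module; `argon2 password module not available, test skipped` matches what is built. `kill -HUP $PID` and `kill -HUP $KILLPIDS` are also used interchangeably; pick one.
```shell
# … unchanged: correct-password ldapwhoami check …
echo "Testing ldapwhoami as ${USERDN} with a wrong password..."
$LDAPWHOAMI -H $URI1 -D "$USERDN" -w "not-$BINDPW" >/dev/null 2>&1
RC=$?
if test $RC != 49 ; then
	echo "ldapwhoami should have failed with 49, got ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit 1
fi
# … unchanged: server shutdown, success message, wait, exit 0 …
```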