Add support for Argon2 password hashing

[mmd-osm]

See openstreetmap/openstreetmap-website#3353

TODOs:

• Add argon2 verify_password in https://github.com/zerebubuth/openstreetmap-cgimap/blob/master/src/basicauth.cpp
• Add test cases: https://github.com/zerebubuth/openstreetmap-cgimap/blob/master/test/test_basicauth.cpp
• Update https://github.com/zerebubuth/openstreetmap-cgimap/blob/master/Dockerfile
• Add libargon2-dev https://github.com/zerebubuth/openstreetmap-cgimap/blob/ubuntu/focal/debian/control
• Update lib install instructions https://github.com/zerebubuth/openstreetmap-cgimap/blob/master/README#L55
• Update configure.ac w/ libargon2
• End-to-end test Rails port -> cgimap
• Deploy libargon2-dev on errol
• Add libargon2-1 in Dockerfile
• New release 0.8.6
• Building new PPA, https://launchpad.net/~mmd-osm/+archive/ubuntu/cgimap-806-focal
• Test PPA

Test package on ubuntu 20.04 container: deps ok.

 openstreetmap-cgimap --help
CGImap 0.8.6: Allowed options:
  --help                        display this help and exit
  --daemon                      run as a daemon
  --instances arg (=5)          number of daemon instances to run
  --pidfile arg                 file to write pid to

• Copy PPA over to https://launchpad.net/~mmd-osm/+archive/ubuntu/cgimap

[tomhughes]

The libargon2 in Ubuntu (from https://github.com/P-H-C/phc-winner-argon2) should do everything that's needed I think.

[tomhughes]

I think you just need to use argon2_verify though I'm not sure why it needs to be passed the type as that is in the encoded password, unless the ruby bindings are adding that to what the library produces?

[mmd-osm]

I don't think argon2_verify will work when using a secret (PEPPER). The function interface doesn't expose a parameter for the secret. OTOH argon2_verify_ctx depends on decode_string() down the road which isn't exposed by the library and needs to be reimplemented (according to some issue I've found on the argon2 issue tracker). Probably the Ruby library did something similar in https://github.com/technion/ruby-argon2/blob/master/ext/argon2_wrap/argon_wrap.c#L101-L167

I'm not super excited about those workarounds and additional dependencies, and it might take a while to sort this all out.

[mmd-osm]

So the Ruby gem is using a local copy of the argon2 C library in https://github.com/technion/ruby-argon2/tree/master/ext to include the "decode_string" function straight from the source code. The Ubuntu package you've mentioned only exposes argon2.h, which is the official API (see https://packages.debian.org/sid/amd64/libargon2-dev/filelist). Directly including any security related source code raises a few red flags here.

Related issue: P-H-C/phc-winner-argon2#314

Regarding the type, I think the expectation is to parse the "$argon2..:" hash value and figure out for yourself what the respective type is. Again, this is a big no go. To me, the hash value should be an opaque string. How about providing the hash and a password to some function and have the library figure out the rest, obviously using the official API?

https://github.com/technion/ruby-argon2/blob/master/ext/argon2_wrap/argon_wrap.c#L125-L136

[tzapzoor]

Hey @mmd-osm. Was playing around with this project's Dockerfile in the master branch and noticed that you also need to install libargon2-0 via apt otherwise you get this error libargon2.so.0: cannot open shared object file: No such file or directory.

[mmd-osm]

Yes, that's spot on, will do.

[mmd-osm]

I added libargon2-1 instead, seems to work ok here.

[mmd-osm]

Fix pushed as e1dd56e