ITS#9827 update Argon2 defaults

- switch to argon2id by default (from argon2i) - use OWASP recommended parameters as defaults This only affects builds that use libargon2, e.g. Debian, and not builds that use libsodium as argon2id is already the default there, and better parameters are used References: https://bugs.openldap.org/show_bug.cgi?id=9827 Signed-off-by: François Kooman <fkooman@tuxed.net>
2025-04-12 15:10:31 +08:00 · 2023-08-09 16:39:21 +02:00 · 2023-08-09 16:39:21 +02:00 · d13a07bf94
commit d13a07bf94
parent 9d07c21d76
1 changed files with 5 additions and 5 deletions
--- a/servers/slapd/pwmods/argon2.c
+++ b/servers/slapd/pwmods/argon2.c
@ -29,11 +29,11 @@
 #include <argon2.h>

 /*
- * For now, we hardcode the default values from the argon2 command line tool
- * (as of argon2 release 20161029)
+ * Use OWASP recommended values (retrieved on 2023-08-07)
+ * @see https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
 */
-#define SLAPD_ARGON2_ITERATIONS 3
-#define SLAPD_ARGON2_MEMORY (1 << 12)
+#define SLAPD_ARGON2_ITERATIONS 2
+#define SLAPD_ARGON2_MEMORY 19456
 #define SLAPD_ARGON2_PARALLELISM 1
 #define SLAPD_ARGON2_SALT_LENGTH 16
 #define SLAPD_ARGON2_HASH_LENGTH 32
@ -108,7 +108,7 @@ slapd_argon2_hash(
 	/*
 	 * Do the actual heavy lifting
 	 */
-	if ( argon2i_hash_encoded( iterations, memory, parallelism,
+	if ( argon2id_hash_encoded( iterations, memory, parallelism,
 				passwd->bv_val, passwd->bv_len,
 				salt.bv_val, salt_length, hash_length,
 				p, encoded_length ) == 0 ) {