ITS#9827 update Argon2 defaults

- switch to argon2id by default (from argon2i)
- use OWASP recommended parameters as defaults

This only affects builds that use libargon2, e.g. Debian, and
not builds that use libsodium as argon2id is already the
default there, and better parameters are used

References: https://bugs.openldap.org/show_bug.cgi?id=9827
Signed-off-by: François Kooman <fkooman@tuxed.net>

diff --git a/servers/slapd/pwmods/argon2.c b/servers/slapd/pwmods/argon2.c
index f3f7b4cbfb1a6d5adb4768b0c88eafb9a0005203..7c672714dc0fc931946701dfca9c30451b34296d 100644 (file)
--- a/servers/slapd/pwmods/argon2.c
+++ b/servers/slapd/pwmods/argon2.c
@@ -29,11 +29,11 @@
 #include <argon2.h>
 
 /*
- * For now, we hardcode the default values from the argon2 command line tool
- * (as of argon2 release 20161029)
+ * Use OWASP recommended values (retrieved on 2023-08-07)
+ * @see https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
  */
-#define SLAPD_ARGON2_ITERATIONS 3
-#define SLAPD_ARGON2_MEMORY (1 << 12)
+#define SLAPD_ARGON2_ITERATIONS 2
+#define SLAPD_ARGON2_MEMORY 19456
 #define SLAPD_ARGON2_PARALLELISM 1
 #define SLAPD_ARGON2_SALT_LENGTH 16
 #define SLAPD_ARGON2_HASH_LENGTH 32
@@ -108,7 +108,7 @@ slapd_argon2_hash(
        /*
         * Do the actual heavy lifting
         */
-       if ( argon2i_hash_encoded( iterations, memory, parallelism,
+       if ( argon2id_hash_encoded( iterations, memory, parallelism,
                                passwd->bv_val, passwd->bv_len,
                                salt.bv_val, salt_length, hash_length,
                                p, encoded_length ) == 0 ) {