ITS#9827 update Argon2 defaults

- switch to argon2id by default (from argon2i)
- use OWASP recommended parameters as defaults

This only affects builds that use libargon2, e.g. Debian, and
not builds that use libsodium as argon2id is already the
default there, and better parameters are used

References: https://bugs.openldap.org/show_bug.cgi?id=9827
Signed-off-by: François Kooman <fkooman@tuxed.net>

diff --git a/servers/slapd/pwmods/argon2.c b/servers/slapd/pwmods/argon2.c
index 68d4ad73cdf8e5f359d86c31ba7509109f51200a..a9a19ee81de995e70e6420a72aefa3e247d28326 100644 (file)
--- a/servers/slapd/pwmods/argon2.c
+++ b/servers/slapd/pwmods/argon2.c
@@ -29,11 +29,11 @@
 #include <argon2.h>
 
 /*
- * For now, we hardcode the default values from the argon2 command line tool
- * (as of argon2 release 20161029)
+ * Use OWASP recommended values (retrieved on 2023-08-07)
+ * @see https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
  */
-#define SLAPD_ARGON2_ITERATIONS 3
-#define SLAPD_ARGON2_MEMORY (1 << 12)
+#define SLAPD_ARGON2_ITERATIONS 2
+#define SLAPD_ARGON2_MEMORY 19456
 #define SLAPD_ARGON2_PARALLELISM 1
 #define SLAPD_ARGON2_SALT_LENGTH 16
 #define SLAPD_ARGON2_HASH_LENGTH 32
@@ -108,7 +108,7 @@ slapd_argon2_hash(
        /*
         * Do the actual heavy lifting
         */
-       if ( argon2i_hash_encoded( iterations, memory, parallelism,
+       if ( argon2id_hash_encoded( iterations, memory, parallelism,
                                passwd->bv_val, passwd->bv_len,
                                salt.bv_val, salt_length, hash_length,
                                p, encoded_length ) == 0 ) {