[server][auth][argon2] Use logarithmic memory parameter, set better defaults

2026-01-05 19:21:23 -06:00 · 2025-07-13 19:37:43 +05:30
parent 9064814b16
commit 6ca9dbc198
2 changed files with 5 additions and 5 deletions
--- a/server/internal/auth/crypt/argon2/argon2.go
+++ b/server/internal/auth/crypt/argon2/argon2.go
@@ -11,7 +11,7 @@ import (
 )

 type Config struct {
-	Memory      uint32 `koanf:"memory"`
+	Memory      uint8  `koanf:"memory"`
 	Iterations  uint32 `koanf:"iterations"`
 	Parallelism uint8  `koanf:"parallelism"`
 	Salt        uint32 `koanf:"salt"`
@@ -33,7 +33,7 @@ func (a argon) GenerateEncodedHash(password string) (string, error) {
 		return "", err
 	}

-	key := argon2.IDKey([]byte(password), salt, p.Iterations, p.Memory, p.Parallelism, p.Key)
+	key := argon2.IDKey([]byte(password), salt, p.Iterations, 1<<p.Memory, p.Parallelism, p.Key)

 	b64Salt := base64.RawStdEncoding.EncodeToString(salt)
 	b64Hash := base64.RawStdEncoding.EncodeToString(key)
@@ -51,7 +51,7 @@ func VerifyEncodedHash(password string, hashParts []string) (bool, error) {
 	}

 	// Derive the key from the provided password using the same parameters.
-	computedHash := argon2.IDKey([]byte(password), salt, p.Iterations, p.Memory, p.Parallelism, p.Key)
+	computedHash := argon2.IDKey([]byte(password), salt, p.Iterations, 1<<p.Memory, p.Parallelism, p.Key)

 	if subtle.ConstantTimeCompare(storedHash, computedHash) == 1 {
 		return true, nil
--- a/server/internal/command/config.defaults.yml
+++ b/server/internal/command/config.defaults.yml
@@ -27,8 +27,8 @@ auth:
    crypt:
      hash: argon2
      argon2: 
-        memory: 2048
-        iterations: 6
+        memory: 18
+        iterations: 4
        parallelism: 4
        salt: 32
        key: 32