std.crypto.pwhash: Add recommended parameters (#20527)

These parameters follow the OWASP cheat sheet.
Shun Sakai 2024-07-08 05:18:33 +09:00 committed by GitHub
parent c40708a2ce
commit 8f20e81b88
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 14 additions and 0 deletions


@ -91,6 +91,10 @@ pub const Params = struct {
/// Baseline parameters for offline usage using argon2id type /// Baseline parameters for offline usage using argon2id type
pub const sensitive_2id = Self.fromLimits(4, 1073741824); pub const sensitive_2id = Self.fromLimits(4, 1073741824);
/// Recommended parameters for argon2id type according to the
/// [OWASP cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html).
pub const owasp_2id = Self{ .t = 2, .m = 19 * 1024, .p = 1 };
/// Create parameters from ops and mem limits, where mem_limit given in bytes /// Create parameters from ops and mem limits, where mem_limit given in bytes
pub fn fromLimits(ops_limit: u32, mem_limit: usize) Self { pub fn fromLimits(ops_limit: u32, mem_limit: usize) Self {
const m = mem_limit / 1024; const m = mem_limit / 1024;
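Review bot: The doc comment on `owasp_2id` says "Recommended parameters", but the OWASP cheat sheet gives t=2, 19 MiB, p=1 as a minimum configuration, and the bcrypt constant added in this same commit is already worded "Minimum recommended". I would change the first line to `/// Minimum recommended parameters for argon2id type according to the` and make the matching change on `owasp` in the scrypt section. The cheat sheet is revised over time, so the comment should also record when the values were taken, e.g. `/// Values as of <date checked>; re-check the cheat sheet before relying on them.`. It would also help to state that `.m` is in KiB, which `fromLimits` dividing a byte count by 1024 implies, so that `19 * 1024` reads as 19 MiB. `fromLimits` continues past the end of this hunk.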


@ -408,8 +408,14 @@ pub const State = struct {
/// bcrypt parameters /// bcrypt parameters
pub const Params = struct { pub const Params = struct {
const Self = @This();
/// log2 of the number of rounds /// log2 of the number of rounds
rounds_log: u6, rounds_log: u6,
/// Minimum recommended parameters according to the
/// [OWASP cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html).
pub const owasp = Self{ .rounds_log = 10 };
}; };
/// Compute a hash of a password using 2^rounds_log rounds of the bcrypt key stretching function. /// Compute a hash of a password using 2^rounds_log rounds of the bcrypt key stretching function.
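Review bot: The comment on `owasp` cites the cheat sheet for the work factor only, but that guidance carries two conditions a caller choosing this constant should see. It presents bcrypt as the option for legacy systems where Argon2id and scrypt are not available, and it pairs the work factor of 10 with a 72-byte password limit. I would add `/// OWASP suggests bcrypt only where argon2id or scrypt cannot be used, and assumes passwords of at most 72 bytes.` below the link. How this module treats longer passwords is not visible in this section, so the wording should match what the hash functions here actually do.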


@ -141,6 +141,10 @@ pub const Params = struct {
/// Baseline parameters for offline usage /// Baseline parameters for offline usage
pub const sensitive = Self.fromLimits(33554432, 1073741824); pub const sensitive = Self.fromLimits(33554432, 1073741824);
/// Recommended parameters according to the
/// [OWASP cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html).
pub const owasp = Self{ .ln = 17, .r = 8, .p = 1 };
/// Create parameters from ops and mem limits, where mem_limit given in bytes /// Create parameters from ops and mem limits, where mem_limit given in bytes
pub fn fromLimits(ops_limit: u64, mem_limit: usize) Self { pub fn fromLimits(ops_limit: u64, mem_limit: usize) Self {
const ops = @max(32768, ops_limit); const ops = @max(32768, ops_limit);
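Review bot: The comment on `owasp` does not say what these values cost at run time. Assuming `ln` is log2 of N, `ln = 17` with `r = 8` needs about 128 * 8 * 2^17 bytes = 128 MiB per hash, far more than the 19 MiB of the argon2id constant added in this commit. A service that hashes on every login attempt has to bound concurrent hashing to match, otherwise unauthenticated requests can exhaust memory. I would add `/// Uses about 128 MiB of memory per hash (128 * r * 2^ln bytes).` to the doc comment. `fromLimits` continues past the end of this hunk.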