[password] increase the number of argon2 iterations (#4556)

To get this test to pass on my Ryzen 7950X running Linux 6.5.6, I had to
bump up the number of argon2 iterations all the way up from 13 to 23.
See this comment thread for more benchmarks against gimlets etc.

Fixes #4555.

Author: sunshowers

nexus/db-queries/src/db/datastore/rack.rs

@@ -1101,10 +1101,10 @@ mod test {
                     DNS_ZONE
                 ),
                 recovery_user_id: "test-user".parse().unwrap(),
-                // empty string password
-                recovery_user_password_hash: "$argon2id$v=19$m=98304,t=13,\
-                p=1$d2t2UHhOdWt3NkYyY1l3cA$pIvmXrcTk/\
-                nsUzWvBQIeuMJk96ijye/oIXHCj15xg+M"
+                // Generated via `cargo run --example argon2 -- --input ""`.
+                recovery_user_password_hash: "$argon2id$v=19$m=98304,t=23,\
+                    p=1$E4DE+f6Yduuy0nSubo5qtg$57JDYGov3SZoEZnLyZZBHOACH95s\
+                    8aOpG22zBoWZ2S4"
                     .parse()
                     .unwrap(),
                 dns_update: DnsVersionUpdateBuilder::new(

passwords/examples/argon2.rs

@@ -57,6 +57,7 @@ fn main() -> anyhow::Result<()> {
     println!("  'm' cost: {} KiB", cli.m_cost);
     println!("  'p' cost: {} (degree of parallelism)", cli.p_cost);
     println!("  't' cost: {} (number of iterations)", cli.t_cost);
+    println!("password hash: {}", password_hash);
     println!(
         "output size override: {}",
         OUTPUT_SIZE_OVERRIDE

passwords/src/lib.rs

@@ -34,7 +34,7 @@ use thiserror::Error;
 // output length.
 const ARGON2_ALGORITHM: argon2::Algorithm = argon2::Algorithm::Argon2id;
 pub const ARGON2_COST_M_KIB: u32 = 96 * 1024;
-pub const ARGON2_COST_T: u32 = 13;
+pub const ARGON2_COST_T: u32 = 23;
 pub const ARGON2_COST_P: u32 = 1;
 
 // Maximum password length, intended to prevent denial of service attacks.  See
@@ -589,62 +589,66 @@ mod test {
             parse_phc_hash("dummy").unwrap_err(),
             "password hash: password hash string missing field"
         );
-        // This input was generated from argon2.online using the empty string as
-        // input.
+        // This input was generated via `cargo run --example argon2 -- --input ""`.
         let _ = parse_phc_hash(
-            "$argon2id$v=19$m=98304,t=13,p=1$MDEyMzQ1Njc4OTAxMjM0NQ\
-            $tFRlFMnzazQduuAkXOEi6k9g88nwBbUV8rJI0PjT8/I",
+            "$argon2id$v=19$m=98304,t=23,\
+             p=1$E4DE+f6Yduuy0nSubo5qtg$57JDYGov3SZoEZnLyZZBHOACH95s\
+             8aOpG22zBoWZ2S4",
         )
         .unwrap();
 
         // The following inputs were constructed by taking the valid hash above
         // and adjusting the string by hand.
         assert_eq!(
             parse_phc_hash(
-                "$argon2i$v=19$m=98304,t=13,p=1$MDEyMzQ1Njc4OTAxMjM0NQ\
-                $tFRlFMnzazQduuAkXOEi6k9g88nwBbUV8rJI0PjT8/I"
+                "$argon2i$v=19$m=98304,t=23,\
+                 p=1$E4DE+f6Yduuy0nSubo5qtg$57JDYGov3SZoEZnLyZZBHOACH95s\
+                 8aOpG22zBoWZ2S4",
             )
             .unwrap_err(),
             "password hash: algorithm: expected argon2id, found argon2i"
         );
         assert_eq!(
             parse_phc_hash(
-                "$argon2id$v=19$m=98304,t=13,p=1$\
-                $tFRlFMnzazQduuAkXOEi6k9g88nwBbUV8rJI0PjT8/I"
+                "$argon2id$v=19$m=98304,t=23,p=1$\
+                 $57JDYGov3SZoEZnLyZZBHOACH95s8aOpG22zBoWZ2S4",
             )
             .unwrap_err(),
             // sic
             "password hash: salt invalid: value to short",
         );
         assert_eq!(
             parse_phc_hash(
-                "$argon2id$v=19$m=98304,t=13,p=1$MDEyMzQ1Njc\
-                $tFRlFMnzazQduuAkXOEi6k9g88nwBbUV8rJI0PjT8/I"
+                "$argon2id$v=19$m=98304,t=23,p=1$E4DE+f6Ydu$\
+                 57JDYGov3SZoEZnLyZZBHOACH95s8aOpG22zBoWZ2S4",
             )
             .unwrap_err(),
             "password hash: salt: expected at least 16 bytes",
         );
         assert_eq!(
             parse_phc_hash(
-                "$argon2id$v=19$m=4096,t=13,p=1$MDEyMzQ1Njc4OTAxMjM0NQ\
-                $tFRlFMnzazQduuAkXOEi6k9g88nwBbUV8rJI0PjT8/I"
+                "$argon2id$v=19$m=4096,t=23,\
+                 p=1$E4DE+f6Yduuy0nSubo5qtg$57JDYGov3SZoEZnLyZZBHOACH95s\
+                 8aOpG22zBoWZ2S4",
             )
             .unwrap_err(),
             "password hash: parameter 'm': expected at least 98304 (KiB), \
             found 4096"
         );
         assert_eq!(
             parse_phc_hash(
-                "$argon2id$v=19$m=98304,t=12,p=1$MDEyMzQ1Njc4OTAxMjM0NQ\
-                $tFRlFMnzazQduuAkXOEi6k9g88nwBbUV8rJI0PjT8/I"
+                "$argon2id$v=19$m=98304,t=22,\
+                 p=1$E4DE+f6Yduuy0nSubo5qtg$57JDYGov3SZoEZnLyZZBHOACH95s\
+                 8aOpG22zBoWZ2S4",
             )
             .unwrap_err(),
-            "password hash: parameter 't': expected at least 13, found 12"
+            "password hash: parameter 't': expected at least 23, found 22"
         );
         assert_eq!(
             parse_phc_hash(
-                "$argon2id$v=19$m=98304,t=13,p=0$MDEyMzQ1Njc4OTAxMjM0NQ\
-                $tFRlFMnzazQduuAkXOEi6k9g88nwBbUV8rJI0PjT8/I"
+                "$argon2id$v=19$m=98304,t=23,\
+                 p=0$E4DE+f6Yduuy0nSubo5qtg$57JDYGov3SZoEZnLyZZBHOACH95s\
+                 8aOpG22zBoWZ2S4",
             )
             .unwrap_err(),
             // sic

sled-agent/src/rack_setup/plan/service.rs

@@ -1223,7 +1223,12 @@ mod tests {
             recovery_silo: RecoverySiloConfig {
                 silo_name: "recovery".parse().unwrap(),
                 user_name: "recovery".parse().unwrap(),
-                user_password_hash: "$argon2id$v=19$m=98304,t=13,p=1$RUlWc0ZxaHo0WFdrN0N6ZQ$S8p52j85GPvMhR/ek3GL0el/oProgTwWpHJZ8lsQQoY".parse().unwrap(),
+                // Generated via `cargo run --example argon2`.
+                user_password_hash: "$argon2id$v=19$m=98304,t=23,\
+                    p=1$Naz/hHpgS8GXQqT8Zm0Nog$ucAKOsMiq70xtAEaLCY\
+                    unjEgDyjSnuXaKTfmMKpKQIA"
+                    .parse()
+                    .unwrap(),
             },
             rack_network_config: RackNetworkConfig {
                 rack_subnet: Ipv6Net::host_net(Ipv6Addr::LOCALHOST),

sled-agent/src/sim/server.rs

@@ -514,10 +514,14 @@ pub async fn run_standalone_server(
         // individuals running this program who then want to log in as this
         // user.  For more on what's supported, see the API docs for this
         // type and the specific constraints in the nexus-passwords crate.
-        user_password_hash: "$argon2id$v=19$m=98304,t=13,p=1$\
-        RUlWc0ZxaHo0WFdrN0N6ZQ$S8p52j85GPvMhR/ek3GL0el/oProgTwWpHJZ8lsQQoY"
-            .parse()
-            .unwrap(),
+        //
+        // The hash was generated via:
+        // `cargo run --example argon2 -- --input oxide`.
+        user_password_hash:
+            "$argon2id$v=19$m=98304,t=23,p=1$Effh/p6M2ZKdnpJFeGqtGQ$\
+             ZtUwcVODAvUAVK6EQ5FJMv+GMlUCo9PQQsy9cagL+EU"
+                .parse()
+                .unwrap(),
     };
 
     let mut crucible_datasets = vec![];

sled-agent/types/src/rack_init.rs

@@ -486,7 +486,12 @@ mod tests {
             recovery_silo: RecoverySiloConfig {
                 silo_name: "recovery".parse().unwrap(),
                 user_name: "recovery".parse().unwrap(),
-                user_password_hash: "$argon2id$v=19$m=98304,t=13,p=1$RUlWc0ZxaHo0WFdrN0N6ZQ$S8p52j85GPvMhR/ek3GL0el/oProgTwWpHJZ8lsQQoY".parse().unwrap(),
+                // Generated via `cargo run --example argon2 -- --input oxide`.
+                user_password_hash:
+                    "$argon2id$v=19$m=98304,t=23,p=1$Effh/p6M2ZKdnpJFeGqtGQ$\
+                     ZtUwcVODAvUAVK6EQ5FJMv+GMlUCo9PQQsy9cagL+EU"
+                        .parse()
+                        .unwrap(),
             },
             rack_network_config: RackNetworkConfig {
                 rack_subnet: Ipv6Net::host_net(Ipv6Addr::LOCALHOST),
@@ -607,11 +612,11 @@ mod tests {
                 user_name: "dummy".parse().unwrap(),
                 // This is a hash for the password "oxide".  It doesn't matter,
                 // though; it's not used.
-                user_password_hash: "$argon2id$v=19$m=98304,t=13,p=1$\
-                    RUlWc0ZxaHo0WFdrN0N6ZQ$S8p52j85GPvMhR/\
-                    ek3GL0el/oProgTwWpHJZ8lsQQoY"
-                    .parse()
-                    .unwrap(),
+                user_password_hash:
+                    "$argon2id$v=19$m=98304,t=23,p=1$Effh/p6M2ZKdnpJFeGqtGQ$\
+                     ZtUwcVODAvUAVK6EQ5FJMv+GMlUCo9PQQsy9cagL+EU"
+                        .parse()
+                        .unwrap(),
             },
             rack_network_config: RackNetworkConfig {
                 rack_subnet: Ipv6Net::new(

smf/sled-agent/gimlet-standalone/config-rss.toml

@@ -144,4 +144,4 @@ user_name = "recovery"
 # (2) the end-to-end tests, which use this password to log in to a
 # newly-initialized rack.  For more on what's supported, see the API docs for
 # this type and the specific constraints in the omicron-passwords crate.
-user_password_hash = "$argon2id$v=19$m=98304,t=13,p=1$RUlWc0ZxaHo0WFdrN0N6ZQ$S8p52j85GPvMhR/ek3GL0el/oProgTwWpHJZ8lsQQoY"
+user_password_hash = "$argon2id$v=19$m=98304,t=23,p=1$Effh/p6M2ZKdnpJFeGqtGQ$ZtUwcVODAvUAVK6EQ5FJMv+GMlUCo9PQQsy9cagL+EU"

smf/sled-agent/non-gimlet/config-rss.toml

@@ -159,4 +159,4 @@ user_name = "recovery"
 # individuals running this program who then want to log in as this user.  For
 # more on what's supported, see the API docs for this type and the specific
 # constraints in the omicron-passwords crate.
-user_password_hash = "$argon2id$v=19$m=98304,t=13,p=1$RUlWc0ZxaHo0WFdrN0N6ZQ$S8p52j85GPvMhR/ek3GL0el/oProgTwWpHJZ8lsQQoY"
+user_password_hash = "$argon2id$v=19$m=98304,t=23,p=1$Effh/p6M2ZKdnpJFeGqtGQ$ZtUwcVODAvUAVK6EQ5FJMv+GMlUCo9PQQsy9cagL+EU"