1 /*
2  * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  *
9  * RFC 9106 Argon2 (see https://www.rfc-editor.org/rfc/rfc9106.txt)
10  *
11  */
12 
13 #include <stdlib.h>
14 #include <stddef.h>
15 #include <stdarg.h>
16 #include <string.h>
17 #include <openssl/e_os2.h>
18 #include <openssl/evp.h>
19 #include <openssl/objects.h>
20 #include <openssl/crypto.h>
21 #include <openssl/kdf.h>
22 #include <openssl/err.h>
23 #include <openssl/core_names.h>
24 #include <openssl/params.h>
25 #include <openssl/thread.h>
26 #include <openssl/proverr.h>
27 #include "internal/thread.h"
28 #include "internal/numbers.h"
29 #include "internal/endian.h"
30 #include "crypto/evp.h"
31 #include "prov/implementations.h"
32 #include "prov/provider_ctx.h"
33 #include "prov/providercommon.h"
34 #include "prov/blake2.h"
35 
36 #if defined(OPENSSL_NO_DEFAULT_THREAD_POOL) && defined(OPENSSL_NO_THREAD_POOL)
37 # define ARGON2_NO_THREADS
38 #endif
39 
40 #if !defined(OPENSSL_THREADS)
41 # define ARGON2_NO_THREADS
42 #endif
43 
44 #ifndef OPENSSL_NO_ARGON2
45 
46 # define ARGON2_MIN_LANES 1u
47 # define ARGON2_MAX_LANES 0xFFFFFFu
48 # define ARGON2_MIN_THREADS 1u
49 # define ARGON2_MAX_THREADS 0xFFFFFFu
50 # define ARGON2_SYNC_POINTS 4u
51 # define ARGON2_MIN_OUT_LENGTH 4u
52 # define ARGON2_MAX_OUT_LENGTH 0xFFFFFFFFu
53 # define ARGON2_MIN_MEMORY (2 * ARGON2_SYNC_POINTS)
54 # define ARGON2_MIN(a, b) ((a) < (b) ? (a) : (b))
55 # define ARGON2_MAX_MEMORY 0xFFFFFFFFu
56 # define ARGON2_MIN_TIME 1u
57 # define ARGON2_MAX_TIME 0xFFFFFFFFu
58 # define ARGON2_MIN_PWD_LENGTH 0u
59 # define ARGON2_MAX_PWD_LENGTH 0xFFFFFFFFu
60 # define ARGON2_MIN_AD_LENGTH 0u
61 # define ARGON2_MAX_AD_LENGTH 0xFFFFFFFFu
62 # define ARGON2_MIN_SALT_LENGTH 8u
63 # define ARGON2_MAX_SALT_LENGTH 0xFFFFFFFFu
64 # define ARGON2_MIN_SECRET 0u
65 # define ARGON2_MAX_SECRET 0xFFFFFFFFu
66 # define ARGON2_BLOCK_SIZE 1024
67 # define ARGON2_QWORDS_IN_BLOCK ((ARGON2_BLOCK_SIZE) / 8)
68 # define ARGON2_OWORDS_IN_BLOCK ((ARGON2_BLOCK_SIZE) / 16)
69 # define ARGON2_HWORDS_IN_BLOCK ((ARGON2_BLOCK_SIZE) / 32)
70 # define ARGON2_512BIT_WORDS_IN_BLOCK ((ARGON2_BLOCK_SIZE) / 64)
71 # define ARGON2_ADDRESSES_IN_BLOCK 128
72 # define ARGON2_PREHASH_DIGEST_LENGTH 64
73 # define ARGON2_PREHASH_SEED_LENGTH \
74     (ARGON2_PREHASH_DIGEST_LENGTH + (2 * sizeof(uint32_t)))
75 
76 # define ARGON2_DEFAULT_OUTLEN 64u
77 # define ARGON2_DEFAULT_T_COST 3u
78 # define ARGON2_DEFAULT_M_COST ARGON2_MIN_MEMORY
79 # define ARGON2_DEFAULT_LANES  1u
80 # define ARGON2_DEFAULT_THREADS 1u
81 # define ARGON2_DEFAULT_VERSION ARGON2_VERSION_NUMBER
82 
83 # undef G
84 # define G(a, b, c, d)                                                        \
85     do {                                                                      \
86         a = a + b + 2 * mul_lower(a, b);                                      \
87         d = rotr64(d ^ a, 32);                                                \
88         c = c + d + 2 * mul_lower(c, d);                                      \
89         b = rotr64(b ^ c, 24);                                                \
90         a = a + b + 2 * mul_lower(a, b);                                      \
91         d = rotr64(d ^ a, 16);                                                \
92         c = c + d + 2 * mul_lower(c, d);                                      \
93         b = rotr64(b ^ c, 63);                                                \
94     } while ((void)0, 0)
95 
96 # undef PERMUTATION_P
97 # define PERMUTATION_P(v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11,      \
98                        v12, v13, v14, v15)                                    \
99     do {                                                                      \
100         G(v0, v4, v8, v12);                                                   \
101         G(v1, v5, v9, v13);                                                   \
102         G(v2, v6, v10, v14);                                                  \
103         G(v3, v7, v11, v15);                                                  \
104         G(v0, v5, v10, v15);                                                  \
105         G(v1, v6, v11, v12);                                                  \
106         G(v2, v7, v8, v13);                                                   \
107         G(v3, v4, v9, v14);                                                   \
108     } while ((void)0, 0)
109 
110 # undef PERMUTATION_P_COLUMN
111 # define PERMUTATION_P_COLUMN(x, i)                                           \
112     do {                                                                      \
113         uint64_t *base = &x[16 * i];                                          \
114         PERMUTATION_P(                                                        \
115             *base,        *(base + 1),  *(base + 2),  *(base + 3),            \
116             *(base + 4),  *(base + 5),  *(base + 6),  *(base + 7),            \
117             *(base + 8),  *(base + 9),  *(base + 10), *(base + 11),           \
118             *(base + 12), *(base + 13), *(base + 14), *(base + 15)            \
119         );                                                                    \
120     } while ((void)0, 0)
121 
122 # undef PERMUTATION_P_ROW
123 # define PERMUTATION_P_ROW(x, i)                                              \
124     do {                                                                      \
125         uint64_t *base = &x[2 * i];                                           \
126         PERMUTATION_P(                                                        \
127             *base,        *(base + 1),  *(base + 16),  *(base + 17),          \
128             *(base + 32), *(base + 33), *(base + 48),  *(base + 49),          \
129             *(base + 64), *(base + 65), *(base + 80),  *(base + 81),          \
130             *(base + 96), *(base + 97), *(base + 112), *(base + 113)          \
131         );                                                                    \
132     } while ((void)0, 0)
133 
134 typedef struct {
135     uint64_t v[ARGON2_QWORDS_IN_BLOCK];
136 } BLOCK;
137 
138 typedef enum {
139     ARGON2_VERSION_10 = 0x10,
140     ARGON2_VERSION_13 = 0x13,
141     ARGON2_VERSION_NUMBER = ARGON2_VERSION_13
142 } ARGON2_VERSION;
143 
144 typedef enum {
145     ARGON2_D  = 0,
146     ARGON2_I  = 1,
147     ARGON2_ID = 2
148 } ARGON2_TYPE;
149 
150 typedef struct {
151     uint32_t pass;
152     uint32_t lane;
153     uint8_t slice;
154     uint32_t index;
155 } ARGON2_POS;
156 
157 typedef struct {
158     void *provctx;
159     uint32_t outlen;
160     uint8_t *pwd;
161     uint32_t pwdlen;
162     uint8_t *salt;
163     uint32_t saltlen;
164     uint8_t *secret;
165     uint32_t secretlen;
166     uint8_t *ad;
167     uint32_t adlen;
168     uint32_t t_cost;
169     uint32_t m_cost;
170     uint32_t lanes;
171     uint32_t threads;
172     uint32_t version;
173     uint32_t early_clean;
174     ARGON2_TYPE type;
175     BLOCK *memory;
176     uint32_t passes;
177     uint32_t memory_blocks;
178     uint32_t segment_length;
179     uint32_t lane_length;
180     OSSL_LIB_CTX *libctx;
181     EVP_MD *md;
182     EVP_MAC *mac;
183     char *propq;
184 } KDF_ARGON2;
185 
186 typedef struct {
187     ARGON2_POS pos;
188     KDF_ARGON2 *ctx;
189 } ARGON2_THREAD_DATA;
190 
191 static OSSL_FUNC_kdf_newctx_fn kdf_argon2i_new;
192 static OSSL_FUNC_kdf_newctx_fn kdf_argon2d_new;
193 static OSSL_FUNC_kdf_newctx_fn kdf_argon2id_new;
194 static OSSL_FUNC_kdf_freectx_fn kdf_argon2_free;
195 static OSSL_FUNC_kdf_reset_fn kdf_argon2_reset;
196 static OSSL_FUNC_kdf_derive_fn kdf_argon2_derive;
197 static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_argon2_settable_ctx_params;
198 static OSSL_FUNC_kdf_set_ctx_params_fn kdf_argon2_set_ctx_params;
199 
200 static void kdf_argon2_init(KDF_ARGON2 *ctx, ARGON2_TYPE t);
201 static void *kdf_argon2d_new(void *provctx);
202 static void *kdf_argon2i_new(void *provctx);
203 static void *kdf_argon2id_new(void *provctx);
204 static void kdf_argon2_free(void *vctx);
205 static int kdf_argon2_derive(void *vctx, unsigned char *out, size_t outlen,
206                              const OSSL_PARAM params[]);
207 static void kdf_argon2_reset(void *vctx);
208 static int kdf_argon2_ctx_set_threads(KDF_ARGON2 *ctx, uint32_t threads);
209 static int kdf_argon2_ctx_set_lanes(KDF_ARGON2 *ctx, uint32_t lanes);
210 static int kdf_argon2_ctx_set_t_cost(KDF_ARGON2 *ctx, uint32_t t_cost);
211 static int kdf_argon2_ctx_set_m_cost(KDF_ARGON2 *ctx, uint32_t m_cost);
212 static int kdf_argon2_ctx_set_out_length(KDF_ARGON2 *ctx, uint32_t outlen);
213 static int kdf_argon2_ctx_set_secret(KDF_ARGON2 *ctx, const OSSL_PARAM *p);
214 static int kdf_argon2_ctx_set_pwd(KDF_ARGON2 *ctx, const OSSL_PARAM *p);
215 static int kdf_argon2_ctx_set_salt(KDF_ARGON2 *ctx, const OSSL_PARAM *p);
216 static int kdf_argon2_ctx_set_ad(KDF_ARGON2 *ctx, const OSSL_PARAM *p);
217 static int kdf_argon2_set_ctx_params(void *vctx, const OSSL_PARAM params[]);
218 static int kdf_argon2_get_ctx_params(void *vctx, OSSL_PARAM params[]);
219 static int kdf_argon2_ctx_set_version(KDF_ARGON2 *ctx, uint32_t version);
220 static const OSSL_PARAM *kdf_argon2_settable_ctx_params(ossl_unused void *ctx,
221                                                         ossl_unused void *p_ctx);
222 static const OSSL_PARAM *kdf_argon2_gettable_ctx_params(ossl_unused void *ctx,
223                                                         ossl_unused void *p_ctx);
224 
225 static ossl_inline uint64_t load64(const uint8_t *src);
226 static ossl_inline void store32(uint8_t *dst, uint32_t w);
227 static ossl_inline void store64(uint8_t *dst, uint64_t w);
228 static ossl_inline uint64_t rotr64(const uint64_t w, const unsigned int c);
229 static ossl_inline uint64_t mul_lower(uint64_t x, uint64_t y);
230 
231 static void init_block_value(BLOCK *b, uint8_t in);
232 static void copy_block(BLOCK *dst, const BLOCK *src);
233 static void xor_block(BLOCK *dst, const BLOCK *src);
234 static void load_block(BLOCK *dst, const void *input);
235 static void store_block(void *output, const BLOCK *src);
236 static void fill_first_blocks(uint8_t *blockhash, const KDF_ARGON2 *ctx);
237 static void fill_block(const BLOCK *prev, const BLOCK *ref, BLOCK *next,
238                        int with_xor);
239 
240 static void next_addresses(BLOCK *address_block, BLOCK *input_block,
241                            const BLOCK *zero_block);
242 static int data_indep_addressing(const KDF_ARGON2 *ctx, uint32_t pass,
243                                  uint8_t slice);
244 static uint32_t index_alpha(const KDF_ARGON2 *ctx, uint32_t pass,
245                             uint8_t slice, uint32_t index,
246                             uint32_t pseudo_rand, int same_lane);
247 
248 static void fill_segment(const KDF_ARGON2 *ctx, uint32_t pass, uint32_t lane,
249                          uint8_t slice);
250 
251 # if !defined(ARGON2_NO_THREADS)
252 static uint32_t fill_segment_thr(void *thread_data);
253 static int fill_mem_blocks_mt(KDF_ARGON2 *ctx);
254 # endif
255 
256 static int fill_mem_blocks_st(KDF_ARGON2 *ctx);
257 static ossl_inline int fill_memory_blocks(KDF_ARGON2 *ctx);
258 
259 static void initial_hash(uint8_t *blockhash, KDF_ARGON2 *ctx);
260 static int initialize(KDF_ARGON2 *ctx);
261 static void finalize(const KDF_ARGON2 *ctx, void *out);
262 
263 static int blake2b(EVP_MD *md, EVP_MAC *mac, void *out, size_t outlen,
264                    const void *in, size_t inlen, const void *key,
265                    size_t keylen);
266 static int blake2b_long(EVP_MD *md, EVP_MAC *mac, unsigned char *out,
267                         size_t outlen, const void *in, size_t inlen);
268 
load64(const uint8_t * src)269 static ossl_inline uint64_t load64(const uint8_t *src)
270 {
271     return
272       (((uint64_t)src[0]) << 0)
273     | (((uint64_t)src[1]) << 8)
274     | (((uint64_t)src[2]) << 16)
275     | (((uint64_t)src[3]) << 24)
276     | (((uint64_t)src[4]) << 32)
277     | (((uint64_t)src[5]) << 40)
278     | (((uint64_t)src[6]) << 48)
279     | (((uint64_t)src[7]) << 56);
280 }
281 
store32(uint8_t * dst,uint32_t w)282 static ossl_inline void store32(uint8_t *dst, uint32_t w)
283 {
284     dst[0] = (uint8_t)(w >> 0);
285     dst[1] = (uint8_t)(w >> 8);
286     dst[2] = (uint8_t)(w >> 16);
287     dst[3] = (uint8_t)(w >> 24);
288 }
289 
store64(uint8_t * dst,uint64_t w)290 static ossl_inline void store64(uint8_t *dst, uint64_t w)
291 {
292     dst[0] = (uint8_t)(w >> 0);
293     dst[1] = (uint8_t)(w >> 8);
294     dst[2] = (uint8_t)(w >> 16);
295     dst[3] = (uint8_t)(w >> 24);
296     dst[4] = (uint8_t)(w >> 32);
297     dst[5] = (uint8_t)(w >> 40);
298     dst[6] = (uint8_t)(w >> 48);
299     dst[7] = (uint8_t)(w >> 56);
300 }
301 
rotr64(const uint64_t w,const unsigned int c)302 static ossl_inline uint64_t rotr64(const uint64_t w, const unsigned int c)
303 {
304     return (w >> c) | (w << (64 - c));
305 }
306 
mul_lower(uint64_t x,uint64_t y)307 static ossl_inline uint64_t mul_lower(uint64_t x, uint64_t y)
308 {
309     const uint64_t m = 0xFFFFFFFFUL;
310     return (x & m) * (y & m);
311 }
312 
init_block_value(BLOCK * b,uint8_t in)313 static void init_block_value(BLOCK *b, uint8_t in)
314 {
315     memset(b->v, in, sizeof(b->v));
316 }
317 
copy_block(BLOCK * dst,const BLOCK * src)318 static void copy_block(BLOCK *dst, const BLOCK *src)
319 {
320     memcpy(dst->v, src->v, sizeof(uint64_t) * ARGON2_QWORDS_IN_BLOCK);
321 }
322 
xor_block(BLOCK * dst,const BLOCK * src)323 static void xor_block(BLOCK *dst, const BLOCK *src)
324 {
325     int i;
326 
327     for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i)
328         dst->v[i] ^= src->v[i];
329 }
330 
load_block(BLOCK * dst,const void * input)331 static void load_block(BLOCK *dst, const void *input)
332 {
333     unsigned i;
334 
335     for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i)
336         dst->v[i] = load64((const uint8_t *)input + i * sizeof(dst->v[i]));
337 }
338 
store_block(void * output,const BLOCK * src)339 static void store_block(void *output, const BLOCK *src)
340 {
341     unsigned i;
342 
343     for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i)
344         store64((uint8_t *)output + i * sizeof(src->v[i]), src->v[i]);
345 }
346 
fill_first_blocks(uint8_t * blockhash,const KDF_ARGON2 * ctx)347 static void fill_first_blocks(uint8_t *blockhash, const KDF_ARGON2 *ctx)
348 {
349     uint32_t l;
350     uint8_t blockhash_bytes[ARGON2_BLOCK_SIZE];
351 
352     /*
353      * Make the first and second block in each lane as G(H0||0||i)
354      * or G(H0||1||i).
355      */
356     for (l = 0; l < ctx->lanes; ++l) {
357         store32(blockhash + ARGON2_PREHASH_DIGEST_LENGTH, 0);
358         store32(blockhash + ARGON2_PREHASH_DIGEST_LENGTH + 4, l);
359         blake2b_long(ctx->md, ctx->mac, blockhash_bytes, ARGON2_BLOCK_SIZE,
360                      blockhash, ARGON2_PREHASH_SEED_LENGTH);
361         load_block(&ctx->memory[l * ctx->lane_length + 0],
362                    blockhash_bytes);
363         store32(blockhash + ARGON2_PREHASH_DIGEST_LENGTH, 1);
364         blake2b_long(ctx->md, ctx->mac, blockhash_bytes, ARGON2_BLOCK_SIZE,
365                      blockhash, ARGON2_PREHASH_SEED_LENGTH);
366         load_block(&ctx->memory[l * ctx->lane_length + 1],
367                    blockhash_bytes);
368     }
369     OPENSSL_cleanse(blockhash_bytes, ARGON2_BLOCK_SIZE);
370 }
371 
fill_block(const BLOCK * prev,const BLOCK * ref,BLOCK * next,int with_xor)372 static void fill_block(const BLOCK *prev, const BLOCK *ref,
373                        BLOCK *next, int with_xor)
374 {
375     BLOCK blockR, tmp;
376     unsigned i;
377 
378     copy_block(&blockR, ref);
379     xor_block(&blockR, prev);
380     copy_block(&tmp, &blockR);
381 
382     if (with_xor)
383         xor_block(&tmp, next);
384 
385     for (i = 0; i < 8; ++i)
386         PERMUTATION_P_COLUMN(blockR.v, i);
387 
388     for (i = 0; i < 8; ++i)
389         PERMUTATION_P_ROW(blockR.v, i);
390 
391     copy_block(next, &tmp);
392     xor_block(next, &blockR);
393 }
394 
next_addresses(BLOCK * address_block,BLOCK * input_block,const BLOCK * zero_block)395 static void next_addresses(BLOCK *address_block, BLOCK *input_block,
396                            const BLOCK *zero_block)
397 {
398     input_block->v[6]++;
399     fill_block(zero_block, input_block, address_block, 0);
400     fill_block(zero_block, address_block, address_block, 0);
401 }
402 
data_indep_addressing(const KDF_ARGON2 * ctx,uint32_t pass,uint8_t slice)403 static int data_indep_addressing(const KDF_ARGON2 *ctx, uint32_t pass,
404                                  uint8_t slice)
405 {
406     switch (ctx->type) {
407     case ARGON2_I:
408         return 1;
409     case ARGON2_ID:
410         return (pass == 0) && (slice < ARGON2_SYNC_POINTS / 2);
411     case ARGON2_D:
412     default:
413         return 0;
414     }
415 }
416 
417 /*
418  * Pass 0 (pass = 0):
419  * This lane: all already finished segments plus already constructed blocks
420  *            in this segment
421  * Other lanes: all already finished segments
422  *
423  * Pass 1+:
424  * This lane: (SYNC_POINTS - 1) last segments plus already constructed
425  *            blocks in this segment
426  * Other lanes: (SYNC_POINTS - 1) last segments
427  */
index_alpha(const KDF_ARGON2 * ctx,uint32_t pass,uint8_t slice,uint32_t index,uint32_t pseudo_rand,int same_lane)428 static uint32_t index_alpha(const KDF_ARGON2 *ctx, uint32_t pass,
429                             uint8_t slice, uint32_t index,
430                             uint32_t pseudo_rand, int same_lane)
431 {
432     uint32_t ref_area_sz;
433     uint64_t rel_pos;
434     uint32_t start_pos, abs_pos;
435 
436     start_pos = 0;
437     switch (pass) {
438     case 0:
439         if (slice == 0)
440             ref_area_sz = index - 1;
441         else if (same_lane)
442             ref_area_sz = slice * ctx->segment_length + index - 1;
443         else
444             ref_area_sz = slice * ctx->segment_length +
445                 ((index == 0) ? (-1) : 0);
446         break;
447     default:
448         if (same_lane)
449             ref_area_sz = ctx->lane_length - ctx->segment_length + index - 1;
450         else
451             ref_area_sz = ctx->lane_length - ctx->segment_length +
452                 ((index == 0) ? (-1) : 0);
453         if (slice != ARGON2_SYNC_POINTS - 1)
454             start_pos = (slice + 1) * ctx->segment_length;
455         break;
456     }
457 
458     rel_pos = pseudo_rand;
459     rel_pos = rel_pos * rel_pos >> 32;
460     rel_pos = ref_area_sz - 1 - (ref_area_sz * rel_pos >> 32);
461     abs_pos = (start_pos + rel_pos) % ctx->lane_length;
462 
463     return abs_pos;
464 }
465 
fill_segment(const KDF_ARGON2 * ctx,uint32_t pass,uint32_t lane,uint8_t slice)466 static void fill_segment(const KDF_ARGON2 *ctx, uint32_t pass, uint32_t lane,
467                          uint8_t slice)
468 {
469     BLOCK *ref_block = NULL, *curr_block = NULL;
470     BLOCK address_block, input_block, zero_block;
471     uint64_t rnd, ref_index, ref_lane;
472     uint32_t prev_offset;
473     uint32_t start_idx;
474     uint32_t j;
475     uint32_t curr_offset; /* Offset of the current block */
476 
477     memset(&input_block, 0, sizeof(BLOCK));
478 
479     if (ctx == NULL)
480         return;
481 
482     if (data_indep_addressing(ctx, pass, slice)) {
483         init_block_value(&zero_block, 0);
484         init_block_value(&input_block, 0);
485 
486         input_block.v[0] = pass;
487         input_block.v[1] = lane;
488         input_block.v[2] = slice;
489         input_block.v[3] = ctx->memory_blocks;
490         input_block.v[4] = ctx->passes;
491         input_block.v[5] = ctx->type;
492     }
493 
494     start_idx = 0;
495 
496     /* We've generated the first two blocks. Generate the 1st block of addrs. */
497     if ((pass == 0) && (slice == 0)) {
498         start_idx = 2;
499         if (data_indep_addressing(ctx, pass, slice))
500             next_addresses(&address_block, &input_block, &zero_block);
501     }
502 
503     curr_offset = lane * ctx->lane_length + slice * ctx->segment_length
504         + start_idx;
505 
506     if ((curr_offset % ctx->lane_length) == 0)
507         prev_offset = curr_offset + ctx->lane_length - 1;
508     else
509         prev_offset = curr_offset - 1;
510 
511     for (j = start_idx; j < ctx->segment_length; ++j, ++curr_offset, ++prev_offset) {
512         if (curr_offset % ctx->lane_length == 1)
513             prev_offset = curr_offset - 1;
514 
515         /* Taking pseudo-random value from the previous block. */
516         if (data_indep_addressing(ctx, pass, slice)) {
517             if (j % ARGON2_ADDRESSES_IN_BLOCK == 0)
518                 next_addresses(&address_block, &input_block, &zero_block);
519             rnd = address_block.v[j % ARGON2_ADDRESSES_IN_BLOCK];
520         } else {
521             rnd = ctx->memory[prev_offset].v[0];
522         }
523 
524         /* Computing the lane of the reference block */
525         ref_lane = ((rnd >> 32)) % ctx->lanes;
526         /* Can not reference other lanes yet */
527         if ((pass == 0) && (slice == 0))
528             ref_lane = lane;
529 
530         /* Computing the number of possible reference block within the lane. */
531         ref_index = index_alpha(ctx, pass, slice, j, rnd & 0xFFFFFFFF,
532                                 ref_lane == lane);
533 
534         /* Creating a new block */
535         ref_block = ctx->memory + ctx->lane_length * ref_lane + ref_index;
536         curr_block = ctx->memory + curr_offset;
537         if (ARGON2_VERSION_10 == ctx->version) {
538             /* Version 1.2.1 and earlier: overwrite, not XOR */
539             fill_block(ctx->memory + prev_offset, ref_block, curr_block, 0);
540             continue;
541         }
542 
543         fill_block(ctx->memory + prev_offset, ref_block, curr_block,
544                    pass == 0 ? 0 : 1);
545     }
546 }
547 
548 # if !defined(ARGON2_NO_THREADS)
549 
fill_segment_thr(void * thread_data)550 static uint32_t fill_segment_thr(void *thread_data)
551 {
552     ARGON2_THREAD_DATA *my_data;
553 
554     my_data = (ARGON2_THREAD_DATA *) thread_data;
555     fill_segment(my_data->ctx, my_data->pos.pass, my_data->pos.lane,
556                  my_data->pos.slice);
557 
558     return 0;
559 }
560 
fill_mem_blocks_mt(KDF_ARGON2 * ctx)561 static int fill_mem_blocks_mt(KDF_ARGON2 *ctx)
562 {
563     uint32_t r, s, l, ll;
564     void **t;
565     ARGON2_THREAD_DATA *t_data;
566 
567     t = OPENSSL_zalloc(sizeof(void *)*ctx->lanes);
568     t_data = OPENSSL_zalloc(ctx->lanes * sizeof(ARGON2_THREAD_DATA));
569 
570     if (t == NULL || t_data == NULL)
571         goto fail;
572 
573     for (r = 0; r < ctx->passes; ++r) {
574         for (s = 0; s < ARGON2_SYNC_POINTS; ++s) {
575             for (l = 0; l < ctx->lanes; ++l) {
576                 ARGON2_POS p;
577                 if (l >= ctx->threads) {
578                     if (ossl_crypto_thread_join(t[l - ctx->threads], NULL) == 0)
579                         goto fail;
580                     if (ossl_crypto_thread_clean(t[l - ctx->threads]) == 0)
581                         goto fail;
582                     t[l] = NULL;
583                 }
584 
585                 p.pass = r;
586                 p.lane = l;
587                 p.slice = (uint8_t)s;
588                 p.index = 0;
589 
590                 t_data[l].ctx = ctx;
591                 memcpy(&(t_data[l].pos), &p, sizeof(ARGON2_POS));
592                 t[l] = ossl_crypto_thread_start(ctx->libctx, &fill_segment_thr,
593                                                 (void *) &t_data[l]);
594                 if (t[l] == NULL) {
595                     for (ll = 0; ll < l; ++ll) {
596                         if (ossl_crypto_thread_join(t[ll], NULL) == 0)
597                             goto fail;
598                         if (ossl_crypto_thread_clean(t[ll]) == 0)
599                             goto fail;
600                         t[ll] = NULL;
601                     }
602                     goto fail;
603                 }
604             }
605             for (l = ctx->lanes - ctx->threads; l < ctx->lanes; ++l) {
606                 if (ossl_crypto_thread_join(t[l], NULL) == 0)
607                     goto fail;
608                 if (ossl_crypto_thread_clean(t[l]) == 0)
609                     goto fail;
610                 t[l] = NULL;
611             }
612         }
613     }
614 
615     OPENSSL_free(t_data);
616     OPENSSL_free(t);
617 
618     return 1;
619 
620 fail:
621     if (t_data != NULL)
622         OPENSSL_free(t_data);
623     if (t != NULL)
624         OPENSSL_free(t);
625     return 0;
626 }
627 
628 # endif /* !defined(ARGON2_NO_THREADS) */
629 
fill_mem_blocks_st(KDF_ARGON2 * ctx)630 static int fill_mem_blocks_st(KDF_ARGON2 *ctx)
631 {
632     uint32_t r, s, l;
633 
634     for (r = 0; r < ctx->passes; ++r)
635         for (s = 0; s < ARGON2_SYNC_POINTS; ++s)
636             for (l = 0; l < ctx->lanes; ++l)
637                 fill_segment(ctx, r, l, s);
638     return 1;
639 }
640 
fill_memory_blocks(KDF_ARGON2 * ctx)641 static ossl_inline int fill_memory_blocks(KDF_ARGON2 *ctx)
642 {
643 # if !defined(ARGON2_NO_THREADS)
644     return ctx->threads == 1 ? fill_mem_blocks_st(ctx) : fill_mem_blocks_mt(ctx);
645 # else
646     return ctx->threads == 1 ? fill_mem_blocks_st(ctx) : 0;
647 # endif
648 }
649 
initial_hash(uint8_t * blockhash,KDF_ARGON2 * ctx)650 static void initial_hash(uint8_t *blockhash, KDF_ARGON2 *ctx)
651 {
652     EVP_MD_CTX *mdctx;
653     uint8_t value[sizeof(uint32_t)];
654     unsigned int tmp;
655     uint32_t args[7];
656 
657     if (ctx == NULL || blockhash == NULL)
658         return;
659 
660     args[0] = ctx->lanes;
661     args[1] = ctx->outlen;
662     args[2] = ctx->m_cost;
663     args[3] = ctx->t_cost;
664     args[4] = ctx->version;
665     args[5] = (uint32_t) ctx->type;
666     args[6] = ctx->pwdlen;
667 
668     mdctx = EVP_MD_CTX_create();
669     if (mdctx == NULL || EVP_DigestInit_ex(mdctx, ctx->md, NULL) != 1)
670         goto fail;
671 
672     for (tmp = 0; tmp < sizeof(args) / sizeof(uint32_t); ++tmp) {
673         store32((uint8_t *) &value, args[tmp]);
674         if (EVP_DigestUpdate(mdctx, &value, sizeof(value)) != 1)
675             goto fail;
676     }
677 
678     if (ctx->pwd != NULL) {
679         if (EVP_DigestUpdate(mdctx, ctx->pwd, ctx->pwdlen) != 1)
680             goto fail;
681         if (ctx->early_clean) {
682             OPENSSL_cleanse(ctx->pwd, ctx->pwdlen);
683             ctx->pwdlen = 0;
684         }
685     }
686 
687     store32((uint8_t *) &value, ctx->saltlen);
688 
689     if (EVP_DigestUpdate(mdctx, &value, sizeof(value)) != 1)
690         goto fail;
691 
692     if (ctx->salt != NULL)
693         if (EVP_DigestUpdate(mdctx, ctx->salt, ctx->saltlen) != 1)
694             goto fail;
695 
696     store32((uint8_t *) &value, ctx->secretlen);
697     if (EVP_DigestUpdate(mdctx, &value, sizeof(value)) != 1)
698         goto fail;
699 
700     if (ctx->secret != NULL) {
701         if (EVP_DigestUpdate(mdctx, ctx->secret, ctx->secretlen) != 1)
702             goto fail;
703         if (ctx->early_clean) {
704             OPENSSL_cleanse(ctx->secret, ctx->secretlen);
705             ctx->secretlen = 0;
706         }
707     }
708 
709     store32((uint8_t *) &value, ctx->adlen);
710     if (EVP_DigestUpdate(mdctx, &value, sizeof(value)) != 1)
711         goto fail;
712 
713     if (ctx->ad != NULL)
714         if (EVP_DigestUpdate(mdctx, ctx->ad, ctx->adlen) != 1)
715             goto fail;
716 
717     tmp = ARGON2_PREHASH_DIGEST_LENGTH;
718     if (EVP_DigestFinal_ex(mdctx, blockhash, &tmp) != 1)
719         goto fail;
720 
721 fail:
722     EVP_MD_CTX_destroy(mdctx);
723 }
724 
initialize(KDF_ARGON2 * ctx)725 static int initialize(KDF_ARGON2 *ctx)
726 {
727     uint8_t blockhash[ARGON2_PREHASH_SEED_LENGTH];
728 
729     if (ctx == NULL)
730         return 0;
731 
732     if (ctx->memory_blocks * sizeof(BLOCK) / sizeof(BLOCK) != ctx->memory_blocks)
733         return 0;
734 
735     if (ctx->type != ARGON2_D)
736         ctx->memory = OPENSSL_secure_zalloc(ctx->memory_blocks *
737                                             sizeof(BLOCK));
738     else
739         ctx->memory = OPENSSL_zalloc(ctx->memory_blocks *
740                                      sizeof(BLOCK));
741 
742     if (ctx->memory == NULL) {
743         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MEMORY_SIZE,
744                        "cannot allocate required memory");
745         return 0;
746     }
747 
748     initial_hash(blockhash, ctx);
749     OPENSSL_cleanse(blockhash + ARGON2_PREHASH_DIGEST_LENGTH,
750                     ARGON2_PREHASH_SEED_LENGTH - ARGON2_PREHASH_DIGEST_LENGTH);
751     fill_first_blocks(blockhash, ctx);
752     OPENSSL_cleanse(blockhash, ARGON2_PREHASH_SEED_LENGTH);
753 
754     return 1;
755 }
756 
finalize(const KDF_ARGON2 * ctx,void * out)757 static void finalize(const KDF_ARGON2 *ctx, void *out)
758 {
759     BLOCK blockhash;
760     uint8_t blockhash_bytes[ARGON2_BLOCK_SIZE];
761     uint32_t last_block_in_lane;
762     uint32_t l;
763 
764     if (ctx == NULL)
765         return;
766 
767     copy_block(&blockhash, ctx->memory + ctx->lane_length - 1);
768 
769     /* XOR the last blocks */
770     for (l = 1; l < ctx->lanes; ++l) {
771         last_block_in_lane = l * ctx->lane_length + (ctx->lane_length - 1);
772         xor_block(&blockhash, ctx->memory + last_block_in_lane);
773     }
774 
775     /* Hash the result */
776     store_block(blockhash_bytes, &blockhash);
777     blake2b_long(ctx->md, ctx->mac, out, ctx->outlen, blockhash_bytes,
778                  ARGON2_BLOCK_SIZE);
779     OPENSSL_cleanse(blockhash.v, ARGON2_BLOCK_SIZE);
780     OPENSSL_cleanse(blockhash_bytes, ARGON2_BLOCK_SIZE);
781 
782     if (ctx->type != ARGON2_D)
783         OPENSSL_secure_clear_free(ctx->memory,
784                                   ctx->memory_blocks * sizeof(BLOCK));
785     else
786         OPENSSL_clear_free(ctx->memory,
787                            ctx->memory_blocks * sizeof(BLOCK));
788 }
789 
blake2b_mac(EVP_MAC * mac,void * out,size_t outlen,const void * in,size_t inlen,const void * key,size_t keylen)790 static int blake2b_mac(EVP_MAC *mac, void *out, size_t outlen, const void *in,
791                        size_t inlen, const void *key, size_t keylen)
792 {
793     int ret = 0;
794     size_t par_n = 0, out_written;
795     EVP_MAC_CTX *ctx = NULL;
796     OSSL_PARAM par[3];
797 
798     if ((ctx = EVP_MAC_CTX_new(mac)) == NULL)
799         goto fail;
800 
801     par[par_n++] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
802                                                      (void *) key, keylen);
803     par[par_n++] = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE, &outlen);
804     par[par_n++] = OSSL_PARAM_construct_end();
805 
806     ret = EVP_MAC_CTX_set_params(ctx, par) == 1
807         && EVP_MAC_init(ctx, NULL, 0, NULL) == 1
808         && EVP_MAC_update(ctx, in, inlen) == 1
809         && EVP_MAC_final(ctx, out, (size_t *) &out_written, outlen) == 1;
810 
811 fail:
812     EVP_MAC_CTX_free(ctx);
813     return ret;
814 }
815 
blake2b_md(EVP_MD * md,void * out,size_t outlen,const void * in,size_t inlen)816 static int blake2b_md(EVP_MD *md, void *out, size_t outlen, const void *in,
817                       size_t inlen)
818 {
819     int ret = 0;
820     EVP_MD_CTX *ctx = NULL;
821     OSSL_PARAM par[2];
822 
823     if ((ctx = EVP_MD_CTX_create()) == NULL)
824         return 0;
825 
826     par[0] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_SIZE, &outlen);
827     par[1] = OSSL_PARAM_construct_end();
828 
829     ret = EVP_DigestInit_ex2(ctx, md, par) == 1
830         && EVP_DigestUpdate(ctx, in, inlen) == 1
831         && EVP_DigestFinal_ex(ctx, out, NULL) == 1;
832 
833     EVP_MD_CTX_free(ctx);
834     return ret;
835 }
836 
blake2b(EVP_MD * md,EVP_MAC * mac,void * out,size_t outlen,const void * in,size_t inlen,const void * key,size_t keylen)837 static int blake2b(EVP_MD *md, EVP_MAC *mac, void *out, size_t outlen,
838                    const void *in, size_t inlen, const void *key, size_t keylen)
839 {
840     if (out == NULL || outlen == 0)
841         return 0;
842 
843     if (key == NULL || keylen == 0)
844         return blake2b_md(md, out, outlen, in, inlen);
845 
846     return blake2b_mac(mac, out, outlen, in, inlen, key, keylen);
847 }
848 
blake2b_long(EVP_MD * md,EVP_MAC * mac,unsigned char * out,size_t outlen,const void * in,size_t inlen)849 static int blake2b_long(EVP_MD *md, EVP_MAC *mac, unsigned char *out,
850                         size_t outlen, const void *in, size_t inlen)
851 {
852     int ret = 0;
853     EVP_MD_CTX *ctx = NULL;
854     uint32_t outlen_curr;
855     uint8_t outbuf[BLAKE2B_OUTBYTES];
856     uint8_t inbuf[BLAKE2B_OUTBYTES];
857     uint8_t outlen_bytes[sizeof(uint32_t)] = {0};
858     OSSL_PARAM par[2];
859     size_t outlen_md;
860 
861     if (out == NULL || outlen == 0)
862         return 0;
863 
864     /* Ensure little-endian byte order */
865     store32(outlen_bytes, (uint32_t)outlen);
866 
867     if ((ctx = EVP_MD_CTX_create()) == NULL)
868         return 0;
869 
870     outlen_md = (outlen <= BLAKE2B_OUTBYTES) ? outlen : BLAKE2B_OUTBYTES;
871     par[0] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_SIZE, &outlen_md);
872     par[1] = OSSL_PARAM_construct_end();
873 
874     ret = EVP_DigestInit_ex2(ctx, md, par) == 1
875         && EVP_DigestUpdate(ctx, outlen_bytes, sizeof(outlen_bytes)) == 1
876         && EVP_DigestUpdate(ctx, in, inlen) == 1
877         && EVP_DigestFinal_ex(ctx, (outlen > BLAKE2B_OUTBYTES) ? outbuf : out,
878                               NULL) == 1;
879 
880     if (ret == 0)
881         goto fail;
882 
883     if (outlen > BLAKE2B_OUTBYTES) {
884         memcpy(out, outbuf, BLAKE2B_OUTBYTES / 2);
885         out += BLAKE2B_OUTBYTES / 2;
886         outlen_curr = (uint32_t) outlen - BLAKE2B_OUTBYTES / 2;
887 
888         while (outlen_curr > BLAKE2B_OUTBYTES) {
889             memcpy(inbuf, outbuf, BLAKE2B_OUTBYTES);
890             if (blake2b(md, mac, outbuf, BLAKE2B_OUTBYTES, inbuf,
891                         BLAKE2B_OUTBYTES, NULL, 0) != 1)
892                 goto fail;
893             memcpy(out, outbuf, BLAKE2B_OUTBYTES / 2);
894             out += BLAKE2B_OUTBYTES / 2;
895             outlen_curr -= BLAKE2B_OUTBYTES / 2;
896         }
897 
898         memcpy(inbuf, outbuf, BLAKE2B_OUTBYTES);
899         if (blake2b(md, mac, outbuf, outlen_curr, inbuf, BLAKE2B_OUTBYTES,
900                     NULL, 0) != 1)
901             goto fail;
902         memcpy(out, outbuf, outlen_curr);
903     }
904     ret = 1;
905 
906 fail:
907     EVP_MD_CTX_free(ctx);
908     return ret;
909 }
910 
kdf_argon2_init(KDF_ARGON2 * c,ARGON2_TYPE type)911 static void kdf_argon2_init(KDF_ARGON2 *c, ARGON2_TYPE type)
912 {
913     OSSL_LIB_CTX *libctx;
914 
915     libctx = c->libctx;
916     memset(c, 0, sizeof(*c));
917 
918     c->libctx = libctx;
919     c->outlen = ARGON2_DEFAULT_OUTLEN;
920     c->t_cost = ARGON2_DEFAULT_T_COST;
921     c->m_cost = ARGON2_DEFAULT_M_COST;
922     c->lanes = ARGON2_DEFAULT_LANES;
923     c->threads = ARGON2_DEFAULT_THREADS;
924     c->version = ARGON2_DEFAULT_VERSION;
925     c->type = type;
926 }
927 
kdf_argon2d_new(void * provctx)928 static void *kdf_argon2d_new(void *provctx)
929 {
930     KDF_ARGON2 *ctx;
931 
932     if (!ossl_prov_is_running())
933         return NULL;
934 
935     ctx = OPENSSL_zalloc(sizeof(*ctx));
936     if (ctx == NULL) {
937         ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
938         return NULL;
939     }
940 
941     ctx->libctx = PROV_LIBCTX_OF(provctx);
942 
943     kdf_argon2_init(ctx, ARGON2_D);
944     return ctx;
945 }
946 
kdf_argon2i_new(void * provctx)947 static void *kdf_argon2i_new(void *provctx)
948 {
949     KDF_ARGON2 *ctx;
950 
951     if (!ossl_prov_is_running())
952         return NULL;
953 
954     ctx = OPENSSL_zalloc(sizeof(*ctx));
955     if (ctx == NULL) {
956         ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
957         return NULL;
958     }
959 
960     ctx->libctx = PROV_LIBCTX_OF(provctx);
961 
962     kdf_argon2_init(ctx, ARGON2_I);
963     return ctx;
964 }
965 
kdf_argon2id_new(void * provctx)966 static void *kdf_argon2id_new(void *provctx)
967 {
968     KDF_ARGON2 *ctx;
969 
970     if (!ossl_prov_is_running())
971         return NULL;
972 
973     ctx = OPENSSL_zalloc(sizeof(*ctx));
974     if (ctx == NULL) {
975         ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
976         return NULL;
977     }
978 
979     ctx->libctx = PROV_LIBCTX_OF(provctx);
980 
981     kdf_argon2_init(ctx, ARGON2_ID);
982     return ctx;
983 }
984 
kdf_argon2_free(void * vctx)985 static void kdf_argon2_free(void *vctx)
986 {
987     KDF_ARGON2 *ctx = (KDF_ARGON2 *)vctx;
988 
989     if (ctx == NULL)
990         return;
991 
992     if (ctx->pwd != NULL)
993         OPENSSL_clear_free(ctx->pwd, ctx->pwdlen);
994 
995     if (ctx->salt != NULL)
996         OPENSSL_clear_free(ctx->salt, ctx->saltlen);
997 
998     if (ctx->secret != NULL)
999         OPENSSL_clear_free(ctx->secret, ctx->secretlen);
1000 
1001     if (ctx->ad != NULL)
1002         OPENSSL_clear_free(ctx->ad, ctx->adlen);
1003 
1004     EVP_MD_free(ctx->md);
1005     EVP_MAC_free(ctx->mac);
1006 
1007     OPENSSL_free(ctx->propq);
1008 
1009     memset(ctx, 0, sizeof(*ctx));
1010 
1011     OPENSSL_free(ctx);
1012 }
1013 
kdf_argon2_derive(void * vctx,unsigned char * out,size_t outlen,const OSSL_PARAM params[])1014 static int kdf_argon2_derive(void *vctx, unsigned char *out, size_t outlen,
1015                              const OSSL_PARAM params[])
1016 {
1017     KDF_ARGON2 *ctx;
1018     uint32_t memory_blocks, segment_length;
1019 
1020     ctx = (KDF_ARGON2 *)vctx;
1021 
1022     if (!ossl_prov_is_running() || !kdf_argon2_set_ctx_params(vctx, params))
1023         return 0;
1024 
1025     if (ctx->mac == NULL)
1026         ctx->mac = EVP_MAC_fetch(ctx->libctx, "blake2bmac", ctx->propq);
1027     if (ctx->mac == NULL) {
1028         ERR_raise_data(ERR_LIB_PROV, PROV_R_MISSING_MAC,
1029                        "cannot fetch blake2bmac");
1030         return 0;
1031     }
1032 
1033     if (ctx->md == NULL)
1034         ctx->md = EVP_MD_fetch(ctx->libctx, "blake2b512", ctx->propq);
1035     if (ctx->md == NULL) {
1036         ERR_raise_data(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST,
1037                        "cannot fetch blake2b512");
1038         return 0;
1039     }
1040 
1041     if (ctx->salt == NULL || ctx->saltlen == 0) {
1042         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT);
1043         return 0;
1044     }
1045 
1046     if (outlen != ctx->outlen) {
1047         if (OSSL_PARAM_locate((OSSL_PARAM *)params, "size") != NULL) {
1048             ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
1049             return 0;
1050         }
1051         if (!kdf_argon2_ctx_set_out_length(ctx, (uint32_t) outlen))
1052             return 0;
1053     }
1054 
1055     switch (ctx->type) {
1056     case ARGON2_D:
1057     case ARGON2_I:
1058     case ARGON2_ID:
1059         break;
1060     default:
1061         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MODE, "invalid Argon2 type");
1062         return 0;
1063     }
1064 
1065     if (ctx->threads > 1) {
1066 # ifdef ARGON2_NO_THREADS
1067         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,
1068                        "requested %u threads, single-threaded mode supported only",
1069                        ctx->threads);
1070         return 0;
1071 # else
1072         if (ctx->threads > ossl_get_avail_threads(ctx->libctx)) {
1073             ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,
1074                            "requested %u threads, available: %u",
1075                            ctx->threads, ossl_get_avail_threads(ctx->libctx));
1076             return 0;
1077         }
1078 # endif
1079         if (ctx->threads > ctx->lanes) {
1080             ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,
1081                            "requested more threads (%u) than lanes (%u)",
1082                            ctx->threads, ctx->lanes);
1083             return 0;
1084         }
1085     }
1086 
1087     if (ctx->m_cost < 8 * ctx->lanes) {
1088         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MEMORY_SIZE,
1089                        "m_cost must be greater or equal than 8 times the number of lanes");
1090         return 0;
1091     }
1092 
1093     memory_blocks = ctx->m_cost;
1094     if (memory_blocks < 2 * ARGON2_SYNC_POINTS * ctx->lanes)
1095         memory_blocks = 2 * ARGON2_SYNC_POINTS * ctx->lanes;
1096 
1097     /* Ensure that all segments have equal length */
1098     segment_length = memory_blocks / (ctx->lanes * ARGON2_SYNC_POINTS);
1099     memory_blocks = segment_length * (ctx->lanes * ARGON2_SYNC_POINTS);
1100 
1101     ctx->memory = NULL;
1102     ctx->memory_blocks = memory_blocks;
1103     ctx->segment_length = segment_length;
1104     ctx->passes = ctx->t_cost;
1105     ctx->lane_length = segment_length * ARGON2_SYNC_POINTS;
1106 
1107     if (initialize(ctx) != 1)
1108         return 0;
1109 
1110     if (fill_memory_blocks(ctx) != 1)
1111         return 0;
1112 
1113     finalize(ctx, out);
1114 
1115     return 1;
1116 }
1117 
kdf_argon2_reset(void * vctx)1118 static void kdf_argon2_reset(void *vctx)
1119 {
1120     OSSL_LIB_CTX *libctx;
1121     KDF_ARGON2 *ctx;
1122     ARGON2_TYPE type;
1123 
1124     ctx = (KDF_ARGON2 *) vctx;
1125     type = ctx->type;
1126     libctx = ctx->libctx;
1127 
1128     EVP_MD_free(ctx->md);
1129     EVP_MAC_free(ctx->mac);
1130 
1131     OPENSSL_free(ctx->propq);
1132 
1133     if (ctx->pwd != NULL)
1134         OPENSSL_clear_free(ctx->pwd, ctx->pwdlen);
1135 
1136     if (ctx->salt != NULL)
1137         OPENSSL_clear_free(ctx->salt, ctx->saltlen);
1138 
1139     if (ctx->secret != NULL)
1140         OPENSSL_clear_free(ctx->secret, ctx->secretlen);
1141 
1142     if (ctx->ad != NULL)
1143         OPENSSL_clear_free(ctx->ad, ctx->adlen);
1144 
1145     memset(ctx, 0, sizeof(*ctx));
1146     ctx->libctx = libctx;
1147     kdf_argon2_init(ctx, type);
1148 }
1149 
kdf_argon2_ctx_set_threads(KDF_ARGON2 * ctx,uint32_t threads)1150 static int kdf_argon2_ctx_set_threads(KDF_ARGON2 *ctx, uint32_t threads)
1151 {
1152     if (threads < ARGON2_MIN_THREADS) {
1153         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,
1154                        "min threads: %u", ARGON2_MIN_THREADS);
1155         return 0;
1156     }
1157 
1158     if (threads > ARGON2_MAX_THREADS) {
1159         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,
1160                        "max threads: %u", ARGON2_MAX_THREADS);
1161         return 0;
1162     }
1163 
1164     ctx->threads = threads;
1165     return 1;
1166 }
1167 
kdf_argon2_ctx_set_lanes(KDF_ARGON2 * ctx,uint32_t lanes)1168 static int kdf_argon2_ctx_set_lanes(KDF_ARGON2 *ctx, uint32_t lanes)
1169 {
1170     if (lanes > ARGON2_MAX_LANES) {
1171         ERR_raise_data(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER,
1172                        "max lanes: %u", ARGON2_MAX_LANES);
1173         return 0;
1174     }
1175 
1176     if (lanes < ARGON2_MIN_LANES) {
1177         ERR_raise_data(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER,
1178                        "min lanes: %u", ARGON2_MIN_LANES);
1179         return 0;
1180     }
1181 
1182     ctx->lanes = lanes;
1183     return 1;
1184 }
1185 
kdf_argon2_ctx_set_t_cost(KDF_ARGON2 * ctx,uint32_t t_cost)1186 static int kdf_argon2_ctx_set_t_cost(KDF_ARGON2 *ctx, uint32_t t_cost)
1187 {
1188     /* ARGON2_MAX_MEMORY == max m_cost value, so skip check  */
1189 
1190     if (t_cost < ARGON2_MIN_TIME) {
1191         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_ITERATION_COUNT,
1192                        "min: %u", ARGON2_MIN_TIME);
1193         return 0;
1194     }
1195 
1196     ctx->t_cost = t_cost;
1197     return 1;
1198 }
1199 
kdf_argon2_ctx_set_m_cost(KDF_ARGON2 * ctx,uint32_t m_cost)1200 static int kdf_argon2_ctx_set_m_cost(KDF_ARGON2 *ctx, uint32_t m_cost)
1201 {
1202     /* ARGON2_MAX_MEMORY == max m_cost value, so skip check */
1203 
1204     if (m_cost < ARGON2_MIN_MEMORY) {
1205         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MEMORY_SIZE, "min: %u",
1206                        ARGON2_MIN_MEMORY);
1207         return 0;
1208     }
1209 
1210     ctx->m_cost = m_cost;
1211     return 1;
1212 }
1213 
kdf_argon2_ctx_set_out_length(KDF_ARGON2 * ctx,uint32_t outlen)1214 static int kdf_argon2_ctx_set_out_length(KDF_ARGON2 *ctx, uint32_t outlen)
1215 {
1216     /*
1217      * ARGON2_MAX_OUT_LENGTH == max outlen value, so upper bounds checks
1218      * are always satisfied; to suppress compiler if statement tautology
1219      * warnings, these checks are skipped.
1220      */
1221 
1222     if (outlen < ARGON2_MIN_OUT_LENGTH) {
1223         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH, "min: %u",
1224                        ARGON2_MIN_OUT_LENGTH);
1225         return 0;
1226     }
1227 
1228     ctx->outlen = outlen;
1229     return 1;
1230 }
1231 
kdf_argon2_ctx_set_secret(KDF_ARGON2 * ctx,const OSSL_PARAM * p)1232 static int kdf_argon2_ctx_set_secret(KDF_ARGON2 *ctx, const OSSL_PARAM *p)
1233 {
1234     size_t buflen;
1235 
1236     if (p->data == NULL)
1237         return 0;
1238 
1239     if (ctx->secret != NULL) {
1240         OPENSSL_clear_free(ctx->secret, ctx->secretlen);
1241         ctx->secret = NULL;
1242         ctx->secretlen = 0U;
1243     }
1244 
1245     if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->secret, 0, &buflen))
1246         return 0;
1247 
1248     if (buflen > ARGON2_MAX_SECRET) {
1249         OPENSSL_free(ctx->secret);
1250         ctx->secret = NULL;
1251         ctx->secretlen = 0U;
1252         return 0;
1253     }
1254 
1255     ctx->secretlen = (uint32_t) buflen;
1256     return 1;
1257 }
1258 
kdf_argon2_ctx_set_pwd(KDF_ARGON2 * ctx,const OSSL_PARAM * p)1259 static int kdf_argon2_ctx_set_pwd(KDF_ARGON2 *ctx, const OSSL_PARAM *p)
1260 {
1261     size_t buflen;
1262 
1263     if (p->data == NULL)
1264         return 0;
1265 
1266     if (ctx->pwd != NULL) {
1267         OPENSSL_clear_free(ctx->pwd, ctx->pwdlen);
1268         ctx->pwd = NULL;
1269         ctx->pwdlen = 0U;
1270     }
1271 
1272     if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->pwd, 0, &buflen))
1273         return 0;
1274 
1275     if (buflen > ARGON2_MAX_PWD_LENGTH) {
1276         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, "max: %u",
1277                        ARGON2_MAX_PWD_LENGTH);
1278         goto fail;
1279     }
1280 
1281     ctx->pwdlen = (uint32_t) buflen;
1282     return 1;
1283 
1284 fail:
1285     OPENSSL_free(ctx->pwd);
1286     ctx->pwd = NULL;
1287     ctx->pwdlen = 0U;
1288     return 0;
1289 }
1290 
kdf_argon2_ctx_set_salt(KDF_ARGON2 * ctx,const OSSL_PARAM * p)1291 static int kdf_argon2_ctx_set_salt(KDF_ARGON2 *ctx, const OSSL_PARAM *p)
1292 {
1293     size_t buflen;
1294 
1295     if (p->data == NULL)
1296         return 0;
1297 
1298     if (ctx->salt != NULL) {
1299         OPENSSL_clear_free(ctx->salt, ctx->saltlen);
1300         ctx->salt = NULL;
1301         ctx->saltlen = 0U;
1302     }
1303 
1304     if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->salt, 0, &buflen))
1305         return 0;
1306 
1307     if (buflen < ARGON2_MIN_SALT_LENGTH) {
1308         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, "min: %u",
1309                        ARGON2_MIN_SALT_LENGTH);
1310         goto fail;
1311     }
1312 
1313     if (buflen > ARGON2_MAX_SALT_LENGTH) {
1314         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, "max: %u",
1315                        ARGON2_MAX_SALT_LENGTH);
1316         goto fail;
1317     }
1318 
1319     ctx->saltlen = (uint32_t) buflen;
1320     return 1;
1321 
1322 fail:
1323     OPENSSL_free(ctx->salt);
1324     ctx->salt = NULL;
1325     ctx->saltlen = 0U;
1326     return 0;
1327 }
1328 
kdf_argon2_ctx_set_ad(KDF_ARGON2 * ctx,const OSSL_PARAM * p)1329 static int kdf_argon2_ctx_set_ad(KDF_ARGON2 *ctx, const OSSL_PARAM *p)
1330 {
1331     size_t buflen;
1332 
1333     if (p->data == NULL)
1334         return 0;
1335 
1336     if (ctx->ad != NULL) {
1337         OPENSSL_clear_free(ctx->ad, ctx->adlen);
1338         ctx->ad = NULL;
1339         ctx->adlen = 0U;
1340     }
1341 
1342     if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->ad, 0, &buflen))
1343         return 0;
1344 
1345     if (buflen > ARGON2_MAX_AD_LENGTH) {
1346         OPENSSL_free(ctx->ad);
1347         ctx->ad = NULL;
1348         ctx->adlen = 0U;
1349         return 0;
1350     }
1351 
1352     ctx->adlen = (uint32_t) buflen;
1353     return 1;
1354 }
1355 
kdf_argon2_ctx_set_flag_early_clean(KDF_ARGON2 * ctx,uint32_t f)1356 static void kdf_argon2_ctx_set_flag_early_clean(KDF_ARGON2 *ctx, uint32_t f)
1357 {
1358     ctx->early_clean = !!(f);
1359 }
1360 
kdf_argon2_ctx_set_version(KDF_ARGON2 * ctx,uint32_t version)1361 static int kdf_argon2_ctx_set_version(KDF_ARGON2 *ctx, uint32_t version)
1362 {
1363     switch (version) {
1364     case ARGON2_VERSION_10:
1365     case ARGON2_VERSION_13:
1366         ctx->version = version;
1367         return 1;
1368     default:
1369         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MODE,
1370                        "invalid Argon2 version");
1371         return 0;
1372     }
1373 }
1374 
set_property_query(KDF_ARGON2 * ctx,const char * propq)1375 static int set_property_query(KDF_ARGON2 *ctx, const char *propq)
1376 {
1377     OPENSSL_free(ctx->propq);
1378     ctx->propq = NULL;
1379     if (propq != NULL) {
1380         ctx->propq = OPENSSL_strdup(propq);
1381         if (ctx->propq == NULL)
1382             return 0;
1383     }
1384     EVP_MD_free(ctx->md);
1385     ctx->md = NULL;
1386     EVP_MAC_free(ctx->mac);
1387     ctx->mac = NULL;
1388     return 1;
1389 }
1390 
kdf_argon2_set_ctx_params(void * vctx,const OSSL_PARAM params[])1391 static int kdf_argon2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
1392 {
1393     const OSSL_PARAM *p;
1394     KDF_ARGON2 *ctx;
1395     uint32_t u32_value;
1396 
1397     if (ossl_param_is_empty(params))
1398         return 1;
1399 
1400     ctx = (KDF_ARGON2 *) vctx;
1401     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
1402         if (!kdf_argon2_ctx_set_pwd(ctx, p))
1403             return 0;
1404 
1405     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL)
1406         if (!kdf_argon2_ctx_set_salt(ctx, p))
1407             return 0;
1408 
1409     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL)
1410         if (!kdf_argon2_ctx_set_secret(ctx, p))
1411             return 0;
1412 
1413     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ARGON2_AD)) != NULL)
1414         if (!kdf_argon2_ctx_set_ad(ctx, p))
1415             return 0;
1416 
1417     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
1418         if (!OSSL_PARAM_get_uint32(p, &u32_value))
1419             return 0;
1420         if (!kdf_argon2_ctx_set_out_length(ctx, u32_value))
1421             return 0;
1422     }
1423 
1424     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ITER)) != NULL) {
1425         if (!OSSL_PARAM_get_uint32(p, &u32_value))
1426             return 0;
1427         if (!kdf_argon2_ctx_set_t_cost(ctx, u32_value))
1428             return 0;
1429     }
1430 
1431     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_THREADS)) != NULL) {
1432         if (!OSSL_PARAM_get_uint32(p, &u32_value))
1433             return 0;
1434         if (!kdf_argon2_ctx_set_threads(ctx, u32_value))
1435             return 0;
1436     }
1437 
1438     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ARGON2_LANES)) != NULL) {
1439         if (!OSSL_PARAM_get_uint32(p, &u32_value))
1440             return 0;
1441         if (!kdf_argon2_ctx_set_lanes(ctx, u32_value))
1442             return 0;
1443     }
1444 
1445     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ARGON2_MEMCOST)) != NULL) {
1446         if (!OSSL_PARAM_get_uint32(p, &u32_value))
1447             return 0;
1448         if (!kdf_argon2_ctx_set_m_cost(ctx, u32_value))
1449             return 0;
1450     }
1451 
1452     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_EARLY_CLEAN)) != NULL) {
1453         if (!OSSL_PARAM_get_uint32(p, &u32_value))
1454             return 0;
1455         kdf_argon2_ctx_set_flag_early_clean(ctx, u32_value);
1456     }
1457 
1458     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ARGON2_VERSION)) != NULL) {
1459         if (!OSSL_PARAM_get_uint32(p, &u32_value))
1460             return 0;
1461         if (!kdf_argon2_ctx_set_version(ctx, u32_value))
1462             return 0;
1463     }
1464 
1465     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PROPERTIES)) != NULL) {
1466         if (p->data_type != OSSL_PARAM_UTF8_STRING
1467             || !set_property_query(ctx, p->data))
1468             return 0;
1469     }
1470 
1471     return 1;
1472 }
1473 
kdf_argon2_settable_ctx_params(ossl_unused void * ctx,ossl_unused void * p_ctx)1474 static const OSSL_PARAM *kdf_argon2_settable_ctx_params(ossl_unused void *ctx,
1475                                                         ossl_unused void *p_ctx)
1476 {
1477     static const OSSL_PARAM known_settable_ctx_params[] = {
1478         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0),
1479         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),
1480         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0),
1481         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_ARGON2_AD, NULL, 0),
1482         OSSL_PARAM_uint32(OSSL_KDF_PARAM_SIZE, NULL),
1483         OSSL_PARAM_uint32(OSSL_KDF_PARAM_ITER, NULL),
1484         OSSL_PARAM_uint32(OSSL_KDF_PARAM_THREADS, NULL),
1485         OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_LANES, NULL),
1486         OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_MEMCOST, NULL),
1487         OSSL_PARAM_uint32(OSSL_KDF_PARAM_EARLY_CLEAN, NULL),
1488         OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_VERSION, NULL),
1489         OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
1490         OSSL_PARAM_END
1491     };
1492 
1493     return known_settable_ctx_params;
1494 }
1495 
kdf_argon2_get_ctx_params(void * vctx,OSSL_PARAM params[])1496 static int kdf_argon2_get_ctx_params(void *vctx, OSSL_PARAM params[])
1497 {
1498     OSSL_PARAM *p;
1499 
1500     (void) vctx;
1501     if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
1502         return OSSL_PARAM_set_size_t(p, SIZE_MAX);
1503 
1504     return -2;
1505 }
1506 
kdf_argon2_gettable_ctx_params(ossl_unused void * ctx,ossl_unused void * p_ctx)1507 static const OSSL_PARAM *kdf_argon2_gettable_ctx_params(ossl_unused void *ctx,
1508                                                         ossl_unused void *p_ctx)
1509 {
1510     static const OSSL_PARAM known_gettable_ctx_params[] = {
1511         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
1512         OSSL_PARAM_END
1513     };
1514 
1515     return known_gettable_ctx_params;
1516 }
1517 
1518 const OSSL_DISPATCH ossl_kdf_argon2i_functions[] = {
1519     { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_argon2i_new },
1520     { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_argon2_free },
1521     { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_argon2_reset },
1522     { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_argon2_derive },
1523     { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
1524       (void(*)(void))kdf_argon2_settable_ctx_params },
1525     { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_argon2_set_ctx_params },
1526     { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
1527       (void(*)(void))kdf_argon2_gettable_ctx_params },
1528     { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_argon2_get_ctx_params },
1529     OSSL_DISPATCH_END
1530 };
1531 
1532 const OSSL_DISPATCH ossl_kdf_argon2d_functions[] = {
1533     { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_argon2d_new },
1534     { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_argon2_free },
1535     { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_argon2_reset },
1536     { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_argon2_derive },
1537     { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
1538       (void(*)(void))kdf_argon2_settable_ctx_params },
1539     { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_argon2_set_ctx_params },
1540     { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
1541       (void(*)(void))kdf_argon2_gettable_ctx_params },
1542     { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_argon2_get_ctx_params },
1543     OSSL_DISPATCH_END
1544 };
1545 
1546 const OSSL_DISPATCH ossl_kdf_argon2id_functions[] = {
1547     { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_argon2id_new },
1548     { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_argon2_free },
1549     { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_argon2_reset },
1550     { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_argon2_derive },
1551     { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
1552       (void(*)(void))kdf_argon2_settable_ctx_params },
1553     { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_argon2_set_ctx_params },
1554     { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
1555       (void(*)(void))kdf_argon2_gettable_ctx_params },
1556     { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_argon2_get_ctx_params },
1557     OSSL_DISPATCH_END
1558 };
1559 
1560 #endif
1561