1 /*
2 * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 *
9 * RFC 9106 Argon2 (see https://www.rfc-editor.org/rfc/rfc9106.txt)
10 *
11 */
12
13 #include <stdlib.h>
14 #include <stddef.h>
15 #include <stdarg.h>
16 #include <string.h>
17 #include <openssl/e_os2.h>
18 #include <openssl/evp.h>
19 #include <openssl/objects.h>
20 #include <openssl/crypto.h>
21 #include <openssl/kdf.h>
22 #include <openssl/err.h>
23 #include <openssl/core_names.h>
24 #include <openssl/params.h>
25 #include <openssl/thread.h>
26 #include <openssl/proverr.h>
27 #include "internal/thread.h"
28 #include "internal/numbers.h"
29 #include "internal/endian.h"
30 #include "crypto/evp.h"
31 #include "prov/implementations.h"
32 #include "prov/provider_ctx.h"
33 #include "prov/providercommon.h"
34 #include "prov/blake2.h"
35
36 #if defined(OPENSSL_NO_DEFAULT_THREAD_POOL) && defined(OPENSSL_NO_THREAD_POOL)
37 # define ARGON2_NO_THREADS
38 #endif
39
40 #if !defined(OPENSSL_THREADS)
41 # define ARGON2_NO_THREADS
42 #endif
43
44 #ifndef OPENSSL_NO_ARGON2
45
46 # define ARGON2_MIN_LANES 1u
47 # define ARGON2_MAX_LANES 0xFFFFFFu
48 # define ARGON2_MIN_THREADS 1u
49 # define ARGON2_MAX_THREADS 0xFFFFFFu
50 # define ARGON2_SYNC_POINTS 4u
51 # define ARGON2_MIN_OUT_LENGTH 4u
52 # define ARGON2_MAX_OUT_LENGTH 0xFFFFFFFFu
53 # define ARGON2_MIN_MEMORY (2 * ARGON2_SYNC_POINTS)
54 # define ARGON2_MIN(a, b) ((a) < (b) ? (a) : (b))
55 # define ARGON2_MAX_MEMORY 0xFFFFFFFFu
56 # define ARGON2_MIN_TIME 1u
57 # define ARGON2_MAX_TIME 0xFFFFFFFFu
58 # define ARGON2_MIN_PWD_LENGTH 0u
59 # define ARGON2_MAX_PWD_LENGTH 0xFFFFFFFFu
60 # define ARGON2_MIN_AD_LENGTH 0u
61 # define ARGON2_MAX_AD_LENGTH 0xFFFFFFFFu
62 # define ARGON2_MIN_SALT_LENGTH 8u
63 # define ARGON2_MAX_SALT_LENGTH 0xFFFFFFFFu
64 # define ARGON2_MIN_SECRET 0u
65 # define ARGON2_MAX_SECRET 0xFFFFFFFFu
66 # define ARGON2_BLOCK_SIZE 1024
67 # define ARGON2_QWORDS_IN_BLOCK ((ARGON2_BLOCK_SIZE) / 8)
68 # define ARGON2_OWORDS_IN_BLOCK ((ARGON2_BLOCK_SIZE) / 16)
69 # define ARGON2_HWORDS_IN_BLOCK ((ARGON2_BLOCK_SIZE) / 32)
70 # define ARGON2_512BIT_WORDS_IN_BLOCK ((ARGON2_BLOCK_SIZE) / 64)
71 # define ARGON2_ADDRESSES_IN_BLOCK 128
72 # define ARGON2_PREHASH_DIGEST_LENGTH 64
73 # define ARGON2_PREHASH_SEED_LENGTH \
74 (ARGON2_PREHASH_DIGEST_LENGTH + (2 * sizeof(uint32_t)))
75
76 # define ARGON2_DEFAULT_OUTLEN 64u
77 # define ARGON2_DEFAULT_T_COST 3u
78 # define ARGON2_DEFAULT_M_COST ARGON2_MIN_MEMORY
79 # define ARGON2_DEFAULT_LANES 1u
80 # define ARGON2_DEFAULT_THREADS 1u
81 # define ARGON2_DEFAULT_VERSION ARGON2_VERSION_NUMBER
82
83 # undef G
84 # define G(a, b, c, d) \
85 do { \
86 a = a + b + 2 * mul_lower(a, b); \
87 d = rotr64(d ^ a, 32); \
88 c = c + d + 2 * mul_lower(c, d); \
89 b = rotr64(b ^ c, 24); \
90 a = a + b + 2 * mul_lower(a, b); \
91 d = rotr64(d ^ a, 16); \
92 c = c + d + 2 * mul_lower(c, d); \
93 b = rotr64(b ^ c, 63); \
94 } while ((void)0, 0)
95
96 # undef PERMUTATION_P
97 # define PERMUTATION_P(v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, \
98 v12, v13, v14, v15) \
99 do { \
100 G(v0, v4, v8, v12); \
101 G(v1, v5, v9, v13); \
102 G(v2, v6, v10, v14); \
103 G(v3, v7, v11, v15); \
104 G(v0, v5, v10, v15); \
105 G(v1, v6, v11, v12); \
106 G(v2, v7, v8, v13); \
107 G(v3, v4, v9, v14); \
108 } while ((void)0, 0)
109
110 # undef PERMUTATION_P_COLUMN
111 # define PERMUTATION_P_COLUMN(x, i) \
112 do { \
113 uint64_t *base = &x[16 * i]; \
114 PERMUTATION_P( \
115 *base, *(base + 1), *(base + 2), *(base + 3), \
116 *(base + 4), *(base + 5), *(base + 6), *(base + 7), \
117 *(base + 8), *(base + 9), *(base + 10), *(base + 11), \
118 *(base + 12), *(base + 13), *(base + 14), *(base + 15) \
119 ); \
120 } while ((void)0, 0)
121
122 # undef PERMUTATION_P_ROW
123 # define PERMUTATION_P_ROW(x, i) \
124 do { \
125 uint64_t *base = &x[2 * i]; \
126 PERMUTATION_P( \
127 *base, *(base + 1), *(base + 16), *(base + 17), \
128 *(base + 32), *(base + 33), *(base + 48), *(base + 49), \
129 *(base + 64), *(base + 65), *(base + 80), *(base + 81), \
130 *(base + 96), *(base + 97), *(base + 112), *(base + 113) \
131 ); \
132 } while ((void)0, 0)
133
134 typedef struct {
135 uint64_t v[ARGON2_QWORDS_IN_BLOCK];
136 } BLOCK;
137
138 typedef enum {
139 ARGON2_VERSION_10 = 0x10,
140 ARGON2_VERSION_13 = 0x13,
141 ARGON2_VERSION_NUMBER = ARGON2_VERSION_13
142 } ARGON2_VERSION;
143
144 typedef enum {
145 ARGON2_D = 0,
146 ARGON2_I = 1,
147 ARGON2_ID = 2
148 } ARGON2_TYPE;
149
150 typedef struct {
151 uint32_t pass;
152 uint32_t lane;
153 uint8_t slice;
154 uint32_t index;
155 } ARGON2_POS;
156
157 typedef struct {
158 void *provctx;
159 uint32_t outlen;
160 uint8_t *pwd;
161 uint32_t pwdlen;
162 uint8_t *salt;
163 uint32_t saltlen;
164 uint8_t *secret;
165 uint32_t secretlen;
166 uint8_t *ad;
167 uint32_t adlen;
168 uint32_t t_cost;
169 uint32_t m_cost;
170 uint32_t lanes;
171 uint32_t threads;
172 uint32_t version;
173 uint32_t early_clean;
174 ARGON2_TYPE type;
175 BLOCK *memory;
176 uint32_t passes;
177 uint32_t memory_blocks;
178 uint32_t segment_length;
179 uint32_t lane_length;
180 OSSL_LIB_CTX *libctx;
181 EVP_MD *md;
182 EVP_MAC *mac;
183 char *propq;
184 } KDF_ARGON2;
185
186 typedef struct {
187 ARGON2_POS pos;
188 KDF_ARGON2 *ctx;
189 } ARGON2_THREAD_DATA;
190
191 static OSSL_FUNC_kdf_newctx_fn kdf_argon2i_new;
192 static OSSL_FUNC_kdf_newctx_fn kdf_argon2d_new;
193 static OSSL_FUNC_kdf_newctx_fn kdf_argon2id_new;
194 static OSSL_FUNC_kdf_freectx_fn kdf_argon2_free;
195 static OSSL_FUNC_kdf_reset_fn kdf_argon2_reset;
196 static OSSL_FUNC_kdf_derive_fn kdf_argon2_derive;
197 static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_argon2_settable_ctx_params;
198 static OSSL_FUNC_kdf_set_ctx_params_fn kdf_argon2_set_ctx_params;
199
200 static void kdf_argon2_init(KDF_ARGON2 *ctx, ARGON2_TYPE t);
201 static void *kdf_argon2d_new(void *provctx);
202 static void *kdf_argon2i_new(void *provctx);
203 static void *kdf_argon2id_new(void *provctx);
204 static void kdf_argon2_free(void *vctx);
205 static int kdf_argon2_derive(void *vctx, unsigned char *out, size_t outlen,
206 const OSSL_PARAM params[]);
207 static void kdf_argon2_reset(void *vctx);
208 static int kdf_argon2_ctx_set_threads(KDF_ARGON2 *ctx, uint32_t threads);
209 static int kdf_argon2_ctx_set_lanes(KDF_ARGON2 *ctx, uint32_t lanes);
210 static int kdf_argon2_ctx_set_t_cost(KDF_ARGON2 *ctx, uint32_t t_cost);
211 static int kdf_argon2_ctx_set_m_cost(KDF_ARGON2 *ctx, uint32_t m_cost);
212 static int kdf_argon2_ctx_set_out_length(KDF_ARGON2 *ctx, uint32_t outlen);
213 static int kdf_argon2_ctx_set_secret(KDF_ARGON2 *ctx, const OSSL_PARAM *p);
214 static int kdf_argon2_ctx_set_pwd(KDF_ARGON2 *ctx, const OSSL_PARAM *p);
215 static int kdf_argon2_ctx_set_salt(KDF_ARGON2 *ctx, const OSSL_PARAM *p);
216 static int kdf_argon2_ctx_set_ad(KDF_ARGON2 *ctx, const OSSL_PARAM *p);
217 static int kdf_argon2_set_ctx_params(void *vctx, const OSSL_PARAM params[]);
218 static int kdf_argon2_get_ctx_params(void *vctx, OSSL_PARAM params[]);
219 static int kdf_argon2_ctx_set_version(KDF_ARGON2 *ctx, uint32_t version);
220 static const OSSL_PARAM *kdf_argon2_settable_ctx_params(ossl_unused void *ctx,
221 ossl_unused void *p_ctx);
222 static const OSSL_PARAM *kdf_argon2_gettable_ctx_params(ossl_unused void *ctx,
223 ossl_unused void *p_ctx);
224
225 static ossl_inline uint64_t load64(const uint8_t *src);
226 static ossl_inline void store32(uint8_t *dst, uint32_t w);
227 static ossl_inline void store64(uint8_t *dst, uint64_t w);
228 static ossl_inline uint64_t rotr64(const uint64_t w, const unsigned int c);
229 static ossl_inline uint64_t mul_lower(uint64_t x, uint64_t y);
230
231 static void init_block_value(BLOCK *b, uint8_t in);
232 static void copy_block(BLOCK *dst, const BLOCK *src);
233 static void xor_block(BLOCK *dst, const BLOCK *src);
234 static void load_block(BLOCK *dst, const void *input);
235 static void store_block(void *output, const BLOCK *src);
236 static void fill_first_blocks(uint8_t *blockhash, const KDF_ARGON2 *ctx);
237 static void fill_block(const BLOCK *prev, const BLOCK *ref, BLOCK *next,
238 int with_xor);
239
240 static void next_addresses(BLOCK *address_block, BLOCK *input_block,
241 const BLOCK *zero_block);
242 static int data_indep_addressing(const KDF_ARGON2 *ctx, uint32_t pass,
243 uint8_t slice);
244 static uint32_t index_alpha(const KDF_ARGON2 *ctx, uint32_t pass,
245 uint8_t slice, uint32_t index,
246 uint32_t pseudo_rand, int same_lane);
247
248 static void fill_segment(const KDF_ARGON2 *ctx, uint32_t pass, uint32_t lane,
249 uint8_t slice);
250
251 # if !defined(ARGON2_NO_THREADS)
252 static uint32_t fill_segment_thr(void *thread_data);
253 static int fill_mem_blocks_mt(KDF_ARGON2 *ctx);
254 # endif
255
256 static int fill_mem_blocks_st(KDF_ARGON2 *ctx);
257 static ossl_inline int fill_memory_blocks(KDF_ARGON2 *ctx);
258
259 static void initial_hash(uint8_t *blockhash, KDF_ARGON2 *ctx);
260 static int initialize(KDF_ARGON2 *ctx);
261 static void finalize(const KDF_ARGON2 *ctx, void *out);
262
263 static int blake2b(EVP_MD *md, EVP_MAC *mac, void *out, size_t outlen,
264 const void *in, size_t inlen, const void *key,
265 size_t keylen);
266 static int blake2b_long(EVP_MD *md, EVP_MAC *mac, unsigned char *out,
267 size_t outlen, const void *in, size_t inlen);
268
load64(const uint8_t * src)269 static ossl_inline uint64_t load64(const uint8_t *src)
270 {
271 return
272 (((uint64_t)src[0]) << 0)
273 | (((uint64_t)src[1]) << 8)
274 | (((uint64_t)src[2]) << 16)
275 | (((uint64_t)src[3]) << 24)
276 | (((uint64_t)src[4]) << 32)
277 | (((uint64_t)src[5]) << 40)
278 | (((uint64_t)src[6]) << 48)
279 | (((uint64_t)src[7]) << 56);
280 }
281
store32(uint8_t * dst,uint32_t w)282 static ossl_inline void store32(uint8_t *dst, uint32_t w)
283 {
284 dst[0] = (uint8_t)(w >> 0);
285 dst[1] = (uint8_t)(w >> 8);
286 dst[2] = (uint8_t)(w >> 16);
287 dst[3] = (uint8_t)(w >> 24);
288 }
289
store64(uint8_t * dst,uint64_t w)290 static ossl_inline void store64(uint8_t *dst, uint64_t w)
291 {
292 dst[0] = (uint8_t)(w >> 0);
293 dst[1] = (uint8_t)(w >> 8);
294 dst[2] = (uint8_t)(w >> 16);
295 dst[3] = (uint8_t)(w >> 24);
296 dst[4] = (uint8_t)(w >> 32);
297 dst[5] = (uint8_t)(w >> 40);
298 dst[6] = (uint8_t)(w >> 48);
299 dst[7] = (uint8_t)(w >> 56);
300 }
301
rotr64(const uint64_t w,const unsigned int c)302 static ossl_inline uint64_t rotr64(const uint64_t w, const unsigned int c)
303 {
304 return (w >> c) | (w << (64 - c));
305 }
306
mul_lower(uint64_t x,uint64_t y)307 static ossl_inline uint64_t mul_lower(uint64_t x, uint64_t y)
308 {
309 const uint64_t m = 0xFFFFFFFFUL;
310 return (x & m) * (y & m);
311 }
312
init_block_value(BLOCK * b,uint8_t in)313 static void init_block_value(BLOCK *b, uint8_t in)
314 {
315 memset(b->v, in, sizeof(b->v));
316 }
317
copy_block(BLOCK * dst,const BLOCK * src)318 static void copy_block(BLOCK *dst, const BLOCK *src)
319 {
320 memcpy(dst->v, src->v, sizeof(uint64_t) * ARGON2_QWORDS_IN_BLOCK);
321 }
322
xor_block(BLOCK * dst,const BLOCK * src)323 static void xor_block(BLOCK *dst, const BLOCK *src)
324 {
325 int i;
326
327 for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i)
328 dst->v[i] ^= src->v[i];
329 }
330
load_block(BLOCK * dst,const void * input)331 static void load_block(BLOCK *dst, const void *input)
332 {
333 unsigned i;
334
335 for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i)
336 dst->v[i] = load64((const uint8_t *)input + i * sizeof(dst->v[i]));
337 }
338
store_block(void * output,const BLOCK * src)339 static void store_block(void *output, const BLOCK *src)
340 {
341 unsigned i;
342
343 for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i)
344 store64((uint8_t *)output + i * sizeof(src->v[i]), src->v[i]);
345 }
346
fill_first_blocks(uint8_t * blockhash,const KDF_ARGON2 * ctx)347 static void fill_first_blocks(uint8_t *blockhash, const KDF_ARGON2 *ctx)
348 {
349 uint32_t l;
350 uint8_t blockhash_bytes[ARGON2_BLOCK_SIZE];
351
352 /*
353 * Make the first and second block in each lane as G(H0||0||i)
354 * or G(H0||1||i).
355 */
356 for (l = 0; l < ctx->lanes; ++l) {
357 store32(blockhash + ARGON2_PREHASH_DIGEST_LENGTH, 0);
358 store32(blockhash + ARGON2_PREHASH_DIGEST_LENGTH + 4, l);
359 blake2b_long(ctx->md, ctx->mac, blockhash_bytes, ARGON2_BLOCK_SIZE,
360 blockhash, ARGON2_PREHASH_SEED_LENGTH);
361 load_block(&ctx->memory[l * ctx->lane_length + 0],
362 blockhash_bytes);
363 store32(blockhash + ARGON2_PREHASH_DIGEST_LENGTH, 1);
364 blake2b_long(ctx->md, ctx->mac, blockhash_bytes, ARGON2_BLOCK_SIZE,
365 blockhash, ARGON2_PREHASH_SEED_LENGTH);
366 load_block(&ctx->memory[l * ctx->lane_length + 1],
367 blockhash_bytes);
368 }
369 OPENSSL_cleanse(blockhash_bytes, ARGON2_BLOCK_SIZE);
370 }
371
fill_block(const BLOCK * prev,const BLOCK * ref,BLOCK * next,int with_xor)372 static void fill_block(const BLOCK *prev, const BLOCK *ref,
373 BLOCK *next, int with_xor)
374 {
375 BLOCK blockR, tmp;
376 unsigned i;
377
378 copy_block(&blockR, ref);
379 xor_block(&blockR, prev);
380 copy_block(&tmp, &blockR);
381
382 if (with_xor)
383 xor_block(&tmp, next);
384
385 for (i = 0; i < 8; ++i)
386 PERMUTATION_P_COLUMN(blockR.v, i);
387
388 for (i = 0; i < 8; ++i)
389 PERMUTATION_P_ROW(blockR.v, i);
390
391 copy_block(next, &tmp);
392 xor_block(next, &blockR);
393 }
394
next_addresses(BLOCK * address_block,BLOCK * input_block,const BLOCK * zero_block)395 static void next_addresses(BLOCK *address_block, BLOCK *input_block,
396 const BLOCK *zero_block)
397 {
398 input_block->v[6]++;
399 fill_block(zero_block, input_block, address_block, 0);
400 fill_block(zero_block, address_block, address_block, 0);
401 }
402
data_indep_addressing(const KDF_ARGON2 * ctx,uint32_t pass,uint8_t slice)403 static int data_indep_addressing(const KDF_ARGON2 *ctx, uint32_t pass,
404 uint8_t slice)
405 {
406 switch (ctx->type) {
407 case ARGON2_I:
408 return 1;
409 case ARGON2_ID:
410 return (pass == 0) && (slice < ARGON2_SYNC_POINTS / 2);
411 case ARGON2_D:
412 default:
413 return 0;
414 }
415 }
416
417 /*
418 * Pass 0 (pass = 0):
419 * This lane: all already finished segments plus already constructed blocks
420 * in this segment
421 * Other lanes: all already finished segments
422 *
423 * Pass 1+:
424 * This lane: (SYNC_POINTS - 1) last segments plus already constructed
425 * blocks in this segment
426 * Other lanes: (SYNC_POINTS - 1) last segments
427 */
index_alpha(const KDF_ARGON2 * ctx,uint32_t pass,uint8_t slice,uint32_t index,uint32_t pseudo_rand,int same_lane)428 static uint32_t index_alpha(const KDF_ARGON2 *ctx, uint32_t pass,
429 uint8_t slice, uint32_t index,
430 uint32_t pseudo_rand, int same_lane)
431 {
432 uint32_t ref_area_sz;
433 uint64_t rel_pos;
434 uint32_t start_pos, abs_pos;
435
436 start_pos = 0;
437 switch (pass) {
438 case 0:
439 if (slice == 0)
440 ref_area_sz = index - 1;
441 else if (same_lane)
442 ref_area_sz = slice * ctx->segment_length + index - 1;
443 else
444 ref_area_sz = slice * ctx->segment_length +
445 ((index == 0) ? (-1) : 0);
446 break;
447 default:
448 if (same_lane)
449 ref_area_sz = ctx->lane_length - ctx->segment_length + index - 1;
450 else
451 ref_area_sz = ctx->lane_length - ctx->segment_length +
452 ((index == 0) ? (-1) : 0);
453 if (slice != ARGON2_SYNC_POINTS - 1)
454 start_pos = (slice + 1) * ctx->segment_length;
455 break;
456 }
457
458 rel_pos = pseudo_rand;
459 rel_pos = rel_pos * rel_pos >> 32;
460 rel_pos = ref_area_sz - 1 - (ref_area_sz * rel_pos >> 32);
461 abs_pos = (start_pos + rel_pos) % ctx->lane_length;
462
463 return abs_pos;
464 }
465
fill_segment(const KDF_ARGON2 * ctx,uint32_t pass,uint32_t lane,uint8_t slice)466 static void fill_segment(const KDF_ARGON2 *ctx, uint32_t pass, uint32_t lane,
467 uint8_t slice)
468 {
469 BLOCK *ref_block = NULL, *curr_block = NULL;
470 BLOCK address_block, input_block, zero_block;
471 uint64_t rnd, ref_index, ref_lane;
472 uint32_t prev_offset;
473 uint32_t start_idx;
474 uint32_t j;
475 uint32_t curr_offset; /* Offset of the current block */
476
477 memset(&input_block, 0, sizeof(BLOCK));
478
479 if (ctx == NULL)
480 return;
481
482 if (data_indep_addressing(ctx, pass, slice)) {
483 init_block_value(&zero_block, 0);
484 init_block_value(&input_block, 0);
485
486 input_block.v[0] = pass;
487 input_block.v[1] = lane;
488 input_block.v[2] = slice;
489 input_block.v[3] = ctx->memory_blocks;
490 input_block.v[4] = ctx->passes;
491 input_block.v[5] = ctx->type;
492 }
493
494 start_idx = 0;
495
496 /* We've generated the first two blocks. Generate the 1st block of addrs. */
497 if ((pass == 0) && (slice == 0)) {
498 start_idx = 2;
499 if (data_indep_addressing(ctx, pass, slice))
500 next_addresses(&address_block, &input_block, &zero_block);
501 }
502
503 curr_offset = lane * ctx->lane_length + slice * ctx->segment_length
504 + start_idx;
505
506 if ((curr_offset % ctx->lane_length) == 0)
507 prev_offset = curr_offset + ctx->lane_length - 1;
508 else
509 prev_offset = curr_offset - 1;
510
511 for (j = start_idx; j < ctx->segment_length; ++j, ++curr_offset, ++prev_offset) {
512 if (curr_offset % ctx->lane_length == 1)
513 prev_offset = curr_offset - 1;
514
515 /* Taking pseudo-random value from the previous block. */
516 if (data_indep_addressing(ctx, pass, slice)) {
517 if (j % ARGON2_ADDRESSES_IN_BLOCK == 0)
518 next_addresses(&address_block, &input_block, &zero_block);
519 rnd = address_block.v[j % ARGON2_ADDRESSES_IN_BLOCK];
520 } else {
521 rnd = ctx->memory[prev_offset].v[0];
522 }
523
524 /* Computing the lane of the reference block */
525 ref_lane = ((rnd >> 32)) % ctx->lanes;
526 /* Can not reference other lanes yet */
527 if ((pass == 0) && (slice == 0))
528 ref_lane = lane;
529
530 /* Computing the number of possible reference block within the lane. */
531 ref_index = index_alpha(ctx, pass, slice, j, rnd & 0xFFFFFFFF,
532 ref_lane == lane);
533
534 /* Creating a new block */
535 ref_block = ctx->memory + ctx->lane_length * ref_lane + ref_index;
536 curr_block = ctx->memory + curr_offset;
537 if (ARGON2_VERSION_10 == ctx->version) {
538 /* Version 1.2.1 and earlier: overwrite, not XOR */
539 fill_block(ctx->memory + prev_offset, ref_block, curr_block, 0);
540 continue;
541 }
542
543 fill_block(ctx->memory + prev_offset, ref_block, curr_block,
544 pass == 0 ? 0 : 1);
545 }
546 }
547
548 # if !defined(ARGON2_NO_THREADS)
549
fill_segment_thr(void * thread_data)550 static uint32_t fill_segment_thr(void *thread_data)
551 {
552 ARGON2_THREAD_DATA *my_data;
553
554 my_data = (ARGON2_THREAD_DATA *) thread_data;
555 fill_segment(my_data->ctx, my_data->pos.pass, my_data->pos.lane,
556 my_data->pos.slice);
557
558 return 0;
559 }
560
fill_mem_blocks_mt(KDF_ARGON2 * ctx)561 static int fill_mem_blocks_mt(KDF_ARGON2 *ctx)
562 {
563 uint32_t r, s, l, ll;
564 void **t;
565 ARGON2_THREAD_DATA *t_data;
566
567 t = OPENSSL_zalloc(sizeof(void *)*ctx->lanes);
568 t_data = OPENSSL_zalloc(ctx->lanes * sizeof(ARGON2_THREAD_DATA));
569
570 if (t == NULL || t_data == NULL)
571 goto fail;
572
573 for (r = 0; r < ctx->passes; ++r) {
574 for (s = 0; s < ARGON2_SYNC_POINTS; ++s) {
575 for (l = 0; l < ctx->lanes; ++l) {
576 ARGON2_POS p;
577 if (l >= ctx->threads) {
578 if (ossl_crypto_thread_join(t[l - ctx->threads], NULL) == 0)
579 goto fail;
580 if (ossl_crypto_thread_clean(t[l - ctx->threads]) == 0)
581 goto fail;
582 t[l] = NULL;
583 }
584
585 p.pass = r;
586 p.lane = l;
587 p.slice = (uint8_t)s;
588 p.index = 0;
589
590 t_data[l].ctx = ctx;
591 memcpy(&(t_data[l].pos), &p, sizeof(ARGON2_POS));
592 t[l] = ossl_crypto_thread_start(ctx->libctx, &fill_segment_thr,
593 (void *) &t_data[l]);
594 if (t[l] == NULL) {
595 for (ll = 0; ll < l; ++ll) {
596 if (ossl_crypto_thread_join(t[ll], NULL) == 0)
597 goto fail;
598 if (ossl_crypto_thread_clean(t[ll]) == 0)
599 goto fail;
600 t[ll] = NULL;
601 }
602 goto fail;
603 }
604 }
605 for (l = ctx->lanes - ctx->threads; l < ctx->lanes; ++l) {
606 if (ossl_crypto_thread_join(t[l], NULL) == 0)
607 goto fail;
608 if (ossl_crypto_thread_clean(t[l]) == 0)
609 goto fail;
610 t[l] = NULL;
611 }
612 }
613 }
614
615 OPENSSL_free(t_data);
616 OPENSSL_free(t);
617
618 return 1;
619
620 fail:
621 if (t_data != NULL)
622 OPENSSL_free(t_data);
623 if (t != NULL)
624 OPENSSL_free(t);
625 return 0;
626 }
627
628 # endif /* !defined(ARGON2_NO_THREADS) */
629
fill_mem_blocks_st(KDF_ARGON2 * ctx)630 static int fill_mem_blocks_st(KDF_ARGON2 *ctx)
631 {
632 uint32_t r, s, l;
633
634 for (r = 0; r < ctx->passes; ++r)
635 for (s = 0; s < ARGON2_SYNC_POINTS; ++s)
636 for (l = 0; l < ctx->lanes; ++l)
637 fill_segment(ctx, r, l, s);
638 return 1;
639 }
640
fill_memory_blocks(KDF_ARGON2 * ctx)641 static ossl_inline int fill_memory_blocks(KDF_ARGON2 *ctx)
642 {
643 # if !defined(ARGON2_NO_THREADS)
644 return ctx->threads == 1 ? fill_mem_blocks_st(ctx) : fill_mem_blocks_mt(ctx);
645 # else
646 return ctx->threads == 1 ? fill_mem_blocks_st(ctx) : 0;
647 # endif
648 }
649
initial_hash(uint8_t * blockhash,KDF_ARGON2 * ctx)650 static void initial_hash(uint8_t *blockhash, KDF_ARGON2 *ctx)
651 {
652 EVP_MD_CTX *mdctx;
653 uint8_t value[sizeof(uint32_t)];
654 unsigned int tmp;
655 uint32_t args[7];
656
657 if (ctx == NULL || blockhash == NULL)
658 return;
659
660 args[0] = ctx->lanes;
661 args[1] = ctx->outlen;
662 args[2] = ctx->m_cost;
663 args[3] = ctx->t_cost;
664 args[4] = ctx->version;
665 args[5] = (uint32_t) ctx->type;
666 args[6] = ctx->pwdlen;
667
668 mdctx = EVP_MD_CTX_create();
669 if (mdctx == NULL || EVP_DigestInit_ex(mdctx, ctx->md, NULL) != 1)
670 goto fail;
671
672 for (tmp = 0; tmp < sizeof(args) / sizeof(uint32_t); ++tmp) {
673 store32((uint8_t *) &value, args[tmp]);
674 if (EVP_DigestUpdate(mdctx, &value, sizeof(value)) != 1)
675 goto fail;
676 }
677
678 if (ctx->pwd != NULL) {
679 if (EVP_DigestUpdate(mdctx, ctx->pwd, ctx->pwdlen) != 1)
680 goto fail;
681 if (ctx->early_clean) {
682 OPENSSL_cleanse(ctx->pwd, ctx->pwdlen);
683 ctx->pwdlen = 0;
684 }
685 }
686
687 store32((uint8_t *) &value, ctx->saltlen);
688
689 if (EVP_DigestUpdate(mdctx, &value, sizeof(value)) != 1)
690 goto fail;
691
692 if (ctx->salt != NULL)
693 if (EVP_DigestUpdate(mdctx, ctx->salt, ctx->saltlen) != 1)
694 goto fail;
695
696 store32((uint8_t *) &value, ctx->secretlen);
697 if (EVP_DigestUpdate(mdctx, &value, sizeof(value)) != 1)
698 goto fail;
699
700 if (ctx->secret != NULL) {
701 if (EVP_DigestUpdate(mdctx, ctx->secret, ctx->secretlen) != 1)
702 goto fail;
703 if (ctx->early_clean) {
704 OPENSSL_cleanse(ctx->secret, ctx->secretlen);
705 ctx->secretlen = 0;
706 }
707 }
708
709 store32((uint8_t *) &value, ctx->adlen);
710 if (EVP_DigestUpdate(mdctx, &value, sizeof(value)) != 1)
711 goto fail;
712
713 if (ctx->ad != NULL)
714 if (EVP_DigestUpdate(mdctx, ctx->ad, ctx->adlen) != 1)
715 goto fail;
716
717 tmp = ARGON2_PREHASH_DIGEST_LENGTH;
718 if (EVP_DigestFinal_ex(mdctx, blockhash, &tmp) != 1)
719 goto fail;
720
721 fail:
722 EVP_MD_CTX_destroy(mdctx);
723 }
724
initialize(KDF_ARGON2 * ctx)725 static int initialize(KDF_ARGON2 *ctx)
726 {
727 uint8_t blockhash[ARGON2_PREHASH_SEED_LENGTH];
728
729 if (ctx == NULL)
730 return 0;
731
732 if (ctx->memory_blocks * sizeof(BLOCK) / sizeof(BLOCK) != ctx->memory_blocks)
733 return 0;
734
735 if (ctx->type != ARGON2_D)
736 ctx->memory = OPENSSL_secure_zalloc(ctx->memory_blocks *
737 sizeof(BLOCK));
738 else
739 ctx->memory = OPENSSL_zalloc(ctx->memory_blocks *
740 sizeof(BLOCK));
741
742 if (ctx->memory == NULL) {
743 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MEMORY_SIZE,
744 "cannot allocate required memory");
745 return 0;
746 }
747
748 initial_hash(blockhash, ctx);
749 OPENSSL_cleanse(blockhash + ARGON2_PREHASH_DIGEST_LENGTH,
750 ARGON2_PREHASH_SEED_LENGTH - ARGON2_PREHASH_DIGEST_LENGTH);
751 fill_first_blocks(blockhash, ctx);
752 OPENSSL_cleanse(blockhash, ARGON2_PREHASH_SEED_LENGTH);
753
754 return 1;
755 }
756
finalize(const KDF_ARGON2 * ctx,void * out)757 static void finalize(const KDF_ARGON2 *ctx, void *out)
758 {
759 BLOCK blockhash;
760 uint8_t blockhash_bytes[ARGON2_BLOCK_SIZE];
761 uint32_t last_block_in_lane;
762 uint32_t l;
763
764 if (ctx == NULL)
765 return;
766
767 copy_block(&blockhash, ctx->memory + ctx->lane_length - 1);
768
769 /* XOR the last blocks */
770 for (l = 1; l < ctx->lanes; ++l) {
771 last_block_in_lane = l * ctx->lane_length + (ctx->lane_length - 1);
772 xor_block(&blockhash, ctx->memory + last_block_in_lane);
773 }
774
775 /* Hash the result */
776 store_block(blockhash_bytes, &blockhash);
777 blake2b_long(ctx->md, ctx->mac, out, ctx->outlen, blockhash_bytes,
778 ARGON2_BLOCK_SIZE);
779 OPENSSL_cleanse(blockhash.v, ARGON2_BLOCK_SIZE);
780 OPENSSL_cleanse(blockhash_bytes, ARGON2_BLOCK_SIZE);
781
782 if (ctx->type != ARGON2_D)
783 OPENSSL_secure_clear_free(ctx->memory,
784 ctx->memory_blocks * sizeof(BLOCK));
785 else
786 OPENSSL_clear_free(ctx->memory,
787 ctx->memory_blocks * sizeof(BLOCK));
788 }
789
blake2b_mac(EVP_MAC * mac,void * out,size_t outlen,const void * in,size_t inlen,const void * key,size_t keylen)790 static int blake2b_mac(EVP_MAC *mac, void *out, size_t outlen, const void *in,
791 size_t inlen, const void *key, size_t keylen)
792 {
793 int ret = 0;
794 size_t par_n = 0, out_written;
795 EVP_MAC_CTX *ctx = NULL;
796 OSSL_PARAM par[3];
797
798 if ((ctx = EVP_MAC_CTX_new(mac)) == NULL)
799 goto fail;
800
801 par[par_n++] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
802 (void *) key, keylen);
803 par[par_n++] = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE, &outlen);
804 par[par_n++] = OSSL_PARAM_construct_end();
805
806 ret = EVP_MAC_CTX_set_params(ctx, par) == 1
807 && EVP_MAC_init(ctx, NULL, 0, NULL) == 1
808 && EVP_MAC_update(ctx, in, inlen) == 1
809 && EVP_MAC_final(ctx, out, (size_t *) &out_written, outlen) == 1;
810
811 fail:
812 EVP_MAC_CTX_free(ctx);
813 return ret;
814 }
815
blake2b_md(EVP_MD * md,void * out,size_t outlen,const void * in,size_t inlen)816 static int blake2b_md(EVP_MD *md, void *out, size_t outlen, const void *in,
817 size_t inlen)
818 {
819 int ret = 0;
820 EVP_MD_CTX *ctx = NULL;
821 OSSL_PARAM par[2];
822
823 if ((ctx = EVP_MD_CTX_create()) == NULL)
824 return 0;
825
826 par[0] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_SIZE, &outlen);
827 par[1] = OSSL_PARAM_construct_end();
828
829 ret = EVP_DigestInit_ex2(ctx, md, par) == 1
830 && EVP_DigestUpdate(ctx, in, inlen) == 1
831 && EVP_DigestFinal_ex(ctx, out, NULL) == 1;
832
833 EVP_MD_CTX_free(ctx);
834 return ret;
835 }
836
blake2b(EVP_MD * md,EVP_MAC * mac,void * out,size_t outlen,const void * in,size_t inlen,const void * key,size_t keylen)837 static int blake2b(EVP_MD *md, EVP_MAC *mac, void *out, size_t outlen,
838 const void *in, size_t inlen, const void *key, size_t keylen)
839 {
840 if (out == NULL || outlen == 0)
841 return 0;
842
843 if (key == NULL || keylen == 0)
844 return blake2b_md(md, out, outlen, in, inlen);
845
846 return blake2b_mac(mac, out, outlen, in, inlen, key, keylen);
847 }
848
blake2b_long(EVP_MD * md,EVP_MAC * mac,unsigned char * out,size_t outlen,const void * in,size_t inlen)849 static int blake2b_long(EVP_MD *md, EVP_MAC *mac, unsigned char *out,
850 size_t outlen, const void *in, size_t inlen)
851 {
852 int ret = 0;
853 EVP_MD_CTX *ctx = NULL;
854 uint32_t outlen_curr;
855 uint8_t outbuf[BLAKE2B_OUTBYTES];
856 uint8_t inbuf[BLAKE2B_OUTBYTES];
857 uint8_t outlen_bytes[sizeof(uint32_t)] = {0};
858 OSSL_PARAM par[2];
859 size_t outlen_md;
860
861 if (out == NULL || outlen == 0)
862 return 0;
863
864 /* Ensure little-endian byte order */
865 store32(outlen_bytes, (uint32_t)outlen);
866
867 if ((ctx = EVP_MD_CTX_create()) == NULL)
868 return 0;
869
870 outlen_md = (outlen <= BLAKE2B_OUTBYTES) ? outlen : BLAKE2B_OUTBYTES;
871 par[0] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_SIZE, &outlen_md);
872 par[1] = OSSL_PARAM_construct_end();
873
874 ret = EVP_DigestInit_ex2(ctx, md, par) == 1
875 && EVP_DigestUpdate(ctx, outlen_bytes, sizeof(outlen_bytes)) == 1
876 && EVP_DigestUpdate(ctx, in, inlen) == 1
877 && EVP_DigestFinal_ex(ctx, (outlen > BLAKE2B_OUTBYTES) ? outbuf : out,
878 NULL) == 1;
879
880 if (ret == 0)
881 goto fail;
882
883 if (outlen > BLAKE2B_OUTBYTES) {
884 memcpy(out, outbuf, BLAKE2B_OUTBYTES / 2);
885 out += BLAKE2B_OUTBYTES / 2;
886 outlen_curr = (uint32_t) outlen - BLAKE2B_OUTBYTES / 2;
887
888 while (outlen_curr > BLAKE2B_OUTBYTES) {
889 memcpy(inbuf, outbuf, BLAKE2B_OUTBYTES);
890 if (blake2b(md, mac, outbuf, BLAKE2B_OUTBYTES, inbuf,
891 BLAKE2B_OUTBYTES, NULL, 0) != 1)
892 goto fail;
893 memcpy(out, outbuf, BLAKE2B_OUTBYTES / 2);
894 out += BLAKE2B_OUTBYTES / 2;
895 outlen_curr -= BLAKE2B_OUTBYTES / 2;
896 }
897
898 memcpy(inbuf, outbuf, BLAKE2B_OUTBYTES);
899 if (blake2b(md, mac, outbuf, outlen_curr, inbuf, BLAKE2B_OUTBYTES,
900 NULL, 0) != 1)
901 goto fail;
902 memcpy(out, outbuf, outlen_curr);
903 }
904 ret = 1;
905
906 fail:
907 EVP_MD_CTX_free(ctx);
908 return ret;
909 }
910
kdf_argon2_init(KDF_ARGON2 * c,ARGON2_TYPE type)911 static void kdf_argon2_init(KDF_ARGON2 *c, ARGON2_TYPE type)
912 {
913 OSSL_LIB_CTX *libctx;
914
915 libctx = c->libctx;
916 memset(c, 0, sizeof(*c));
917
918 c->libctx = libctx;
919 c->outlen = ARGON2_DEFAULT_OUTLEN;
920 c->t_cost = ARGON2_DEFAULT_T_COST;
921 c->m_cost = ARGON2_DEFAULT_M_COST;
922 c->lanes = ARGON2_DEFAULT_LANES;
923 c->threads = ARGON2_DEFAULT_THREADS;
924 c->version = ARGON2_DEFAULT_VERSION;
925 c->type = type;
926 }
927
kdf_argon2d_new(void * provctx)928 static void *kdf_argon2d_new(void *provctx)
929 {
930 KDF_ARGON2 *ctx;
931
932 if (!ossl_prov_is_running())
933 return NULL;
934
935 ctx = OPENSSL_zalloc(sizeof(*ctx));
936 if (ctx == NULL) {
937 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
938 return NULL;
939 }
940
941 ctx->libctx = PROV_LIBCTX_OF(provctx);
942
943 kdf_argon2_init(ctx, ARGON2_D);
944 return ctx;
945 }
946
kdf_argon2i_new(void * provctx)947 static void *kdf_argon2i_new(void *provctx)
948 {
949 KDF_ARGON2 *ctx;
950
951 if (!ossl_prov_is_running())
952 return NULL;
953
954 ctx = OPENSSL_zalloc(sizeof(*ctx));
955 if (ctx == NULL) {
956 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
957 return NULL;
958 }
959
960 ctx->libctx = PROV_LIBCTX_OF(provctx);
961
962 kdf_argon2_init(ctx, ARGON2_I);
963 return ctx;
964 }
965
kdf_argon2id_new(void * provctx)966 static void *kdf_argon2id_new(void *provctx)
967 {
968 KDF_ARGON2 *ctx;
969
970 if (!ossl_prov_is_running())
971 return NULL;
972
973 ctx = OPENSSL_zalloc(sizeof(*ctx));
974 if (ctx == NULL) {
975 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
976 return NULL;
977 }
978
979 ctx->libctx = PROV_LIBCTX_OF(provctx);
980
981 kdf_argon2_init(ctx, ARGON2_ID);
982 return ctx;
983 }
984
kdf_argon2_free(void * vctx)985 static void kdf_argon2_free(void *vctx)
986 {
987 KDF_ARGON2 *ctx = (KDF_ARGON2 *)vctx;
988
989 if (ctx == NULL)
990 return;
991
992 if (ctx->pwd != NULL)
993 OPENSSL_clear_free(ctx->pwd, ctx->pwdlen);
994
995 if (ctx->salt != NULL)
996 OPENSSL_clear_free(ctx->salt, ctx->saltlen);
997
998 if (ctx->secret != NULL)
999 OPENSSL_clear_free(ctx->secret, ctx->secretlen);
1000
1001 if (ctx->ad != NULL)
1002 OPENSSL_clear_free(ctx->ad, ctx->adlen);
1003
1004 EVP_MD_free(ctx->md);
1005 EVP_MAC_free(ctx->mac);
1006
1007 OPENSSL_free(ctx->propq);
1008
1009 memset(ctx, 0, sizeof(*ctx));
1010
1011 OPENSSL_free(ctx);
1012 }
1013
kdf_argon2_derive(void * vctx,unsigned char * out,size_t outlen,const OSSL_PARAM params[])1014 static int kdf_argon2_derive(void *vctx, unsigned char *out, size_t outlen,
1015 const OSSL_PARAM params[])
1016 {
1017 KDF_ARGON2 *ctx;
1018 uint32_t memory_blocks, segment_length;
1019
1020 ctx = (KDF_ARGON2 *)vctx;
1021
1022 if (!ossl_prov_is_running() || !kdf_argon2_set_ctx_params(vctx, params))
1023 return 0;
1024
1025 if (ctx->mac == NULL)
1026 ctx->mac = EVP_MAC_fetch(ctx->libctx, "blake2bmac", ctx->propq);
1027 if (ctx->mac == NULL) {
1028 ERR_raise_data(ERR_LIB_PROV, PROV_R_MISSING_MAC,
1029 "cannot fetch blake2bmac");
1030 return 0;
1031 }
1032
1033 if (ctx->md == NULL)
1034 ctx->md = EVP_MD_fetch(ctx->libctx, "blake2b512", ctx->propq);
1035 if (ctx->md == NULL) {
1036 ERR_raise_data(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST,
1037 "cannot fetch blake2b512");
1038 return 0;
1039 }
1040
1041 if (ctx->salt == NULL || ctx->saltlen == 0) {
1042 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT);
1043 return 0;
1044 }
1045
1046 if (outlen != ctx->outlen) {
1047 if (OSSL_PARAM_locate((OSSL_PARAM *)params, "size") != NULL) {
1048 ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
1049 return 0;
1050 }
1051 if (!kdf_argon2_ctx_set_out_length(ctx, (uint32_t) outlen))
1052 return 0;
1053 }
1054
1055 switch (ctx->type) {
1056 case ARGON2_D:
1057 case ARGON2_I:
1058 case ARGON2_ID:
1059 break;
1060 default:
1061 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MODE, "invalid Argon2 type");
1062 return 0;
1063 }
1064
1065 if (ctx->threads > 1) {
1066 # ifdef ARGON2_NO_THREADS
1067 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,
1068 "requested %u threads, single-threaded mode supported only",
1069 ctx->threads);
1070 return 0;
1071 # else
1072 if (ctx->threads > ossl_get_avail_threads(ctx->libctx)) {
1073 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,
1074 "requested %u threads, available: %u",
1075 ctx->threads, ossl_get_avail_threads(ctx->libctx));
1076 return 0;
1077 }
1078 # endif
1079 if (ctx->threads > ctx->lanes) {
1080 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,
1081 "requested more threads (%u) than lanes (%u)",
1082 ctx->threads, ctx->lanes);
1083 return 0;
1084 }
1085 }
1086
1087 if (ctx->m_cost < 8 * ctx->lanes) {
1088 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MEMORY_SIZE,
1089 "m_cost must be greater or equal than 8 times the number of lanes");
1090 return 0;
1091 }
1092
1093 memory_blocks = ctx->m_cost;
1094 if (memory_blocks < 2 * ARGON2_SYNC_POINTS * ctx->lanes)
1095 memory_blocks = 2 * ARGON2_SYNC_POINTS * ctx->lanes;
1096
1097 /* Ensure that all segments have equal length */
1098 segment_length = memory_blocks / (ctx->lanes * ARGON2_SYNC_POINTS);
1099 memory_blocks = segment_length * (ctx->lanes * ARGON2_SYNC_POINTS);
1100
1101 ctx->memory = NULL;
1102 ctx->memory_blocks = memory_blocks;
1103 ctx->segment_length = segment_length;
1104 ctx->passes = ctx->t_cost;
1105 ctx->lane_length = segment_length * ARGON2_SYNC_POINTS;
1106
1107 if (initialize(ctx) != 1)
1108 return 0;
1109
1110 if (fill_memory_blocks(ctx) != 1)
1111 return 0;
1112
1113 finalize(ctx, out);
1114
1115 return 1;
1116 }
1117
kdf_argon2_reset(void * vctx)1118 static void kdf_argon2_reset(void *vctx)
1119 {
1120 OSSL_LIB_CTX *libctx;
1121 KDF_ARGON2 *ctx;
1122 ARGON2_TYPE type;
1123
1124 ctx = (KDF_ARGON2 *) vctx;
1125 type = ctx->type;
1126 libctx = ctx->libctx;
1127
1128 EVP_MD_free(ctx->md);
1129 EVP_MAC_free(ctx->mac);
1130
1131 OPENSSL_free(ctx->propq);
1132
1133 if (ctx->pwd != NULL)
1134 OPENSSL_clear_free(ctx->pwd, ctx->pwdlen);
1135
1136 if (ctx->salt != NULL)
1137 OPENSSL_clear_free(ctx->salt, ctx->saltlen);
1138
1139 if (ctx->secret != NULL)
1140 OPENSSL_clear_free(ctx->secret, ctx->secretlen);
1141
1142 if (ctx->ad != NULL)
1143 OPENSSL_clear_free(ctx->ad, ctx->adlen);
1144
1145 memset(ctx, 0, sizeof(*ctx));
1146 ctx->libctx = libctx;
1147 kdf_argon2_init(ctx, type);
1148 }
1149
kdf_argon2_ctx_set_threads(KDF_ARGON2 * ctx,uint32_t threads)1150 static int kdf_argon2_ctx_set_threads(KDF_ARGON2 *ctx, uint32_t threads)
1151 {
1152 if (threads < ARGON2_MIN_THREADS) {
1153 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,
1154 "min threads: %u", ARGON2_MIN_THREADS);
1155 return 0;
1156 }
1157
1158 if (threads > ARGON2_MAX_THREADS) {
1159 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,
1160 "max threads: %u", ARGON2_MAX_THREADS);
1161 return 0;
1162 }
1163
1164 ctx->threads = threads;
1165 return 1;
1166 }
1167
kdf_argon2_ctx_set_lanes(KDF_ARGON2 * ctx,uint32_t lanes)1168 static int kdf_argon2_ctx_set_lanes(KDF_ARGON2 *ctx, uint32_t lanes)
1169 {
1170 if (lanes > ARGON2_MAX_LANES) {
1171 ERR_raise_data(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER,
1172 "max lanes: %u", ARGON2_MAX_LANES);
1173 return 0;
1174 }
1175
1176 if (lanes < ARGON2_MIN_LANES) {
1177 ERR_raise_data(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER,
1178 "min lanes: %u", ARGON2_MIN_LANES);
1179 return 0;
1180 }
1181
1182 ctx->lanes = lanes;
1183 return 1;
1184 }
1185
kdf_argon2_ctx_set_t_cost(KDF_ARGON2 * ctx,uint32_t t_cost)1186 static int kdf_argon2_ctx_set_t_cost(KDF_ARGON2 *ctx, uint32_t t_cost)
1187 {
1188 /* ARGON2_MAX_MEMORY == max m_cost value, so skip check */
1189
1190 if (t_cost < ARGON2_MIN_TIME) {
1191 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_ITERATION_COUNT,
1192 "min: %u", ARGON2_MIN_TIME);
1193 return 0;
1194 }
1195
1196 ctx->t_cost = t_cost;
1197 return 1;
1198 }
1199
kdf_argon2_ctx_set_m_cost(KDF_ARGON2 * ctx,uint32_t m_cost)1200 static int kdf_argon2_ctx_set_m_cost(KDF_ARGON2 *ctx, uint32_t m_cost)
1201 {
1202 /* ARGON2_MAX_MEMORY == max m_cost value, so skip check */
1203
1204 if (m_cost < ARGON2_MIN_MEMORY) {
1205 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MEMORY_SIZE, "min: %u",
1206 ARGON2_MIN_MEMORY);
1207 return 0;
1208 }
1209
1210 ctx->m_cost = m_cost;
1211 return 1;
1212 }
1213
kdf_argon2_ctx_set_out_length(KDF_ARGON2 * ctx,uint32_t outlen)1214 static int kdf_argon2_ctx_set_out_length(KDF_ARGON2 *ctx, uint32_t outlen)
1215 {
1216 /*
1217 * ARGON2_MAX_OUT_LENGTH == max outlen value, so upper bounds checks
1218 * are always satisfied; to suppress compiler if statement tautology
1219 * warnings, these checks are skipped.
1220 */
1221
1222 if (outlen < ARGON2_MIN_OUT_LENGTH) {
1223 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH, "min: %u",
1224 ARGON2_MIN_OUT_LENGTH);
1225 return 0;
1226 }
1227
1228 ctx->outlen = outlen;
1229 return 1;
1230 }
1231
kdf_argon2_ctx_set_secret(KDF_ARGON2 * ctx,const OSSL_PARAM * p)1232 static int kdf_argon2_ctx_set_secret(KDF_ARGON2 *ctx, const OSSL_PARAM *p)
1233 {
1234 size_t buflen;
1235
1236 if (p->data == NULL)
1237 return 0;
1238
1239 if (ctx->secret != NULL) {
1240 OPENSSL_clear_free(ctx->secret, ctx->secretlen);
1241 ctx->secret = NULL;
1242 ctx->secretlen = 0U;
1243 }
1244
1245 if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->secret, 0, &buflen))
1246 return 0;
1247
1248 if (buflen > ARGON2_MAX_SECRET) {
1249 OPENSSL_free(ctx->secret);
1250 ctx->secret = NULL;
1251 ctx->secretlen = 0U;
1252 return 0;
1253 }
1254
1255 ctx->secretlen = (uint32_t) buflen;
1256 return 1;
1257 }
1258
kdf_argon2_ctx_set_pwd(KDF_ARGON2 * ctx,const OSSL_PARAM * p)1259 static int kdf_argon2_ctx_set_pwd(KDF_ARGON2 *ctx, const OSSL_PARAM *p)
1260 {
1261 size_t buflen;
1262
1263 if (p->data == NULL)
1264 return 0;
1265
1266 if (ctx->pwd != NULL) {
1267 OPENSSL_clear_free(ctx->pwd, ctx->pwdlen);
1268 ctx->pwd = NULL;
1269 ctx->pwdlen = 0U;
1270 }
1271
1272 if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->pwd, 0, &buflen))
1273 return 0;
1274
1275 if (buflen > ARGON2_MAX_PWD_LENGTH) {
1276 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, "max: %u",
1277 ARGON2_MAX_PWD_LENGTH);
1278 goto fail;
1279 }
1280
1281 ctx->pwdlen = (uint32_t) buflen;
1282 return 1;
1283
1284 fail:
1285 OPENSSL_free(ctx->pwd);
1286 ctx->pwd = NULL;
1287 ctx->pwdlen = 0U;
1288 return 0;
1289 }
1290
kdf_argon2_ctx_set_salt(KDF_ARGON2 * ctx,const OSSL_PARAM * p)1291 static int kdf_argon2_ctx_set_salt(KDF_ARGON2 *ctx, const OSSL_PARAM *p)
1292 {
1293 size_t buflen;
1294
1295 if (p->data == NULL)
1296 return 0;
1297
1298 if (ctx->salt != NULL) {
1299 OPENSSL_clear_free(ctx->salt, ctx->saltlen);
1300 ctx->salt = NULL;
1301 ctx->saltlen = 0U;
1302 }
1303
1304 if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->salt, 0, &buflen))
1305 return 0;
1306
1307 if (buflen < ARGON2_MIN_SALT_LENGTH) {
1308 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, "min: %u",
1309 ARGON2_MIN_SALT_LENGTH);
1310 goto fail;
1311 }
1312
1313 if (buflen > ARGON2_MAX_SALT_LENGTH) {
1314 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, "max: %u",
1315 ARGON2_MAX_SALT_LENGTH);
1316 goto fail;
1317 }
1318
1319 ctx->saltlen = (uint32_t) buflen;
1320 return 1;
1321
1322 fail:
1323 OPENSSL_free(ctx->salt);
1324 ctx->salt = NULL;
1325 ctx->saltlen = 0U;
1326 return 0;
1327 }
1328
kdf_argon2_ctx_set_ad(KDF_ARGON2 * ctx,const OSSL_PARAM * p)1329 static int kdf_argon2_ctx_set_ad(KDF_ARGON2 *ctx, const OSSL_PARAM *p)
1330 {
1331 size_t buflen;
1332
1333 if (p->data == NULL)
1334 return 0;
1335
1336 if (ctx->ad != NULL) {
1337 OPENSSL_clear_free(ctx->ad, ctx->adlen);
1338 ctx->ad = NULL;
1339 ctx->adlen = 0U;
1340 }
1341
1342 if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->ad, 0, &buflen))
1343 return 0;
1344
1345 if (buflen > ARGON2_MAX_AD_LENGTH) {
1346 OPENSSL_free(ctx->ad);
1347 ctx->ad = NULL;
1348 ctx->adlen = 0U;
1349 return 0;
1350 }
1351
1352 ctx->adlen = (uint32_t) buflen;
1353 return 1;
1354 }
1355
kdf_argon2_ctx_set_flag_early_clean(KDF_ARGON2 * ctx,uint32_t f)1356 static void kdf_argon2_ctx_set_flag_early_clean(KDF_ARGON2 *ctx, uint32_t f)
1357 {
1358 ctx->early_clean = !!(f);
1359 }
1360
kdf_argon2_ctx_set_version(KDF_ARGON2 * ctx,uint32_t version)1361 static int kdf_argon2_ctx_set_version(KDF_ARGON2 *ctx, uint32_t version)
1362 {
1363 switch (version) {
1364 case ARGON2_VERSION_10:
1365 case ARGON2_VERSION_13:
1366 ctx->version = version;
1367 return 1;
1368 default:
1369 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MODE,
1370 "invalid Argon2 version");
1371 return 0;
1372 }
1373 }
1374
set_property_query(KDF_ARGON2 * ctx,const char * propq)1375 static int set_property_query(KDF_ARGON2 *ctx, const char *propq)
1376 {
1377 OPENSSL_free(ctx->propq);
1378 ctx->propq = NULL;
1379 if (propq != NULL) {
1380 ctx->propq = OPENSSL_strdup(propq);
1381 if (ctx->propq == NULL)
1382 return 0;
1383 }
1384 EVP_MD_free(ctx->md);
1385 ctx->md = NULL;
1386 EVP_MAC_free(ctx->mac);
1387 ctx->mac = NULL;
1388 return 1;
1389 }
1390
kdf_argon2_set_ctx_params(void * vctx,const OSSL_PARAM params[])1391 static int kdf_argon2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
1392 {
1393 const OSSL_PARAM *p;
1394 KDF_ARGON2 *ctx;
1395 uint32_t u32_value;
1396
1397 if (ossl_param_is_empty(params))
1398 return 1;
1399
1400 ctx = (KDF_ARGON2 *) vctx;
1401 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
1402 if (!kdf_argon2_ctx_set_pwd(ctx, p))
1403 return 0;
1404
1405 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL)
1406 if (!kdf_argon2_ctx_set_salt(ctx, p))
1407 return 0;
1408
1409 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL)
1410 if (!kdf_argon2_ctx_set_secret(ctx, p))
1411 return 0;
1412
1413 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ARGON2_AD)) != NULL)
1414 if (!kdf_argon2_ctx_set_ad(ctx, p))
1415 return 0;
1416
1417 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
1418 if (!OSSL_PARAM_get_uint32(p, &u32_value))
1419 return 0;
1420 if (!kdf_argon2_ctx_set_out_length(ctx, u32_value))
1421 return 0;
1422 }
1423
1424 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ITER)) != NULL) {
1425 if (!OSSL_PARAM_get_uint32(p, &u32_value))
1426 return 0;
1427 if (!kdf_argon2_ctx_set_t_cost(ctx, u32_value))
1428 return 0;
1429 }
1430
1431 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_THREADS)) != NULL) {
1432 if (!OSSL_PARAM_get_uint32(p, &u32_value))
1433 return 0;
1434 if (!kdf_argon2_ctx_set_threads(ctx, u32_value))
1435 return 0;
1436 }
1437
1438 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ARGON2_LANES)) != NULL) {
1439 if (!OSSL_PARAM_get_uint32(p, &u32_value))
1440 return 0;
1441 if (!kdf_argon2_ctx_set_lanes(ctx, u32_value))
1442 return 0;
1443 }
1444
1445 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ARGON2_MEMCOST)) != NULL) {
1446 if (!OSSL_PARAM_get_uint32(p, &u32_value))
1447 return 0;
1448 if (!kdf_argon2_ctx_set_m_cost(ctx, u32_value))
1449 return 0;
1450 }
1451
1452 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_EARLY_CLEAN)) != NULL) {
1453 if (!OSSL_PARAM_get_uint32(p, &u32_value))
1454 return 0;
1455 kdf_argon2_ctx_set_flag_early_clean(ctx, u32_value);
1456 }
1457
1458 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ARGON2_VERSION)) != NULL) {
1459 if (!OSSL_PARAM_get_uint32(p, &u32_value))
1460 return 0;
1461 if (!kdf_argon2_ctx_set_version(ctx, u32_value))
1462 return 0;
1463 }
1464
1465 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PROPERTIES)) != NULL) {
1466 if (p->data_type != OSSL_PARAM_UTF8_STRING
1467 || !set_property_query(ctx, p->data))
1468 return 0;
1469 }
1470
1471 return 1;
1472 }
1473
kdf_argon2_settable_ctx_params(ossl_unused void * ctx,ossl_unused void * p_ctx)1474 static const OSSL_PARAM *kdf_argon2_settable_ctx_params(ossl_unused void *ctx,
1475 ossl_unused void *p_ctx)
1476 {
1477 static const OSSL_PARAM known_settable_ctx_params[] = {
1478 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0),
1479 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),
1480 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0),
1481 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_ARGON2_AD, NULL, 0),
1482 OSSL_PARAM_uint32(OSSL_KDF_PARAM_SIZE, NULL),
1483 OSSL_PARAM_uint32(OSSL_KDF_PARAM_ITER, NULL),
1484 OSSL_PARAM_uint32(OSSL_KDF_PARAM_THREADS, NULL),
1485 OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_LANES, NULL),
1486 OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_MEMCOST, NULL),
1487 OSSL_PARAM_uint32(OSSL_KDF_PARAM_EARLY_CLEAN, NULL),
1488 OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_VERSION, NULL),
1489 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
1490 OSSL_PARAM_END
1491 };
1492
1493 return known_settable_ctx_params;
1494 }
1495
kdf_argon2_get_ctx_params(void * vctx,OSSL_PARAM params[])1496 static int kdf_argon2_get_ctx_params(void *vctx, OSSL_PARAM params[])
1497 {
1498 OSSL_PARAM *p;
1499
1500 (void) vctx;
1501 if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
1502 return OSSL_PARAM_set_size_t(p, SIZE_MAX);
1503
1504 return -2;
1505 }
1506
kdf_argon2_gettable_ctx_params(ossl_unused void * ctx,ossl_unused void * p_ctx)1507 static const OSSL_PARAM *kdf_argon2_gettable_ctx_params(ossl_unused void *ctx,
1508 ossl_unused void *p_ctx)
1509 {
1510 static const OSSL_PARAM known_gettable_ctx_params[] = {
1511 OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
1512 OSSL_PARAM_END
1513 };
1514
1515 return known_gettable_ctx_params;
1516 }
1517
1518 const OSSL_DISPATCH ossl_kdf_argon2i_functions[] = {
1519 { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_argon2i_new },
1520 { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_argon2_free },
1521 { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_argon2_reset },
1522 { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_argon2_derive },
1523 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
1524 (void(*)(void))kdf_argon2_settable_ctx_params },
1525 { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_argon2_set_ctx_params },
1526 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
1527 (void(*)(void))kdf_argon2_gettable_ctx_params },
1528 { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_argon2_get_ctx_params },
1529 OSSL_DISPATCH_END
1530 };
1531
1532 const OSSL_DISPATCH ossl_kdf_argon2d_functions[] = {
1533 { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_argon2d_new },
1534 { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_argon2_free },
1535 { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_argon2_reset },
1536 { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_argon2_derive },
1537 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
1538 (void(*)(void))kdf_argon2_settable_ctx_params },
1539 { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_argon2_set_ctx_params },
1540 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
1541 (void(*)(void))kdf_argon2_gettable_ctx_params },
1542 { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_argon2_get_ctx_params },
1543 OSSL_DISPATCH_END
1544 };
1545
1546 const OSSL_DISPATCH ossl_kdf_argon2id_functions[] = {
1547 { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_argon2id_new },
1548 { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_argon2_free },
1549 { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_argon2_reset },
1550 { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_argon2_derive },
1551 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
1552 (void(*)(void))kdf_argon2_settable_ctx_params },
1553 { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_argon2_set_ctx_params },
1554 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
1555 (void(*)(void))kdf_argon2_gettable_ctx_params },
1556 { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_argon2_get_ctx_params },
1557 OSSL_DISPATCH_END
1558 };
1559
1560 #endif
1561