xref: /openssl/providers/implementations/kdfs/argon2.c (revision 60725f85)

/*
 * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 *
 * RFC 9106 Argon2 (see https://www.rfc-editor.org/rfc/rfc9106.txt)
 *
 */

#include <stdlib.h>
#include <stddef.h>
#include <stdarg.h>
#include <string.h>
#include <openssl/e_os2.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/crypto.h>
#include <openssl/kdf.h>
#include <openssl/err.h>
#include <openssl/core_names.h>
#include <openssl/params.h>
#include <openssl/thread.h>
#include <openssl/proverr.h>
#include "internal/thread.h"
#include "internal/numbers.h"
#include "internal/endian.h"
#include "crypto/evp.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/blake2.h"

#if defined(OPENSSL_NO_DEFAULT_THREAD_POOL) && defined(OPENSSL_NO_THREAD_POOL)
# define ARGON2_NO_THREADS
#endif

#if !defined(OPENSSL_THREADS)
# define ARGON2_NO_THREADS
#endif

#ifndef OPENSSL_NO_ARGON2

# define ARGON2_MIN_LANES 1u
# define ARGON2_MAX_LANES 0xFFFFFFu
# define ARGON2_MIN_THREADS 1u
# define ARGON2_MAX_THREADS 0xFFFFFFu
# define ARGON2_SYNC_POINTS 4u
# define ARGON2_MIN_OUT_LENGTH 4u
# define ARGON2_MAX_OUT_LENGTH 0xFFFFFFFFu
# define ARGON2_MIN_MEMORY (2 * ARGON2_SYNC_POINTS)
# define ARGON2_MIN(a, b) ((a) < (b) ? (a) : (b))
# define ARGON2_MAX_MEMORY 0xFFFFFFFFu
# define ARGON2_MIN_TIME 1u
# define ARGON2_MAX_TIME 0xFFFFFFFFu
# define ARGON2_MIN_PWD_LENGTH 0u
# define ARGON2_MAX_PWD_LENGTH 0xFFFFFFFFu
# define ARGON2_MIN_AD_LENGTH 0u
# define ARGON2_MAX_AD_LENGTH 0xFFFFFFFFu
# define ARGON2_MIN_SALT_LENGTH 8u
# define ARGON2_MAX_SALT_LENGTH 0xFFFFFFFFu
# define ARGON2_MIN_SECRET 0u
# define ARGON2_MAX_SECRET 0xFFFFFFFFu
# define ARGON2_BLOCK_SIZE 1024
# define ARGON2_QWORDS_IN_BLOCK ((ARGON2_BLOCK_SIZE) / 8)
# define ARGON2_OWORDS_IN_BLOCK ((ARGON2_BLOCK_SIZE) / 16)
# define ARGON2_HWORDS_IN_BLOCK ((ARGON2_BLOCK_SIZE) / 32)
# define ARGON2_512BIT_WORDS_IN_BLOCK ((ARGON2_BLOCK_SIZE) / 64)
# define ARGON2_ADDRESSES_IN_BLOCK 128
# define ARGON2_PREHASH_DIGEST_LENGTH 64
# define ARGON2_PREHASH_SEED_LENGTH \
    (ARGON2_PREHASH_DIGEST_LENGTH + (2 * sizeof(uint32_t)))

# define ARGON2_DEFAULT_OUTLEN 64u
# define ARGON2_DEFAULT_T_COST 3u
# define ARGON2_DEFAULT_M_COST ARGON2_MIN_MEMORY
# define ARGON2_DEFAULT_LANES  1u
# define ARGON2_DEFAULT_THREADS 1u
# define ARGON2_DEFAULT_VERSION ARGON2_VERSION_NUMBER

# undef G
# define G(a, b, c, d)                                                        \
    do {                                                                      \
        a = a + b + 2 * mul_lower(a, b);                                      \
        d = rotr64(d ^ a, 32);                                                \
        c = c + d + 2 * mul_lower(c, d);                                      \
        b = rotr64(b ^ c, 24);                                                \
        a = a + b + 2 * mul_lower(a, b);                                      \
        d = rotr64(d ^ a, 16);                                                \
        c = c + d + 2 * mul_lower(c, d);                                      \
        b = rotr64(b ^ c, 63);                                                \
    } while ((void)0, 0)

# undef PERMUTATION_P
# define PERMUTATION_P(v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11,      \
                       v12, v13, v14, v15)                                    \
    do {                                                                      \
        G(v0, v4, v8, v12);                                                   \
        G(v1, v5, v9, v13);                                                   \
        G(v2, v6, v10, v14);                                                  \
        G(v3, v7, v11, v15);                                                  \
        G(v0, v5, v10, v15);                                                  \
        G(v1, v6, v11, v12);                                                  \
        G(v2, v7, v8, v13);                                                   \
        G(v3, v4, v9, v14);                                                   \
    } while ((void)0, 0)

# undef PERMUTATION_P_COLUMN
# define PERMUTATION_P_COLUMN(x, i)                                           \
    do {                                                                      \
        uint64_t *base = &x[16 * i];                                          \
        PERMUTATION_P(                                                        \
            *base,        *(base + 1),  *(base + 2),  *(base + 3),            \
            *(base + 4),  *(base + 5),  *(base + 6),  *(base + 7),            \
            *(base + 8),  *(base + 9),  *(base + 10), *(base + 11),           \
            *(base + 12), *(base + 13), *(base + 14), *(base + 15)            \
        );                                                                    \
    } while ((void)0, 0)

# undef PERMUTATION_P_ROW
# define PERMUTATION_P_ROW(x, i)                                              \
    do {                                                                      \
        uint64_t *base = &x[2 * i];                                           \
        PERMUTATION_P(                                                        \
            *base,        *(base + 1),  *(base + 16),  *(base + 17),          \
            *(base + 32), *(base + 33), *(base + 48),  *(base + 49),          \
            *(base + 64), *(base + 65), *(base + 80),  *(base + 81),          \
            *(base + 96), *(base + 97), *(base + 112), *(base + 113)          \
        );                                                                    \
    } while ((void)0, 0)

typedef struct {
    uint64_t v[ARGON2_QWORDS_IN_BLOCK];
} BLOCK;

typedef enum {
    ARGON2_VERSION_10 = 0x10,
    ARGON2_VERSION_13 = 0x13,
    ARGON2_VERSION_NUMBER = ARGON2_VERSION_13
} ARGON2_VERSION;

typedef enum {
    ARGON2_D  = 0,
    ARGON2_I  = 1,
    ARGON2_ID = 2
} ARGON2_TYPE;

typedef struct {
    uint32_t pass;
    uint32_t lane;
    uint8_t slice;
    uint32_t index;
} ARGON2_POS;

typedef struct {
    void *provctx;
    uint32_t outlen;
    uint8_t *pwd;
    uint32_t pwdlen;
    uint8_t *salt;
    uint32_t saltlen;
    uint8_t *secret;
    uint32_t secretlen;
    uint8_t *ad;
    uint32_t adlen;
    uint32_t t_cost;
    uint32_t m_cost;
    uint32_t lanes;
    uint32_t threads;
    uint32_t version;
    uint32_t early_clean;
    ARGON2_TYPE type;
    BLOCK *memory;
    uint32_t passes;
    uint32_t memory_blocks;
    uint32_t segment_length;
    uint32_t lane_length;
    OSSL_LIB_CTX *libctx;
    EVP_MD *md;
    EVP_MAC *mac;
    char *propq;
} KDF_ARGON2;

typedef struct {
    ARGON2_POS pos;
    KDF_ARGON2 *ctx;
} ARGON2_THREAD_DATA;

static OSSL_FUNC_kdf_newctx_fn kdf_argon2i_new;
static OSSL_FUNC_kdf_newctx_fn kdf_argon2d_new;
static OSSL_FUNC_kdf_newctx_fn kdf_argon2id_new;
static OSSL_FUNC_kdf_freectx_fn kdf_argon2_free;
static OSSL_FUNC_kdf_reset_fn kdf_argon2_reset;
static OSSL_FUNC_kdf_derive_fn kdf_argon2_derive;
static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_argon2_settable_ctx_params;
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_argon2_set_ctx_params;

static void kdf_argon2_init(KDF_ARGON2 *ctx, ARGON2_TYPE t);
static void *kdf_argon2d_new(void *provctx);
static void *kdf_argon2i_new(void *provctx);
static void *kdf_argon2id_new(void *provctx);
static void kdf_argon2_free(void *vctx);
static int kdf_argon2_derive(void *vctx, unsigned char *out, size_t outlen,
                             const OSSL_PARAM params[]);
static void kdf_argon2_reset(void *vctx);
static int kdf_argon2_ctx_set_threads(KDF_ARGON2 *ctx, uint32_t threads);
static int kdf_argon2_ctx_set_lanes(KDF_ARGON2 *ctx, uint32_t lanes);
static int kdf_argon2_ctx_set_t_cost(KDF_ARGON2 *ctx, uint32_t t_cost);
static int kdf_argon2_ctx_set_m_cost(KDF_ARGON2 *ctx, uint32_t m_cost);
static int kdf_argon2_ctx_set_out_length(KDF_ARGON2 *ctx, uint32_t outlen);
static int kdf_argon2_ctx_set_secret(KDF_ARGON2 *ctx, const OSSL_PARAM *p);
static int kdf_argon2_ctx_set_pwd(KDF_ARGON2 *ctx, const OSSL_PARAM *p);
static int kdf_argon2_ctx_set_salt(KDF_ARGON2 *ctx, const OSSL_PARAM *p);
static int kdf_argon2_ctx_set_ad(KDF_ARGON2 *ctx, const OSSL_PARAM *p);
static int kdf_argon2_set_ctx_params(void *vctx, const OSSL_PARAM params[]);
static int kdf_argon2_get_ctx_params(void *vctx, OSSL_PARAM params[]);
static int kdf_argon2_ctx_set_version(KDF_ARGON2 *ctx, uint32_t version);
static const OSSL_PARAM *kdf_argon2_settable_ctx_params(ossl_unused void *ctx,
                                                        ossl_unused void *p_ctx);
static const OSSL_PARAM *kdf_argon2_gettable_ctx_params(ossl_unused void *ctx,
                                                        ossl_unused void *p_ctx);

static ossl_inline uint64_t load64(const uint8_t *src);
static ossl_inline void store32(uint8_t *dst, uint32_t w);
static ossl_inline void store64(uint8_t *dst, uint64_t w);
static ossl_inline uint64_t rotr64(const uint64_t w, const unsigned int c);
static ossl_inline uint64_t mul_lower(uint64_t x, uint64_t y);

static void init_block_value(BLOCK *b, uint8_t in);
static void copy_block(BLOCK *dst, const BLOCK *src);
static void xor_block(BLOCK *dst, const BLOCK *src);
static void load_block(BLOCK *dst, const void *input);
static void store_block(void *output, const BLOCK *src);
static void fill_first_blocks(uint8_t *blockhash, const KDF_ARGON2 *ctx);
static void fill_block(const BLOCK *prev, const BLOCK *ref, BLOCK *next,
                       int with_xor);

static void next_addresses(BLOCK *address_block, BLOCK *input_block,
                           const BLOCK *zero_block);
static int data_indep_addressing(const KDF_ARGON2 *ctx, uint32_t pass,
                                 uint8_t slice);
static uint32_t index_alpha(const KDF_ARGON2 *ctx, uint32_t pass,
                            uint8_t slice, uint32_t index,
                            uint32_t pseudo_rand, int same_lane);

static void fill_segment(const KDF_ARGON2 *ctx, uint32_t pass, uint32_t lane,
                         uint8_t slice);

# if !defined(ARGON2_NO_THREADS)
static uint32_t fill_segment_thr(void *thread_data);
static int fill_mem_blocks_mt(KDF_ARGON2 *ctx);
# endif

static int fill_mem_blocks_st(KDF_ARGON2 *ctx);
static ossl_inline int fill_memory_blocks(KDF_ARGON2 *ctx);

static void initial_hash(uint8_t *blockhash, KDF_ARGON2 *ctx);
static int initialize(KDF_ARGON2 *ctx);
static void finalize(const KDF_ARGON2 *ctx, void *out);

static int blake2b(EVP_MD *md, EVP_MAC *mac, void *out, size_t outlen,
                   const void *in, size_t inlen, const void *key,
                   size_t keylen);
static int blake2b_long(EVP_MD *md, EVP_MAC *mac, unsigned char *out,
                        size_t outlen, const void *in, size_t inlen);

static ossl_inline uint64_t load64(const uint8_t *src)
{
    return
      (((uint64_t)src[0]) << 0)
    | (((uint64_t)src[1]) << 8)
    | (((uint64_t)src[2]) << 16)
    | (((uint64_t)src[3]) << 24)
    | (((uint64_t)src[4]) << 32)
    | (((uint64_t)src[5]) << 40)
    | (((uint64_t)src[6]) << 48)
    | (((uint64_t)src[7]) << 56);
}

static ossl_inline void store32(uint8_t *dst, uint32_t w)
{
    dst[0] = (uint8_t)(w >> 0);
    dst[1] = (uint8_t)(w >> 8);
    dst[2] = (uint8_t)(w >> 16);
    dst[3] = (uint8_t)(w >> 24);
}

static ossl_inline void store64(uint8_t *dst, uint64_t w)
{
    dst[0] = (uint8_t)(w >> 0);
    dst[1] = (uint8_t)(w >> 8);
    dst[2] = (uint8_t)(w >> 16);
    dst[3] = (uint8_t)(w >> 24);
    dst[4] = (uint8_t)(w >> 32);
    dst[5] = (uint8_t)(w >> 40);
    dst[6] = (uint8_t)(w >> 48);
    dst[7] = (uint8_t)(w >> 56);
}

static ossl_inline uint64_t rotr64(const uint64_t w, const unsigned int c)
{
    return (w >> c) | (w << (64 - c));
}

static ossl_inline uint64_t mul_lower(uint64_t x, uint64_t y)
{
    const uint64_t m = 0xFFFFFFFFUL;
    return (x & m) * (y & m);
}

static void init_block_value(BLOCK *b, uint8_t in)
{
    memset(b->v, in, sizeof(b->v));
}

static void copy_block(BLOCK *dst, const BLOCK *src)
{
    memcpy(dst->v, src->v, sizeof(uint64_t) * ARGON2_QWORDS_IN_BLOCK);
}

static void xor_block(BLOCK *dst, const BLOCK *src)
{
    int i;

    for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i)
        dst->v[i] ^= src->v[i];
}

static void load_block(BLOCK *dst, const void *input)
{
    unsigned i;

    for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i)
        dst->v[i] = load64((const uint8_t *)input + i * sizeof(dst->v[i]));
}

static void store_block(void *output, const BLOCK *src)
{
    unsigned i;

    for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i)
        store64((uint8_t *)output + i * sizeof(src->v[i]), src->v[i]);
}

static void fill_first_blocks(uint8_t *blockhash, const KDF_ARGON2 *ctx)
{
    uint32_t l;
    uint8_t blockhash_bytes[ARGON2_BLOCK_SIZE];

    /*
     * Make the first and second block in each lane as G(H0||0||i)
     * or G(H0||1||i).
     */
    for (l = 0; l < ctx->lanes; ++l) {
        store32(blockhash + ARGON2_PREHASH_DIGEST_LENGTH, 0);
        store32(blockhash + ARGON2_PREHASH_DIGEST_LENGTH + 4, l);
        blake2b_long(ctx->md, ctx->mac, blockhash_bytes, ARGON2_BLOCK_SIZE,
                     blockhash, ARGON2_PREHASH_SEED_LENGTH);
        load_block(&ctx->memory[l * ctx->lane_length + 0],
                   blockhash_bytes);
        store32(blockhash + ARGON2_PREHASH_DIGEST_LENGTH, 1);
        blake2b_long(ctx->md, ctx->mac, blockhash_bytes, ARGON2_BLOCK_SIZE,
                     blockhash, ARGON2_PREHASH_SEED_LENGTH);
        load_block(&ctx->memory[l * ctx->lane_length + 1],
                   blockhash_bytes);
    }
    OPENSSL_cleanse(blockhash_bytes, ARGON2_BLOCK_SIZE);
}

static void fill_block(const BLOCK *prev, const BLOCK *ref,
                       BLOCK *next, int with_xor)
{
    BLOCK blockR, tmp;
    unsigned i;

    copy_block(&blockR, ref);
    xor_block(&blockR, prev);
    copy_block(&tmp, &blockR);

    if (with_xor)
        xor_block(&tmp, next);

    for (i = 0; i < 8; ++i)
        PERMUTATION_P_COLUMN(blockR.v, i);

    for (i = 0; i < 8; ++i)
        PERMUTATION_P_ROW(blockR.v, i);

    copy_block(next, &tmp);
    xor_block(next, &blockR);
}

static void next_addresses(BLOCK *address_block, BLOCK *input_block,
                           const BLOCK *zero_block)
{
    input_block->v[6]++;
    fill_block(zero_block, input_block, address_block, 0);
    fill_block(zero_block, address_block, address_block, 0);
}

static int data_indep_addressing(const KDF_ARGON2 *ctx, uint32_t pass,
                                 uint8_t slice)
{
    switch (ctx->type) {
    case ARGON2_I:
        return 1;
    case ARGON2_ID:
        return (pass == 0) && (slice < ARGON2_SYNC_POINTS / 2);
    case ARGON2_D:
    default:
        return 0;
    }
}

/*
 * Pass 0 (pass = 0):
 * This lane: all already finished segments plus already constructed blocks
 *            in this segment
 * Other lanes: all already finished segments
 *
 * Pass 1+:
 * This lane: (SYNC_POINTS - 1) last segments plus already constructed
 *            blocks in this segment
 * Other lanes: (SYNC_POINTS - 1) last segments
 */
static uint32_t index_alpha(const KDF_ARGON2 *ctx, uint32_t pass,
                            uint8_t slice, uint32_t index,
                            uint32_t pseudo_rand, int same_lane)
{
    uint32_t ref_area_sz;
    uint64_t rel_pos;
    uint32_t start_pos, abs_pos;

    start_pos = 0;
    switch (pass) {
    case 0:
        if (slice == 0)
            ref_area_sz = index - 1;
        else if (same_lane)
            ref_area_sz = slice * ctx->segment_length + index - 1;
        else
            ref_area_sz = slice * ctx->segment_length +
                ((index == 0) ? (-1) : 0);
        break;
    default:
        if (same_lane)
            ref_area_sz = ctx->lane_length - ctx->segment_length + index - 1;
        else
            ref_area_sz = ctx->lane_length - ctx->segment_length +
                ((index == 0) ? (-1) : 0);
        if (slice != ARGON2_SYNC_POINTS - 1)
            start_pos = (slice + 1) * ctx->segment_length;
        break;
    }

    rel_pos = pseudo_rand;
    rel_pos = rel_pos * rel_pos >> 32;
    rel_pos = ref_area_sz - 1 - (ref_area_sz * rel_pos >> 32);
    abs_pos = (start_pos + rel_pos) % ctx->lane_length;

    return abs_pos;
}

static void fill_segment(const KDF_ARGON2 *ctx, uint32_t pass, uint32_t lane,
                         uint8_t slice)
{
    BLOCK *ref_block = NULL, *curr_block = NULL;
    BLOCK address_block, input_block, zero_block;
    uint64_t rnd, ref_index, ref_lane;
    uint32_t prev_offset;
    uint32_t start_idx;
    uint32_t j;
    uint32_t curr_offset; /* Offset of the current block */

    memset(&input_block, 0, sizeof(BLOCK));

    if (ctx == NULL)
        return;

    if (data_indep_addressing(ctx, pass, slice)) {
        init_block_value(&zero_block, 0);
        init_block_value(&input_block, 0);

        input_block.v[0] = pass;
        input_block.v[1] = lane;
        input_block.v[2] = slice;
        input_block.v[3] = ctx->memory_blocks;
        input_block.v[4] = ctx->passes;
        input_block.v[5] = ctx->type;
    }

    start_idx = 0;

    /* We've generated the first two blocks. Generate the 1st block of addrs. */
    if ((pass == 0) && (slice == 0)) {
        start_idx = 2;
        if (data_indep_addressing(ctx, pass, slice))
            next_addresses(&address_block, &input_block, &zero_block);
    }

    curr_offset = lane * ctx->lane_length + slice * ctx->segment_length
        + start_idx;

    if ((curr_offset % ctx->lane_length) == 0)
        prev_offset = curr_offset + ctx->lane_length - 1;
    else
        prev_offset = curr_offset - 1;

    for (j = start_idx; j < ctx->segment_length; ++j, ++curr_offset, ++prev_offset) {
        if (curr_offset % ctx->lane_length == 1)
            prev_offset = curr_offset - 1;

        /* Taking pseudo-random value from the previous block. */
        if (data_indep_addressing(ctx, pass, slice)) {
            if (j % ARGON2_ADDRESSES_IN_BLOCK == 0)
                next_addresses(&address_block, &input_block, &zero_block);
            rnd = address_block.v[j % ARGON2_ADDRESSES_IN_BLOCK];
        } else {
            rnd = ctx->memory[prev_offset].v[0];
        }

        /* Computing the lane of the reference block */
        ref_lane = ((rnd >> 32)) % ctx->lanes;
        /* Can not reference other lanes yet */
        if ((pass == 0) && (slice == 0))
            ref_lane = lane;

        /* Computing the number of possible reference block within the lane. */
        ref_index = index_alpha(ctx, pass, slice, j, rnd & 0xFFFFFFFF,
                                ref_lane == lane);

        /* Creating a new block */
        ref_block = ctx->memory + ctx->lane_length * ref_lane + ref_index;
        curr_block = ctx->memory + curr_offset;
        if (ARGON2_VERSION_10 == ctx->version) {
            /* Version 1.2.1 and earlier: overwrite, not XOR */
            fill_block(ctx->memory + prev_offset, ref_block, curr_block, 0);
            continue;
        }

        fill_block(ctx->memory + prev_offset, ref_block, curr_block,
                   pass == 0 ? 0 : 1);
    }
}

# if !defined(ARGON2_NO_THREADS)

static uint32_t fill_segment_thr(void *thread_data)
{
    ARGON2_THREAD_DATA *my_data;

    my_data = (ARGON2_THREAD_DATA *) thread_data;
    fill_segment(my_data->ctx, my_data->pos.pass, my_data->pos.lane,
                 my_data->pos.slice);

    return 0;
}

static int fill_mem_blocks_mt(KDF_ARGON2 *ctx)
{
    uint32_t r, s, l, ll;
    void **t;
    ARGON2_THREAD_DATA *t_data;

    t = OPENSSL_zalloc(sizeof(void *)*ctx->lanes);
    t_data = OPENSSL_zalloc(ctx->lanes * sizeof(ARGON2_THREAD_DATA));

    if (t == NULL || t_data == NULL)
        goto fail;

    for (r = 0; r < ctx->passes; ++r) {
        for (s = 0; s < ARGON2_SYNC_POINTS; ++s) {
            for (l = 0; l < ctx->lanes; ++l) {
                ARGON2_POS p;
                if (l >= ctx->threads) {
                    if (ossl_crypto_thread_join(t[l - ctx->threads], NULL) == 0)
                        goto fail;
                    if (ossl_crypto_thread_clean(t[l - ctx->threads]) == 0)
                        goto fail;
                    t[l] = NULL;
                }

                p.pass = r;
                p.lane = l;
                p.slice = (uint8_t)s;
                p.index = 0;

                t_data[l].ctx = ctx;
                memcpy(&(t_data[l].pos), &p, sizeof(ARGON2_POS));
                t[l] = ossl_crypto_thread_start(ctx->libctx, &fill_segment_thr,
                                                (void *) &t_data[l]);
                if (t[l] == NULL) {
                    for (ll = 0; ll < l; ++ll) {
                        if (ossl_crypto_thread_join(t[ll], NULL) == 0)
                            goto fail;
                        if (ossl_crypto_thread_clean(t[ll]) == 0)
                            goto fail;
                        t[ll] = NULL;
                    }
                    goto fail;
                }
            }
            for (l = ctx->lanes - ctx->threads; l < ctx->lanes; ++l) {
                if (ossl_crypto_thread_join(t[l], NULL) == 0)
                    goto fail;
                if (ossl_crypto_thread_clean(t[l]) == 0)
                    goto fail;
                t[l] = NULL;
            }
        }
    }

    OPENSSL_free(t_data);
    OPENSSL_free(t);

    return 1;

fail:
    if (t_data != NULL)
        OPENSSL_free(t_data);
    if (t != NULL)
        OPENSSL_free(t);
    return 0;
}

# endif /* !defined(ARGON2_NO_THREADS) */

static int fill_mem_blocks_st(KDF_ARGON2 *ctx)
{
    uint32_t r, s, l;

    for (r = 0; r < ctx->passes; ++r)
        for (s = 0; s < ARGON2_SYNC_POINTS; ++s)
            for (l = 0; l < ctx->lanes; ++l)
                fill_segment(ctx, r, l, s);
    return 1;
}

static ossl_inline int fill_memory_blocks(KDF_ARGON2 *ctx)
{
# if !defined(ARGON2_NO_THREADS)
    return ctx->threads == 1 ? fill_mem_blocks_st(ctx) : fill_mem_blocks_mt(ctx);
# else
    return ctx->threads == 1 ? fill_mem_blocks_st(ctx) : 0;
# endif
}

static void initial_hash(uint8_t *blockhash, KDF_ARGON2 *ctx)
{
    EVP_MD_CTX *mdctx;
    uint8_t value[sizeof(uint32_t)];
    unsigned int tmp;
    uint32_t args[7];

    if (ctx == NULL || blockhash == NULL)
        return;

    args[0] = ctx->lanes;
    args[1] = ctx->outlen;
    args[2] = ctx->m_cost;
    args[3] = ctx->t_cost;
    args[4] = ctx->version;
    args[5] = (uint32_t) ctx->type;
    args[6] = ctx->pwdlen;

    mdctx = EVP_MD_CTX_create();
    if (mdctx == NULL || EVP_DigestInit_ex(mdctx, ctx->md, NULL) != 1)
        goto fail;

    for (tmp = 0; tmp < sizeof(args) / sizeof(uint32_t); ++tmp) {
        store32((uint8_t *) &value, args[tmp]);
        if (EVP_DigestUpdate(mdctx, &value, sizeof(value)) != 1)
            goto fail;
    }

    if (ctx->pwd != NULL) {
        if (EVP_DigestUpdate(mdctx, ctx->pwd, ctx->pwdlen) != 1)
            goto fail;
        if (ctx->early_clean) {
            OPENSSL_cleanse(ctx->pwd, ctx->pwdlen);
            ctx->pwdlen = 0;
        }
    }

    store32((uint8_t *) &value, ctx->saltlen);

    if (EVP_DigestUpdate(mdctx, &value, sizeof(value)) != 1)
        goto fail;

    if (ctx->salt != NULL)
        if (EVP_DigestUpdate(mdctx, ctx->salt, ctx->saltlen) != 1)
            goto fail;

    store32((uint8_t *) &value, ctx->secretlen);
    if (EVP_DigestUpdate(mdctx, &value, sizeof(value)) != 1)
        goto fail;

    if (ctx->secret != NULL) {
        if (EVP_DigestUpdate(mdctx, ctx->secret, ctx->secretlen) != 1)
            goto fail;
        if (ctx->early_clean) {
            OPENSSL_cleanse(ctx->secret, ctx->secretlen);
            ctx->secretlen = 0;
        }
    }

    store32((uint8_t *) &value, ctx->adlen);
    if (EVP_DigestUpdate(mdctx, &value, sizeof(value)) != 1)
        goto fail;

    if (ctx->ad != NULL)
        if (EVP_DigestUpdate(mdctx, ctx->ad, ctx->adlen) != 1)
            goto fail;

    tmp = ARGON2_PREHASH_DIGEST_LENGTH;
    if (EVP_DigestFinal_ex(mdctx, blockhash, &tmp) != 1)
        goto fail;

fail:
    EVP_MD_CTX_destroy(mdctx);
}

static int initialize(KDF_ARGON2 *ctx)
{
    uint8_t blockhash[ARGON2_PREHASH_SEED_LENGTH];

    if (ctx == NULL)
        return 0;

    if (ctx->memory_blocks * sizeof(BLOCK) / sizeof(BLOCK) != ctx->memory_blocks)
        return 0;

    if (ctx->type != ARGON2_D)
        ctx->memory = OPENSSL_secure_zalloc(ctx->memory_blocks *
                                            sizeof(BLOCK));
    else
        ctx->memory = OPENSSL_zalloc(ctx->memory_blocks *
                                     sizeof(BLOCK));

    if (ctx->memory == NULL) {
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MEMORY_SIZE,
                       "cannot allocate required memory");
        return 0;
    }

    initial_hash(blockhash, ctx);
    OPENSSL_cleanse(blockhash + ARGON2_PREHASH_DIGEST_LENGTH,
                    ARGON2_PREHASH_SEED_LENGTH - ARGON2_PREHASH_DIGEST_LENGTH);
    fill_first_blocks(blockhash, ctx);
    OPENSSL_cleanse(blockhash, ARGON2_PREHASH_SEED_LENGTH);

    return 1;
}

static void finalize(const KDF_ARGON2 *ctx, void *out)
{
    BLOCK blockhash;
    uint8_t blockhash_bytes[ARGON2_BLOCK_SIZE];
    uint32_t last_block_in_lane;
    uint32_t l;

    if (ctx == NULL)
        return;

    copy_block(&blockhash, ctx->memory + ctx->lane_length - 1);

    /* XOR the last blocks */
    for (l = 1; l < ctx->lanes; ++l) {
        last_block_in_lane = l * ctx->lane_length + (ctx->lane_length - 1);
        xor_block(&blockhash, ctx->memory + last_block_in_lane);
    }

    /* Hash the result */
    store_block(blockhash_bytes, &blockhash);
    blake2b_long(ctx->md, ctx->mac, out, ctx->outlen, blockhash_bytes,
                 ARGON2_BLOCK_SIZE);
    OPENSSL_cleanse(blockhash.v, ARGON2_BLOCK_SIZE);
    OPENSSL_cleanse(blockhash_bytes, ARGON2_BLOCK_SIZE);

    if (ctx->type != ARGON2_D)
        OPENSSL_secure_clear_free(ctx->memory,
                                  ctx->memory_blocks * sizeof(BLOCK));
    else
        OPENSSL_clear_free(ctx->memory,
                           ctx->memory_blocks * sizeof(BLOCK));
}

static int blake2b_mac(EVP_MAC *mac, void *out, size_t outlen, const void *in,
                       size_t inlen, const void *key, size_t keylen)
{
    int ret = 0;
    size_t par_n = 0, out_written;
    EVP_MAC_CTX *ctx = NULL;
    OSSL_PARAM par[3];

    if ((ctx = EVP_MAC_CTX_new(mac)) == NULL)
        goto fail;

    par[par_n++] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
                                                     (void *) key, keylen);
    par[par_n++] = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE, &outlen);
    par[par_n++] = OSSL_PARAM_construct_end();

    ret = EVP_MAC_CTX_set_params(ctx, par) == 1
        && EVP_MAC_init(ctx, NULL, 0, NULL) == 1
        && EVP_MAC_update(ctx, in, inlen) == 1
        && EVP_MAC_final(ctx, out, (size_t *) &out_written, outlen) == 1;

fail:
    EVP_MAC_CTX_free(ctx);
    return ret;
}

static int blake2b_md(EVP_MD *md, void *out, size_t outlen, const void *in,
                      size_t inlen)
{
    int ret = 0;
    EVP_MD_CTX *ctx = NULL;
    OSSL_PARAM par[2];

    if ((ctx = EVP_MD_CTX_create()) == NULL)
        return 0;

    par[0] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_SIZE, &outlen);
    par[1] = OSSL_PARAM_construct_end();

    ret = EVP_DigestInit_ex2(ctx, md, par) == 1
        && EVP_DigestUpdate(ctx, in, inlen) == 1
        && EVP_DigestFinal_ex(ctx, out, NULL) == 1;

    EVP_MD_CTX_free(ctx);
    return ret;
}

static int blake2b(EVP_MD *md, EVP_MAC *mac, void *out, size_t outlen,
                   const void *in, size_t inlen, const void *key, size_t keylen)
{
    if (out == NULL || outlen == 0)
        return 0;

    if (key == NULL || keylen == 0)
        return blake2b_md(md, out, outlen, in, inlen);

    return blake2b_mac(mac, out, outlen, in, inlen, key, keylen);
}

static int blake2b_long(EVP_MD *md, EVP_MAC *mac, unsigned char *out,
                        size_t outlen, const void *in, size_t inlen)
{
    int ret = 0;
    EVP_MD_CTX *ctx = NULL;
    uint32_t outlen_curr;
    uint8_t outbuf[BLAKE2B_OUTBYTES];
    uint8_t inbuf[BLAKE2B_OUTBYTES];
    uint8_t outlen_bytes[sizeof(uint32_t)] = {0};
    OSSL_PARAM par[2];
    size_t outlen_md;

    if (out == NULL || outlen == 0)
        return 0;

    /* Ensure little-endian byte order */
    store32(outlen_bytes, (uint32_t)outlen);

    if ((ctx = EVP_MD_CTX_create()) == NULL)
        return 0;

    outlen_md = (outlen <= BLAKE2B_OUTBYTES) ? outlen : BLAKE2B_OUTBYTES;
    par[0] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_SIZE, &outlen_md);
    par[1] = OSSL_PARAM_construct_end();

    ret = EVP_DigestInit_ex2(ctx, md, par) == 1
        && EVP_DigestUpdate(ctx, outlen_bytes, sizeof(outlen_bytes)) == 1
        && EVP_DigestUpdate(ctx, in, inlen) == 1
        && EVP_DigestFinal_ex(ctx, (outlen > BLAKE2B_OUTBYTES) ? outbuf : out,
                              NULL) == 1;

    if (ret == 0)
        goto fail;

    if (outlen > BLAKE2B_OUTBYTES) {
        memcpy(out, outbuf, BLAKE2B_OUTBYTES / 2);
        out += BLAKE2B_OUTBYTES / 2;
        outlen_curr = (uint32_t) outlen - BLAKE2B_OUTBYTES / 2;

        while (outlen_curr > BLAKE2B_OUTBYTES) {
            memcpy(inbuf, outbuf, BLAKE2B_OUTBYTES);
            if (blake2b(md, mac, outbuf, BLAKE2B_OUTBYTES, inbuf,
                        BLAKE2B_OUTBYTES, NULL, 0) != 1)
                goto fail;
            memcpy(out, outbuf, BLAKE2B_OUTBYTES / 2);
            out += BLAKE2B_OUTBYTES / 2;
            outlen_curr -= BLAKE2B_OUTBYTES / 2;
        }

        memcpy(inbuf, outbuf, BLAKE2B_OUTBYTES);
        if (blake2b(md, mac, outbuf, outlen_curr, inbuf, BLAKE2B_OUTBYTES,
                    NULL, 0) != 1)
            goto fail;
        memcpy(out, outbuf, outlen_curr);
    }
    ret = 1;

fail:
    EVP_MD_CTX_free(ctx);
    return ret;
}

static void kdf_argon2_init(KDF_ARGON2 *c, ARGON2_TYPE type)
{
    OSSL_LIB_CTX *libctx;

    libctx = c->libctx;
    memset(c, 0, sizeof(*c));

    c->libctx = libctx;
    c->outlen = ARGON2_DEFAULT_OUTLEN;
    c->t_cost = ARGON2_DEFAULT_T_COST;
    c->m_cost = ARGON2_DEFAULT_M_COST;
    c->lanes = ARGON2_DEFAULT_LANES;
    c->threads = ARGON2_DEFAULT_THREADS;
    c->version = ARGON2_DEFAULT_VERSION;
    c->type = type;
}

static void *kdf_argon2d_new(void *provctx)
{
    KDF_ARGON2 *ctx;

    if (!ossl_prov_is_running())
        return NULL;

    ctx = OPENSSL_zalloc(sizeof(*ctx));
    if (ctx == NULL) {
        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
        return NULL;
    }

    ctx->libctx = PROV_LIBCTX_OF(provctx);

    kdf_argon2_init(ctx, ARGON2_D);
    return ctx;
}

static void *kdf_argon2i_new(void *provctx)
{
    KDF_ARGON2 *ctx;

    if (!ossl_prov_is_running())
        return NULL;

    ctx = OPENSSL_zalloc(sizeof(*ctx));
    if (ctx == NULL) {
        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
        return NULL;
    }

    ctx->libctx = PROV_LIBCTX_OF(provctx);

    kdf_argon2_init(ctx, ARGON2_I);
    return ctx;
}

static void *kdf_argon2id_new(void *provctx)
{
    KDF_ARGON2 *ctx;

    if (!ossl_prov_is_running())
        return NULL;

    ctx = OPENSSL_zalloc(sizeof(*ctx));
    if (ctx == NULL) {
        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
        return NULL;
    }

    ctx->libctx = PROV_LIBCTX_OF(provctx);

    kdf_argon2_init(ctx, ARGON2_ID);
    return ctx;
}

static void kdf_argon2_free(void *vctx)
{
    KDF_ARGON2 *ctx = (KDF_ARGON2 *)vctx;

    if (ctx == NULL)
        return;

    if (ctx->pwd != NULL)
        OPENSSL_clear_free(ctx->pwd, ctx->pwdlen);

    if (ctx->salt != NULL)
        OPENSSL_clear_free(ctx->salt, ctx->saltlen);

    if (ctx->secret != NULL)
        OPENSSL_clear_free(ctx->secret, ctx->secretlen);

    if (ctx->ad != NULL)
        OPENSSL_clear_free(ctx->ad, ctx->adlen);

    EVP_MD_free(ctx->md);
    EVP_MAC_free(ctx->mac);

    OPENSSL_free(ctx->propq);

    memset(ctx, 0, sizeof(*ctx));

    OPENSSL_free(ctx);
}

static int kdf_argon2_derive(void *vctx, unsigned char *out, size_t outlen,
                             const OSSL_PARAM params[])
{
    KDF_ARGON2 *ctx;
    uint32_t memory_blocks, segment_length;

    ctx = (KDF_ARGON2 *)vctx;

    if (!ossl_prov_is_running() || !kdf_argon2_set_ctx_params(vctx, params))
        return 0;

    if (ctx->mac == NULL)
        ctx->mac = EVP_MAC_fetch(ctx->libctx, "blake2bmac", ctx->propq);
    if (ctx->mac == NULL) {
        ERR_raise_data(ERR_LIB_PROV, PROV_R_MISSING_MAC,
                       "cannot fetch blake2bmac");
        return 0;
    }

    if (ctx->md == NULL)
        ctx->md = EVP_MD_fetch(ctx->libctx, "blake2b512", ctx->propq);
    if (ctx->md == NULL) {
        ERR_raise_data(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST,
                       "cannot fetch blake2b512");
        return 0;
    }

    if (ctx->salt == NULL || ctx->saltlen == 0) {
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT);
        return 0;
    }

    if (outlen != ctx->outlen) {
        if (OSSL_PARAM_locate((OSSL_PARAM *)params, "size") != NULL) {
            ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
            return 0;
        }
        if (!kdf_argon2_ctx_set_out_length(ctx, (uint32_t) outlen))
            return 0;
    }

    switch (ctx->type) {
    case ARGON2_D:
    case ARGON2_I:
    case ARGON2_ID:
        break;
    default:
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MODE, "invalid Argon2 type");
        return 0;
    }

    if (ctx->threads > 1) {
# ifdef ARGON2_NO_THREADS
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,
                       "requested %u threads, single-threaded mode supported only",
                       ctx->threads);
        return 0;
# else
        if (ctx->threads > ossl_get_avail_threads(ctx->libctx)) {
            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,
                           "requested %u threads, available: %u",
                           ctx->threads, ossl_get_avail_threads(ctx->libctx));
            return 0;
        }
# endif
        if (ctx->threads > ctx->lanes) {
            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,
                           "requested more threads (%u) than lanes (%u)",
                           ctx->threads, ctx->lanes);
            return 0;
        }
    }

    if (ctx->m_cost < 8 * ctx->lanes) {
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MEMORY_SIZE,
                       "m_cost must be greater or equal than 8 times the number of lanes");
        return 0;
    }

    memory_blocks = ctx->m_cost;
    if (memory_blocks < 2 * ARGON2_SYNC_POINTS * ctx->lanes)
        memory_blocks = 2 * ARGON2_SYNC_POINTS * ctx->lanes;

    /* Ensure that all segments have equal length */
    segment_length = memory_blocks / (ctx->lanes * ARGON2_SYNC_POINTS);
    memory_blocks = segment_length * (ctx->lanes * ARGON2_SYNC_POINTS);

    ctx->memory = NULL;
    ctx->memory_blocks = memory_blocks;
    ctx->segment_length = segment_length;
    ctx->passes = ctx->t_cost;
    ctx->lane_length = segment_length * ARGON2_SYNC_POINTS;

    if (initialize(ctx) != 1)
        return 0;

    if (fill_memory_blocks(ctx) != 1)
        return 0;

    finalize(ctx, out);

    return 1;
}

static void kdf_argon2_reset(void *vctx)
{
    OSSL_LIB_CTX *libctx;
    KDF_ARGON2 *ctx;
    ARGON2_TYPE type;

    ctx = (KDF_ARGON2 *) vctx;
    type = ctx->type;
    libctx = ctx->libctx;

    EVP_MD_free(ctx->md);
    EVP_MAC_free(ctx->mac);

    OPENSSL_free(ctx->propq);

    if (ctx->pwd != NULL)
        OPENSSL_clear_free(ctx->pwd, ctx->pwdlen);

    if (ctx->salt != NULL)
        OPENSSL_clear_free(ctx->salt, ctx->saltlen);

    if (ctx->secret != NULL)
        OPENSSL_clear_free(ctx->secret, ctx->secretlen);

    if (ctx->ad != NULL)
        OPENSSL_clear_free(ctx->ad, ctx->adlen);

    memset(ctx, 0, sizeof(*ctx));
    ctx->libctx = libctx;
    kdf_argon2_init(ctx, type);
}

static int kdf_argon2_ctx_set_threads(KDF_ARGON2 *ctx, uint32_t threads)
{
    if (threads < ARGON2_MIN_THREADS) {
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,
                       "min threads: %u", ARGON2_MIN_THREADS);
        return 0;
    }

    if (threads > ARGON2_MAX_THREADS) {
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,
                       "max threads: %u", ARGON2_MAX_THREADS);
        return 0;
    }

    ctx->threads = threads;
    return 1;
}

static int kdf_argon2_ctx_set_lanes(KDF_ARGON2 *ctx, uint32_t lanes)
{
    if (lanes > ARGON2_MAX_LANES) {
        ERR_raise_data(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER,
                       "max lanes: %u", ARGON2_MAX_LANES);
        return 0;
    }

    if (lanes < ARGON2_MIN_LANES) {
        ERR_raise_data(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER,
                       "min lanes: %u", ARGON2_MIN_LANES);
        return 0;
    }

    ctx->lanes = lanes;
    return 1;
}

static int kdf_argon2_ctx_set_t_cost(KDF_ARGON2 *ctx, uint32_t t_cost)
{
    /* ARGON2_MAX_MEMORY == max m_cost value, so skip check  */

    if (t_cost < ARGON2_MIN_TIME) {
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_ITERATION_COUNT,
                       "min: %u", ARGON2_MIN_TIME);
        return 0;
    }

    ctx->t_cost = t_cost;
    return 1;
}

static int kdf_argon2_ctx_set_m_cost(KDF_ARGON2 *ctx, uint32_t m_cost)
{
    /* ARGON2_MAX_MEMORY == max m_cost value, so skip check */

    if (m_cost < ARGON2_MIN_MEMORY) {
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MEMORY_SIZE, "min: %u",
                       ARGON2_MIN_MEMORY);
        return 0;
    }

    ctx->m_cost = m_cost;
    return 1;
}

static int kdf_argon2_ctx_set_out_length(KDF_ARGON2 *ctx, uint32_t outlen)
{
    /*
     * ARGON2_MAX_OUT_LENGTH == max outlen value, so upper bounds checks
     * are always satisfied; to suppress compiler if statement tautology
     * warnings, these checks are skipped.
     */

    if (outlen < ARGON2_MIN_OUT_LENGTH) {
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH, "min: %u",
                       ARGON2_MIN_OUT_LENGTH);
        return 0;
    }

    ctx->outlen = outlen;
    return 1;
}

static int kdf_argon2_ctx_set_secret(KDF_ARGON2 *ctx, const OSSL_PARAM *p)
{
    size_t buflen;

    if (p->data == NULL)
        return 0;

    if (ctx->secret != NULL) {
        OPENSSL_clear_free(ctx->secret, ctx->secretlen);
        ctx->secret = NULL;
        ctx->secretlen = 0U;
    }

    if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->secret, 0, &buflen))
        return 0;

    if (buflen > ARGON2_MAX_SECRET) {
        OPENSSL_free(ctx->secret);
        ctx->secret = NULL;
        ctx->secretlen = 0U;
        return 0;
    }

    ctx->secretlen = (uint32_t) buflen;
    return 1;
}

static int kdf_argon2_ctx_set_pwd(KDF_ARGON2 *ctx, const OSSL_PARAM *p)
{
    size_t buflen;

    if (p->data == NULL)
        return 0;

    if (ctx->pwd != NULL) {
        OPENSSL_clear_free(ctx->pwd, ctx->pwdlen);
        ctx->pwd = NULL;
        ctx->pwdlen = 0U;
    }

    if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->pwd, 0, &buflen))
        return 0;

    if (buflen > ARGON2_MAX_PWD_LENGTH) {
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, "max: %u",
                       ARGON2_MAX_PWD_LENGTH);
        goto fail;
    }

    ctx->pwdlen = (uint32_t) buflen;
    return 1;

fail:
    OPENSSL_free(ctx->pwd);
    ctx->pwd = NULL;
    ctx->pwdlen = 0U;
    return 0;
}

static int kdf_argon2_ctx_set_salt(KDF_ARGON2 *ctx, const OSSL_PARAM *p)
{
    size_t buflen;

    if (p->data == NULL)
        return 0;

    if (ctx->salt != NULL) {
        OPENSSL_clear_free(ctx->salt, ctx->saltlen);
        ctx->salt = NULL;
        ctx->saltlen = 0U;
    }

    if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->salt, 0, &buflen))
        return 0;

    if (buflen < ARGON2_MIN_SALT_LENGTH) {
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, "min: %u",
                       ARGON2_MIN_SALT_LENGTH);
        goto fail;
    }

    if (buflen > ARGON2_MAX_SALT_LENGTH) {
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, "max: %u",
                       ARGON2_MAX_SALT_LENGTH);
        goto fail;
    }

    ctx->saltlen = (uint32_t) buflen;
    return 1;

fail:
    OPENSSL_free(ctx->salt);
    ctx->salt = NULL;
    ctx->saltlen = 0U;
    return 0;
}

static int kdf_argon2_ctx_set_ad(KDF_ARGON2 *ctx, const OSSL_PARAM *p)
{
    size_t buflen;

    if (p->data == NULL)
        return 0;

    if (ctx->ad != NULL) {
        OPENSSL_clear_free(ctx->ad, ctx->adlen);
        ctx->ad = NULL;
        ctx->adlen = 0U;
    }

    if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->ad, 0, &buflen))
        return 0;

    if (buflen > ARGON2_MAX_AD_LENGTH) {
        OPENSSL_free(ctx->ad);
        ctx->ad = NULL;
        ctx->adlen = 0U;
        return 0;
    }

    ctx->adlen = (uint32_t) buflen;
    return 1;
}

static void kdf_argon2_ctx_set_flag_early_clean(KDF_ARGON2 *ctx, uint32_t f)
{
    ctx->early_clean = !!(f);
}

static int kdf_argon2_ctx_set_version(KDF_ARGON2 *ctx, uint32_t version)
{
    switch (version) {
    case ARGON2_VERSION_10:
    case ARGON2_VERSION_13:
        ctx->version = version;
        return 1;
    default:
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MODE,
                       "invalid Argon2 version");
        return 0;
    }
}

static int set_property_query(KDF_ARGON2 *ctx, const char *propq)
{
    OPENSSL_free(ctx->propq);
    ctx->propq = NULL;
    if (propq != NULL) {
        ctx->propq = OPENSSL_strdup(propq);
        if (ctx->propq == NULL)
            return 0;
    }
    EVP_MD_free(ctx->md);
    ctx->md = NULL;
    EVP_MAC_free(ctx->mac);
    ctx->mac = NULL;
    return 1;
}

static int kdf_argon2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{
    const OSSL_PARAM *p;
    KDF_ARGON2 *ctx;
    uint32_t u32_value;

    if (params == NULL)
        return 1;

    ctx = (KDF_ARGON2 *) vctx;
    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
        if (!kdf_argon2_ctx_set_pwd(ctx, p))
            return 0;

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL)
        if (!kdf_argon2_ctx_set_salt(ctx, p))
            return 0;

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL)
        if (!kdf_argon2_ctx_set_secret(ctx, p))
            return 0;

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ARGON2_AD)) != NULL)
        if (!kdf_argon2_ctx_set_ad(ctx, p))
            return 0;

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
        if (!OSSL_PARAM_get_uint32(p, &u32_value))
            return 0;
        if (!kdf_argon2_ctx_set_out_length(ctx, u32_value))
            return 0;
    }

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ITER)) != NULL) {
        if (!OSSL_PARAM_get_uint32(p, &u32_value))
            return 0;
        if (!kdf_argon2_ctx_set_t_cost(ctx, u32_value))
            return 0;
    }

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_THREADS)) != NULL) {
        if (!OSSL_PARAM_get_uint32(p, &u32_value))
            return 0;
        if (!kdf_argon2_ctx_set_threads(ctx, u32_value))
            return 0;
    }

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ARGON2_LANES)) != NULL) {
        if (!OSSL_PARAM_get_uint32(p, &u32_value))
            return 0;
        if (!kdf_argon2_ctx_set_lanes(ctx, u32_value))
            return 0;
    }

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ARGON2_MEMCOST)) != NULL) {
        if (!OSSL_PARAM_get_uint32(p, &u32_value))
            return 0;
        if (!kdf_argon2_ctx_set_m_cost(ctx, u32_value))
            return 0;
    }

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_EARLY_CLEAN)) != NULL) {
        if (!OSSL_PARAM_get_uint32(p, &u32_value))
            return 0;
        kdf_argon2_ctx_set_flag_early_clean(ctx, u32_value);
    }

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ARGON2_VERSION)) != NULL) {
        if (!OSSL_PARAM_get_uint32(p, &u32_value))
            return 0;
        if (!kdf_argon2_ctx_set_version(ctx, u32_value))
            return 0;
    }

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PROPERTIES)) != NULL) {
        if (p->data_type != OSSL_PARAM_UTF8_STRING
            || !set_property_query(ctx, p->data))
            return 0;
    }

    return 1;
}

static const OSSL_PARAM *kdf_argon2_settable_ctx_params(ossl_unused void *ctx,
                                                        ossl_unused void *p_ctx)
{
    static const OSSL_PARAM known_settable_ctx_params[] = {
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0),
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0),
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_ARGON2_AD, NULL, 0),
        OSSL_PARAM_uint32(OSSL_KDF_PARAM_SIZE, NULL),
        OSSL_PARAM_uint32(OSSL_KDF_PARAM_ITER, NULL),
        OSSL_PARAM_uint32(OSSL_KDF_PARAM_THREADS, NULL),
        OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_LANES, NULL),
        OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_MEMCOST, NULL),
        OSSL_PARAM_uint32(OSSL_KDF_PARAM_EARLY_CLEAN, NULL),
        OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_VERSION, NULL),
        OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
        OSSL_PARAM_END
    };

    return known_settable_ctx_params;
}

static int kdf_argon2_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
    OSSL_PARAM *p;

    (void) vctx;
    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
        return OSSL_PARAM_set_size_t(p, SIZE_MAX);

    return -2;
}

static const OSSL_PARAM *kdf_argon2_gettable_ctx_params(ossl_unused void *ctx,
                                                        ossl_unused void *p_ctx)
{
    static const OSSL_PARAM known_gettable_ctx_params[] = {
        OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
        OSSL_PARAM_END
    };

    return known_gettable_ctx_params;
}

const OSSL_DISPATCH ossl_kdf_argon2i_functions[] = {
    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_argon2i_new },
    { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_argon2_free },
    { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_argon2_reset },
    { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_argon2_derive },
    { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
      (void(*)(void))kdf_argon2_settable_ctx_params },
    { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_argon2_set_ctx_params },
    { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
      (void(*)(void))kdf_argon2_gettable_ctx_params },
    { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_argon2_get_ctx_params },
    OSSL_DISPATCH_END
};

const OSSL_DISPATCH ossl_kdf_argon2d_functions[] = {
    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_argon2d_new },
    { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_argon2_free },
    { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_argon2_reset },
    { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_argon2_derive },
    { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
      (void(*)(void))kdf_argon2_settable_ctx_params },
    { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_argon2_set_ctx_params },
    { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
      (void(*)(void))kdf_argon2_gettable_ctx_params },
    { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_argon2_get_ctx_params },
    OSSL_DISPATCH_END
};

const OSSL_DISPATCH ossl_kdf_argon2id_functions[] = {
    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_argon2id_new },
    { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_argon2_free },
    { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_argon2_reset },
    { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_argon2_derive },
    { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
      (void(*)(void))kdf_argon2_settable_ctx_params },
    { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_argon2_set_ctx_params },
    { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
      (void(*)(void))kdf_argon2_gettable_ctx_params },
    { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_argon2_get_ctx_params },
    OSSL_DISPATCH_END
};

#endif