1 /*
2 * Argon2 source code package
3 *
4 * Written by Daniel Dinu and Dmitry Khovratovich, 2015
5 *
6 * This work is licensed under a Creative Commons CC0 1.0 License/Waiver.
7 *
8 * You should have received a copy of the CC0 Public Domain Dedication along
9 * with
10 * this software. If not, see
11 * <http://creativecommons.org/publicdomain/zero/1.0/>.
12 */
13
14 #include <errno.h>
15 #include <stdint.h>
16 #include <stdio.h>
17 #include <stdlib.h>
18 #include <string.h>
19
20 #include <sys/types.h>
21 #ifdef HAVE_SYS_MMAN_H
22 # include <sys/mman.h>
23 #endif
24
25 #include "crypto_generichash_blake2b.h"
26 #include "private/common.h"
27 #include "private/implementations.h"
28 #include "runtime.h"
29 #include "utils.h"
30
31 #include "argon2-core.h"
32 #include "blake2b-long.h"
33
34 #if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
35 # define MAP_ANON MAP_ANONYMOUS
36 #endif
37 #ifndef MAP_NOCORE
38 # define MAP_NOCORE 0
39 #endif
40 #ifndef MAP_POPULATE
41 # define MAP_POPULATE 0
42 #endif
43
44 static fill_segment_fn fill_segment = fill_segment_ref;
45
46 static void
load_block(block * dst,const void * input)47 load_block(block *dst, const void *input)
48 {
49 unsigned i;
50 for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i) {
51 dst->v[i] = LOAD64_LE((const uint8_t *) input + i * sizeof(dst->v[i]));
52 }
53 }
54
55 static void
store_block(void * output,const block * src)56 store_block(void *output, const block *src)
57 {
58 unsigned i;
59 for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i) {
60 STORE64_LE((uint8_t *) output + i * sizeof(src->v[i]), src->v[i]);
61 }
62 }
63
64 /***************Memory allocators*****************/
65 /* Allocates memory to the given pointer
66 * @param memory pointer to the pointer to the memory
67 * @param m_cost number of blocks to allocate in the memory
68 * @return ARGON2_OK if @memory is a valid pointer and memory is allocated
69 */
70 static int allocate_memory(block_region **region, uint32_t m_cost);
71
72 static int
allocate_memory(block_region ** region,uint32_t m_cost)73 allocate_memory(block_region **region, uint32_t m_cost)
74 {
75 void * base;
76 block *memory;
77 size_t memory_size;
78
79 if (region == NULL) {
80 return ARGON2_MEMORY_ALLOCATION_ERROR; /* LCOV_EXCL_LINE */
81 }
82 memory_size = sizeof(block) * m_cost;
83 if (m_cost == 0 || memory_size / m_cost != sizeof(block)) {
84 return ARGON2_MEMORY_ALLOCATION_ERROR; /* LCOV_EXCL_LINE */
85 }
86 *region = (block_region *) malloc(sizeof(block_region));
87 if (*region == NULL) {
88 return ARGON2_MEMORY_ALLOCATION_ERROR; /* LCOV_EXCL_LINE */
89 }
90 (*region)->base = (*region)->memory = NULL;
91
92 #if defined(MAP_ANON) && defined(HAVE_MMAP)
93 if ((base = mmap(NULL, memory_size, PROT_READ | PROT_WRITE,
94 MAP_ANON | MAP_PRIVATE | MAP_NOCORE | MAP_POPULATE,
95 -1, 0)) == MAP_FAILED) {
96 base = NULL; /* LCOV_EXCL_LINE */
97 } /* LCOV_EXCL_LINE */
98 memcpy(&memory, &base, sizeof memory);
99 #elif defined(HAVE_POSIX_MEMALIGN)
100 if ((errno = posix_memalign((void **) &base, 64, memory_size)) != 0) {
101 base = NULL;
102 }
103 memcpy(&memory, &base, sizeof memory);
104 #else
105 memory = NULL;
106 if (memory_size + 63 < memory_size) {
107 base = NULL;
108 errno = ENOMEM;
109 } else if ((base = malloc(memory_size + 63)) != NULL) {
110 uint8_t *aligned = ((uint8_t *) base) + 63;
111 aligned -= (uintptr_t) aligned & 63;
112 memcpy(&memory, &aligned, sizeof memory);
113 }
114 #endif
115 if (base == NULL) {
116 /* LCOV_EXCL_START */
117 free(*region);
118 *region = NULL;
119 return ARGON2_MEMORY_ALLOCATION_ERROR;
120 /* LCOV_EXCL_STOP */
121 }
122 (*region)->base = base;
123 (*region)->memory = memory;
124 (*region)->size = memory_size;
125
126 return ARGON2_OK;
127 }
128
129 /*********Memory functions*/
130
131 /* Clears memory
132 * @param instance pointer to the current instance
133 * @param clear_memory indicates if we clear the memory with zeros.
134 */
135 static void clear_memory(argon2_instance_t *instance, int clear);
136
137 static void
clear_memory(argon2_instance_t * instance,int clear)138 clear_memory(argon2_instance_t *instance, int clear)
139 {
140 /* LCOV_EXCL_START */
141 if (clear) {
142 if (instance->region != NULL) {
143 sodium_memzero(instance->region->memory,
144 sizeof(block) * instance->memory_blocks);
145 }
146 if (instance->pseudo_rands != NULL) {
147 sodium_memzero(instance->pseudo_rands,
148 sizeof(uint64_t) * instance->segment_length);
149 }
150 }
151 /* LCOV_EXCL_STOP */
152 }
153
154 /* Deallocates memory
155 * @param memory pointer to the blocks
156 */
157 static void free_memory(block_region *region);
158
159 static void
free_memory(block_region * region)160 free_memory(block_region *region)
161 {
162 if (region && region->base) {
163 #if defined(MAP_ANON) && defined(HAVE_MMAP)
164 if (munmap(region->base, region->size)) {
165 return; /* LCOV_EXCL_LINE */
166 }
167 #else
168 free(region->base);
169 #endif
170 }
171 free(region);
172 }
173
174 void
free_instance(argon2_instance_t * instance,int flags)175 free_instance(argon2_instance_t *instance, int flags)
176 {
177 /* Clear memory */
178 clear_memory(instance, flags & ARGON2_FLAG_CLEAR_MEMORY);
179
180 /* Deallocate the memory */
181 free(instance->pseudo_rands);
182 instance->pseudo_rands = NULL;
183 free_memory(instance->region);
184 instance->region = NULL;
185 }
186
187 void
finalize(const argon2_context * context,argon2_instance_t * instance)188 finalize(const argon2_context *context, argon2_instance_t *instance)
189 {
190 if (context != NULL && instance != NULL) {
191 block blockhash;
192 uint32_t l;
193
194 copy_block(&blockhash,
195 instance->region->memory + instance->lane_length - 1);
196
197 /* XOR the last blocks */
198 for (l = 1; l < instance->lanes; ++l) {
199 uint32_t last_block_in_lane =
200 l * instance->lane_length + (instance->lane_length - 1);
201 xor_block(&blockhash,
202 instance->region->memory + last_block_in_lane);
203 }
204
205 /* Hash the result */
206 {
207 uint8_t blockhash_bytes[ARGON2_BLOCK_SIZE];
208 store_block(blockhash_bytes, &blockhash);
209 blake2b_long(context->out, context->outlen, blockhash_bytes,
210 ARGON2_BLOCK_SIZE);
211 sodium_memzero(blockhash.v,
212 ARGON2_BLOCK_SIZE); /* clear blockhash */
213 sodium_memzero(blockhash_bytes,
214 ARGON2_BLOCK_SIZE); /* clear blockhash_bytes */
215 }
216
217 free_instance(instance, context->flags);
218 }
219 }
220
221 void
fill_memory_blocks(argon2_instance_t * instance,uint32_t pass)222 fill_memory_blocks(argon2_instance_t *instance, uint32_t pass)
223 {
224 argon2_position_t position;
225 uint32_t l;
226 uint32_t s;
227
228 if (instance == NULL || instance->lanes == 0) {
229 return; /* LCOV_EXCL_LINE */
230 }
231
232 position.pass = pass;
233 for (s = 0; s < ARGON2_SYNC_POINTS; ++s) {
234 position.slice = (uint8_t) s;
235 for (l = 0; l < instance->lanes; ++l) {
236 position.lane = l;
237 position.index = 0;
238 fill_segment(instance, position);
239 }
240 }
241 }
242
243 int
validate_inputs(const argon2_context * context)244 validate_inputs(const argon2_context *context)
245 {
246 /* LCOV_EXCL_START */
247 if (NULL == context) {
248 return ARGON2_INCORRECT_PARAMETER;
249 }
250
251 if (NULL == context->out) {
252 return ARGON2_OUTPUT_PTR_NULL;
253 }
254
255 /* Validate output length */
256 if (ARGON2_MIN_OUTLEN > context->outlen) {
257 return ARGON2_OUTPUT_TOO_SHORT;
258 }
259
260 if (ARGON2_MAX_OUTLEN < context->outlen) {
261 return ARGON2_OUTPUT_TOO_LONG;
262 }
263
264 /* Validate password (required param) */
265 if (NULL == context->pwd) {
266 if (0 != context->pwdlen) {
267 return ARGON2_PWD_PTR_MISMATCH;
268 }
269 }
270
271 if (ARGON2_MIN_PWD_LENGTH > context->pwdlen) {
272 return ARGON2_PWD_TOO_SHORT;
273 }
274
275 if (ARGON2_MAX_PWD_LENGTH < context->pwdlen) {
276 return ARGON2_PWD_TOO_LONG;
277 }
278
279 /* Validate salt (required param) */
280 if (NULL == context->salt) {
281 if (0 != context->saltlen) {
282 return ARGON2_SALT_PTR_MISMATCH;
283 }
284 }
285
286 if (ARGON2_MIN_SALT_LENGTH > context->saltlen) {
287 return ARGON2_SALT_TOO_SHORT;
288 }
289
290 if (ARGON2_MAX_SALT_LENGTH < context->saltlen) {
291 return ARGON2_SALT_TOO_LONG;
292 }
293
294 /* Validate secret (optional param) */
295 if (NULL == context->secret) {
296 if (0 != context->secretlen) {
297 return ARGON2_SECRET_PTR_MISMATCH;
298 }
299 } else {
300 if (ARGON2_MIN_SECRET > context->secretlen) {
301 return ARGON2_SECRET_TOO_SHORT;
302 }
303
304 if (ARGON2_MAX_SECRET < context->secretlen) {
305 return ARGON2_SECRET_TOO_LONG;
306 }
307 }
308
309 /* Validate associated data (optional param) */
310 if (NULL == context->ad) {
311 if (0 != context->adlen) {
312 return ARGON2_AD_PTR_MISMATCH;
313 }
314 } else {
315 if (ARGON2_MIN_AD_LENGTH > context->adlen) {
316 return ARGON2_AD_TOO_SHORT;
317 }
318
319 if (ARGON2_MAX_AD_LENGTH < context->adlen) {
320 return ARGON2_AD_TOO_LONG;
321 }
322 }
323
324 /* Validate memory cost */
325 if (ARGON2_MIN_MEMORY > context->m_cost) {
326 return ARGON2_MEMORY_TOO_LITTLE;
327 }
328
329 if (ARGON2_MAX_MEMORY < context->m_cost) {
330 return ARGON2_MEMORY_TOO_MUCH;
331 }
332
333 if (context->m_cost < 8 * context->lanes) {
334 return ARGON2_MEMORY_TOO_LITTLE;
335 }
336
337 /* Validate time cost */
338 if (ARGON2_MIN_TIME > context->t_cost) {
339 return ARGON2_TIME_TOO_SMALL;
340 }
341
342 if (ARGON2_MAX_TIME < context->t_cost) {
343 return ARGON2_TIME_TOO_LARGE;
344 }
345
346 /* Validate lanes */
347 if (ARGON2_MIN_LANES > context->lanes) {
348 return ARGON2_LANES_TOO_FEW;
349 }
350
351 if (ARGON2_MAX_LANES < context->lanes) {
352 return ARGON2_LANES_TOO_MANY;
353 }
354
355 /* Validate threads */
356 if (ARGON2_MIN_THREADS > context->threads) {
357 return ARGON2_THREADS_TOO_FEW;
358 }
359
360 if (ARGON2_MAX_THREADS < context->threads) {
361 return ARGON2_THREADS_TOO_MANY;
362 }
363 /* LCOV_EXCL_STOP */
364
365 return ARGON2_OK;
366 }
367
368 void
fill_first_blocks(uint8_t * blockhash,const argon2_instance_t * instance)369 fill_first_blocks(uint8_t *blockhash, const argon2_instance_t *instance)
370 {
371 uint32_t l;
372 /* Make the first and second block in each lane as G(H0||i||0) or
373 G(H0||i||1) */
374 uint8_t blockhash_bytes[ARGON2_BLOCK_SIZE];
375 for (l = 0; l < instance->lanes; ++l) {
376 STORE32_LE(blockhash + ARGON2_PREHASH_DIGEST_LENGTH, 0);
377 STORE32_LE(blockhash + ARGON2_PREHASH_DIGEST_LENGTH + 4, l);
378 blake2b_long(blockhash_bytes, ARGON2_BLOCK_SIZE, blockhash,
379 ARGON2_PREHASH_SEED_LENGTH);
380 load_block(&instance->region->memory[l * instance->lane_length + 0],
381 blockhash_bytes);
382
383 STORE32_LE(blockhash + ARGON2_PREHASH_DIGEST_LENGTH, 1);
384 blake2b_long(blockhash_bytes, ARGON2_BLOCK_SIZE, blockhash,
385 ARGON2_PREHASH_SEED_LENGTH);
386 load_block(&instance->region->memory[l * instance->lane_length + 1],
387 blockhash_bytes);
388 }
389 sodium_memzero(blockhash_bytes, ARGON2_BLOCK_SIZE);
390 }
391
392 void
initial_hash(uint8_t * blockhash,argon2_context * context,argon2_type type)393 initial_hash(uint8_t *blockhash, argon2_context *context, argon2_type type)
394 {
395 crypto_generichash_blake2b_state BlakeHash;
396 uint8_t value[4U /* sizeof(uint32_t) */];
397
398 if (NULL == context || NULL == blockhash) {
399 return; /* LCOV_EXCL_LINE */
400 }
401
402 crypto_generichash_blake2b_init(&BlakeHash, NULL, 0U,
403 ARGON2_PREHASH_DIGEST_LENGTH);
404
405 STORE32_LE(value, context->lanes);
406 crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value));
407
408 STORE32_LE(value, context->outlen);
409 crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value));
410
411 STORE32_LE(value, context->m_cost);
412 crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value));
413
414 STORE32_LE(value, context->t_cost);
415 crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value));
416
417 STORE32_LE(value, ARGON2_VERSION_NUMBER);
418 crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value));
419
420 STORE32_LE(value, (uint32_t) type);
421 crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value));
422
423 STORE32_LE(value, context->pwdlen);
424 crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value));
425
426 if (context->pwd != NULL) {
427 crypto_generichash_blake2b_update(
428 &BlakeHash, (const uint8_t *) context->pwd, context->pwdlen);
429
430 /* LCOV_EXCL_START */
431 if (context->flags & ARGON2_FLAG_CLEAR_PASSWORD) {
432 sodium_memzero(context->pwd, context->pwdlen);
433 context->pwdlen = 0;
434 }
435 /* LCOV_EXCL_STOP */
436 }
437
438 STORE32_LE(value, context->saltlen);
439 crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value));
440
441 if (context->salt != NULL) {
442 crypto_generichash_blake2b_update(
443 &BlakeHash, (const uint8_t *) context->salt, context->saltlen);
444 }
445
446 STORE32_LE(value, context->secretlen);
447 crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value));
448
449 /* LCOV_EXCL_START */
450 if (context->secret != NULL) {
451 crypto_generichash_blake2b_update(
452 &BlakeHash, (const uint8_t *) context->secret, context->secretlen);
453
454 if (context->flags & ARGON2_FLAG_CLEAR_SECRET) {
455 sodium_memzero(context->secret, context->secretlen);
456 context->secretlen = 0;
457 }
458 }
459 /* LCOV_EXCL_STOP */
460
461 STORE32_LE(value, context->adlen);
462 crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value));
463
464 /* LCOV_EXCL_START */
465 if (context->ad != NULL) {
466 crypto_generichash_blake2b_update(
467 &BlakeHash, (const uint8_t *) context->ad, context->adlen);
468 }
469 /* LCOV_EXCL_STOP */
470
471 crypto_generichash_blake2b_final(&BlakeHash, blockhash,
472 ARGON2_PREHASH_DIGEST_LENGTH);
473 }
474
475 int
initialize(argon2_instance_t * instance,argon2_context * context)476 initialize(argon2_instance_t *instance, argon2_context *context)
477 {
478 uint8_t blockhash[ARGON2_PREHASH_SEED_LENGTH];
479 int result = ARGON2_OK;
480
481 if (instance == NULL || context == NULL) {
482 return ARGON2_INCORRECT_PARAMETER;
483 }
484
485 /* 1. Memory allocation */
486
487 if ((instance->pseudo_rands = (uint64_t *)
488 malloc(sizeof(uint64_t) * instance->segment_length)) == NULL) {
489 return ARGON2_MEMORY_ALLOCATION_ERROR;
490 }
491
492 result = allocate_memory(&(instance->region), instance->memory_blocks);
493 if (ARGON2_OK != result) {
494 free_instance(instance, context->flags);
495 return result;
496 }
497
498 /* 2. Initial hashing */
499 /* H_0 + 8 extra bytes to produce the first blocks */
500 /* uint8_t blockhash[ARGON2_PREHASH_SEED_LENGTH]; */
501 /* Hashing all inputs */
502 initial_hash(blockhash, context, instance->type);
503 /* Zeroing 8 extra bytes */
504 sodium_memzero(blockhash + ARGON2_PREHASH_DIGEST_LENGTH,
505 ARGON2_PREHASH_SEED_LENGTH - ARGON2_PREHASH_DIGEST_LENGTH);
506
507 /* 3. Creating first blocks, we always have at least two blocks in a slice
508 */
509 fill_first_blocks(blockhash, instance);
510 /* Clearing the hash */
511 sodium_memzero(blockhash, ARGON2_PREHASH_SEED_LENGTH);
512
513 return ARGON2_OK;
514 }
515
516 int
argon2_pick_best_implementation(void)517 argon2_pick_best_implementation(void)
518 {
519 /* LCOV_EXCL_START */
520 #if defined(HAVE_AVX512FINTRIN_H) && defined(HAVE_AVX2INTRIN_H) && \
521 defined(HAVE_TMMINTRIN_H) && defined(HAVE_SMMINTRIN_H)
522 if (sodium_runtime_has_avx512f()) {
523 fill_segment = fill_segment_avx512f;
524 return 0;
525 }
526 #endif
527 #if defined(HAVE_AVX2INTRIN_H) && defined(HAVE_TMMINTRIN_H) && \
528 defined(HAVE_SMMINTRIN_H)
529 if (sodium_runtime_has_avx2()) {
530 fill_segment = fill_segment_avx2;
531 return 0;
532 }
533 #endif
534 #if defined(HAVE_EMMINTRIN_H) && defined(HAVE_TMMINTRIN_H)
535 if (sodium_runtime_has_ssse3()) {
536 fill_segment = fill_segment_ssse3;
537 return 0;
538 }
539 #endif
540 fill_segment = fill_segment_ref;
541
542 return 0;
543 /* LCOV_EXCL_STOP */
544 }
545
546 int
_crypto_pwhash_argon2_pick_best_implementation(void)547 _crypto_pwhash_argon2_pick_best_implementation(void)
548 {
549 return argon2_pick_best_implementation();
550 }
551