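/*	$NetBSD: crypt-argon2.c,v 1.22 2024/07/23 22:37:11 riastradh Exp $	*/

/*
 * Copyright (c) 2009 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__RCSID("$NetBSD: crypt-argon2.c,v 1.22 2024/07/23 22:37:11 riastradh Exp $");

#include <sys/resource.h>
#include <sys/param.h>
#include <sys/sysctl.h>
#include <sys/syslimits.h>

#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <pwd.h>
#include <errno.h>
#include <argon2.h>

#include <err.h>
#include "crypt.h"

crypt_private int
estimate_argon2_params(argon2_type, uint32_t *,
    uint32_t *, uint32_t *);

/* defaults pulled from run.c */
#define HASHLEN		32
#define T_COST_DEF	3
#define LOG_M_COST_DEF	12 /* 2^12 = 4 MiB */
#define LANES_DEF	1
#define THREADS_DEF	1
#define OUTLEN_DEF	32
#define MAX_PASS_LEN	128

/*
 * Positional initializer for argon2_context.
 *
 * NOTE(review): LOG_M_COST_DEF (12) is placed in what appears to be the
 * m_cost slot as-is, not as 1 << LOG_M_COST_DEF.  If so, a salt string
 * that carries no "m=" parameter is hashed with a far smaller memory
 * cost than the "4 MiB" comment above suggests -- confirm against the
 * argon2_context field order and decide whether that is intended.
 */
#define ARGON2_CONTEXT_INITIALIZER	\
	{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \
	T_COST_DEF, LOG_M_COST_DEF,\
	LANES_DEF, THREADS_DEF, \
	ARGON2_VERSION_NUMBER, 0, 0, ARGON2_DEFAULT_FLAGS}

#define ARGON2_ARGON2_STR	"argon2"
#define ARGON2_ARGON2I_STR	"argon2i"
#define ARGON2_ARGON2D_STR	"argon2d"
#define ARGON2_ARGON2ID_STR	"argon2id"

/*
 * Unpadded Base64 calculations are taken from the Apache2/CC-0
 * licensed libargon2 for compatibility
 */

/*
 * Some macros for constant-time comparisons. These work over values in
 * the 0..255 range. Returned value is 0x00 on "false", 0xFF on "true".
 * They are built from arithmetic and shifts only, so no branch depends
 * on the (possibly secret) operands.
 */
#define EQ(x, y) ((((0U - ((unsigned)(x) ^ (unsigned)(y))) >> 8) & 0xFF) ^ 0xFF)
#define GT(x, y) ((((unsigned)(y) - (unsigned)(x)) >> 8) & 0xFF)
#define GE(x, y) (GT(y, x) ^ 0xFF)
#define LT(x, y) GT(y, x)
#define LE(x, y) GE(y, x)

/*
 * Map one Base64 alphabet character to its 6-bit value.
 *
 * Returns 0..63 for 'A'-'Z', 'a'-'z', '0'-'9', '+' and '/', and 0xFF
 * for any other input.  The final expression distinguishes the valid
 * character 'A' (value 0) from "no range matched" (also 0).
 */
static unsigned
b64_char_to_byte(int c)
{
	unsigned x;

	x = (GE(c, 'A') & LE(c, 'Z') & (c - 'A')) |
	    (GE(c, 'a') & LE(c, 'z') & (c - ('a' - 26))) |
	    (GE(c, '0') & LE(c, '9') & (c - ('0' - 52))) | (EQ(c, '+') & 62) |
	    (EQ(c, '/') & 63);
	return x | (EQ(x, 0) & (EQ(c, 'A') ^ 0xFF));
}

/*
 * Decode unpadded Base64 from `src' into `dst'.
 *
 * On entry *dst_len is the capacity of `dst' in bytes; on success it is
 * updated to the number of bytes written.  Decoding stops at the first
 * character outside the Base64 alphabet (including the terminating
 * NUL), and a pointer to that character is returned so the caller can
 * check what follows.  Returns NULL if the output would exceed the
 * capacity or if the trailing bits are not a valid unpadded encoding.
 */
static const char *
from_base64(void *dst, size_t *dst_len, const char *src)
{
	size_t len;
	unsigned char *buf;
	unsigned acc, acc_len;

	buf = (unsigned char *)dst;
	len = 0;
	acc = 0;
	acc_len = 0;
	for (;;) {
		unsigned d;

		/*
		 * The comparison macros are specified for 0..255 only,
		 * so never hand them a sign-extended char.
		 */
		d = b64_char_to_byte((unsigned char)*src);
		if (d == 0xFF) {
			break;
		}
		src++;
		acc = (acc << 6) + d;
		acc_len += 6;
		if (acc_len >= 8) {
			acc_len -= 8;
			/* bound every write by the caller's capacity */
			if ((len++) >= *dst_len) {
				return NULL;
			}
			*buf++ = (acc >> acc_len) & 0xFF;
		}
	}

	/*
	 * If the input length is equal to 1 modulo 4 (which is
	 * invalid), then there will remain 6 unprocessed bits;
	 * otherwise, only 0, 2 or 4 bits are buffered. The buffered
	 * bits must also all be zero.
	 */
	if (acc_len > 4 || (acc & (((unsigned)1 << acc_len) - 1)) != 0) {
		return NULL;
	}
	*dst_len = len;
	return src;
}

/*
 * Used to find default parameters that perform well on the host
 * machine. Inputs should dereference to either 0 (to estimate),
 * or desired value.
 *
 * *ememory is estimated when it is below ARGON2_MIN_MEMORY, *etime when
 * it is below ARGON2_MIN_TIME.  *ethreads is always overwritten with 1;
 * its input value is not consulted.  The function always returns 0: if
 * sysctl(), getrlimit() or the first clock_gettime() fails, whatever
 * values have been chosen so far (initially the low built-in ones) are
 * stored, and if a benchmark hash fails all three are reset to the
 * built-in low values.
 */
crypt_private int
estimate_argon2_params(argon2_type atype, uint32_t *etime,
    uint32_t *ememory, uint32_t *ethreads)
{
	const int mib[] = { CTL_HW, HW_USERMEM64 };
	struct timespec tp1, tp2, delta;
	char tmp_salt[16];
	char tmp_pwd[16];
	uint32_t tmp_hash[32];
	char tmp_encoded[256];
	struct rlimit rlim;
	uint64_t max_mem; /* usermem64 returns bytes */
	size_t max_mem_sz = sizeof(max_mem);
	/* low values from argon2 test suite... */
	uint32_t m_cost = 256; /* 256k; argon2 wants kilobytes */
	uint32_t t_cost = 3;
	uint32_t threads = 1;

	if (*ememory < ARGON2_MIN_MEMORY) {
		/*
		 * attempt to find a reasonable bound for memory use
		 */
		if (sysctl(mib, __arraycount(mib),
		    &max_mem, &max_mem_sz, NULL, 0) < 0) {
			goto out;
		}
		if (getrlimit(RLIMIT_AS, &rlim) < 0)
			goto out;
		/* never plan for more than the address-space limit allows */
		if (max_mem > rlim.rlim_cur && rlim.rlim_cur != RLIM_INFINITY)
			max_mem = rlim.rlim_cur;

		/*
		 * Note that adding memory also greatly slows the algorithm.
		 * Do we need to be concerned about memory usage during
		 * concurrent connections?
		 */
		max_mem /= 1000000; /* bytes down to mb */
		if (max_mem > 30000) {
			m_cost = 32768;
		} else if (max_mem > 15000) {
			m_cost = 16384;
		} else if (max_mem > 7000) {
			m_cost = 8192;
		} else if (max_mem > 3000) {
			m_cost = 4096;
		} else if (max_mem > 900) {
			m_cost = 1024;
		} else if (max_mem > 24) {
			m_cost = 256;
		} else {
			m_cost = ARGON2_MIN_MEMORY;
		}
	} else {
		m_cost = *ememory;
	}

	if (*etime < ARGON2_MIN_TIME) {
		/*
		 * just fill these with random stuff since we'll immediately
		 * discard them after calculating hashes for 1 second
		 */
		arc4random_buf(tmp_pwd, sizeof(tmp_pwd));
		arc4random_buf(tmp_salt, sizeof(tmp_salt));

		/*
		 * tp1 is sampled once, so `delta' below is the cumulative
		 * time of every hash computed so far, not of the last one.
		 */
		if (clock_gettime(CLOCK_MONOTONIC, &tp1) == -1)
			goto out;
		for (; t_cost < ARGON2_MAX_TIME; ++t_cost) {
			if (argon2_hash(t_cost, m_cost, threads,
			    tmp_pwd, sizeof(tmp_pwd),
			    tmp_salt, sizeof(tmp_salt),
			    tmp_hash, sizeof(tmp_hash),
			    tmp_encoded, sizeof(tmp_encoded),
			    atype, ARGON2_VERSION_NUMBER) != ARGON2_OK) {
				/* benchmark failed: use the low defaults */
				t_cost = 3;
				m_cost = 256;
				threads = 1;
				goto out;
			}
			if (clock_gettime(CLOCK_MONOTONIC, &tp2) == -1)
				break;
			if (timespeccmp(&tp1, &tp2, >))
				break; /* broken system... */
			timespecsub(&tp2, &tp1, &delta);
			if (delta.tv_sec >= 1)
				break;
		}
	} else {
		t_cost = *etime;
	}

out:
	*etime = t_cost;
	*ememory = m_cost;
	*ethreads = threads;
	return 0;
}


/*
 * Parse one labelled cost parameter of the form "<label>=<number>";
 * `tok' points at the label character.  Returns 0 and stores the value
 * in *out, or -1 if the '=' is missing, the number does not parse, or
 * it does not fit in 32 bits.
 */
static int
decode_u32_param(const char *tok, uint32_t *out)
{
	size_t val = 0;

	/*
	 * Without this check a bare label ("m") would make the caller
	 * skip past the token's terminating NUL and parse whatever
	 * bytes follow it.
	 */
	if (tok[1] != '=')
		return -1;
	if (getnum(tok + 2, &val) < 0 || val > UINT32_MAX)
		return -1;
	*out = (uint32_t)val;
	return 0;
}

/* process params to argon2 */
/* we don't force param order as input, */
/* but we do provide the expected order to argon2 api */
/*
 * Expected layout of `option':
 *	[$]<type>$[v=<version>$]<m=..,t=..,p=..>$<salt>[$<hash>]
 *
 * Fills in *atype, ctx->version, ctx->m_cost, ctx->t_cost,
 * ctx->threads, the decoded salt (ctx->salt / ctx->saltlen, where
 * ctx->saltlen is the buffer capacity on entry) and, when present,
 * copies the trailing hash field into ctx->pwd.
 *
 * Returns 0 on success, <0 if the string is malformed.
 *
 * The string normally comes from the password database or from the
 * caller of crypt(3), so every field is treated as untrusted.
 */
static int
decode_option(argon2_context *ctx, argon2_type *atype, const char *option)
{
	size_t tmp = 0;
	char *in, *inp;
	char *a;
	char *p;
	size_t sl;
	int error = 0;

	in = strdup(option);
	if (in == NULL)
		return -1;
	inp = in;

	if (*inp == '$') inp++;

	/* inp is non-NULL here, so the first token always exists */
	a = strsep(&inp, "$");

	if (strcmp(ARGON2_ARGON2I_STR, a) == 0) {
		*atype=Argon2_i;
	} else if (strcmp(ARGON2_ARGON2D_STR, a) == 0) {
		*atype=Argon2_d;
	} else if (strcmp(ARGON2_ARGON2ID_STR, a) == 0) {
		*atype=Argon2_id;
	} else { /* default to id, we assume simple mistake */
		/* don't abandon yet */
		/*
		 * NOTE(review): an unrecognised type is silently hashed
		 * as argon2id rather than rejected.
		 */
		*atype=Argon2_id;
	}

	a = strsep(&inp, "$");
	if (a == NULL) {
		/* nothing after the type: no parameters and no salt */
		free(in);
		return -1;
	}

	/* parse the version number of the hash, if it's there */
	if (strncmp(a, "v=", 2) == 0) {
		a += 2;
		if ((getnum(a, &tmp)) < 0 || tmp > UINT32_MAX) {
			/* on error, fall back to version 1.0 */
			/* should start thinking about aborting */
			ctx->version = ARGON2_VERSION_10;
		} else {
			ctx->version = (uint32_t)tmp;
		}
		a = strsep(&inp, "$");
	} else {
		/*
		 * This is a parameter list, not a version number, use the
		 * default version.
		 */
		ctx->version = ARGON2_VERSION_10;
	}

	/* parse labelled argon2 params */
	/* m_cost (m)
	 * t_cost (t)
	 * threads (p)
	 */
	/* strsep() returns NULL at once if `a' is NULL */
	while ((p = strsep(&a, ","))) {
		switch (*p) {
		case 'm':
			if (decode_u32_param(p, &ctx->m_cost) < 0)
				--error;
			break;
		case 't':
			if (decode_u32_param(p, &ctx->t_cost) < 0)
				--error;
			break;
		case 'p':
			if (decode_u32_param(p, &ctx->threads) < 0)
				--error;
			break;
		default:
			free(in);
			return -1;

		}
	}

	a = strsep(&inp, "$");
	if (a == NULL) {
		free(in);
		return -1;
	}

	/* capacity in, decoded length out */
	sl = ctx->saltlen;

	/*
	 * from_base64() stops at the first non-Base64 character; only
	 * its NULL return is checked, so trailing characters in the
	 * salt field are ignored.
	 */
	if (from_base64(ctx->salt, &sl, a) == NULL) {
		free(in);
		return -1;
	}

	ctx->saltlen = sl;

	a = strsep(&inp, "$");

	if (a) {
		/* bounded copy; truncates to ctx->pwdlen - 1 characters */
		snprintf((char *)ctx->pwd, ctx->pwdlen, "%s", a);
	} else {
		/* don't care if passwd hash is missing */
		/* if missing, most likely coming from */
		/* pwhash or similar */
	}

	/* free our token buffer */
	free(in);

	/* 0 on success, <0 otherwise */
	return error;
}

/*
 * Hash `pw' with Argon2 using the type, version, cost parameters and
 * salt encoded in `salt'.
 *
 * Returns a pointer to a static buffer holding the encoded hash, or
 * NULL if `salt' cannot be parsed or hashing fails.  Because the
 * result lives in a static buffer, it is overwritten by the next call
 * and the function is not reentrant.
 */
crypt_private char *
__crypt_argon2(const char *pw, const char * salt)
{
	/* we use the libargon2 api to generate */
	/* return code */
	int rc = 0;
	/* raw hash output buffer */
	char ebuf[HASHLEN];
	/* argon2 variable, default to id */
	argon2_type atype = Argon2_id;
	/* argon2 context to collect params */
	argon2_context ctx = ARGON2_CONTEXT_INITIALIZER;
	/* argon2 encoded buffer */
	char encodebuf[256];
	/* argon2 salt buffer */
	char saltbuf[128];
	/* argon2 pwd buffer */
	char pwdbuf[128];
	/* returned static buffer */
	static char rbuf[512];
	/* stays NULL unless hashing succeeds */
	char *result = NULL;

	/* clear any hash left over from a previous call */
	explicit_memset(rbuf, 0, sizeof(rbuf));

	/* we use fixed-size buffers to avoid allocation */
	/* and easier cleanup */
	ctx.out = (uint8_t *)encodebuf;
	ctx.outlen = sizeof(encodebuf);

	ctx.salt = (uint8_t *)saltbuf;
	ctx.saltlen = sizeof(saltbuf);

	ctx.pwd = (uint8_t *)pwdbuf;
	ctx.pwdlen = sizeof(pwdbuf);

	/* decode salt string to argon2 params */
	/* argon2 context for param collection */
	rc = decode_option(&ctx, &atype, salt);

	if (rc < 0) {
		/* unable to parse input params */
		goto out;
	}

	rc = argon2_hash(ctx.t_cost, ctx.m_cost,
	    ctx.threads, pw, strlen(pw), ctx.salt, ctx.saltlen,
	    ebuf, sizeof(ebuf), encodebuf, sizeof(encodebuf),
	    atype, ctx.version);

	if (rc != ARGON2_OK) {
		fprintf(stderr, "argon2: failed: %s\n",
		    argon2_error_message(rc));
		goto out;
	}

	memcpy(rbuf, encodebuf, sizeof(encodebuf));
	result = rbuf;

out:
	/*
	 * Wipe the working buffers on every exit path, including the
	 * failure paths, so salt and hash material does not linger on
	 * the stack.
	 */
	explicit_memset(ebuf, 0, sizeof(ebuf));
	explicit_memset(encodebuf, 0, sizeof(encodebuf));
	explicit_memset(saltbuf, 0, sizeof(saltbuf));
	explicit_memset(pwdbuf, 0, sizeof(pwdbuf));

	/* encoded str on success, NULL on failure */
	return result;
}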