crypt-argon2.c revision 1.8
1 1.1 jhigh #include <stdlib.h> 2 1.1 jhigh #include <stdio.h> 3 1.1 jhigh #include <unistd.h> 4 1.1 jhigh #include <stdio.h> 5 1.1 jhigh #include <string.h> 6 1.1 jhigh #include <time.h> 7 1.1 jhigh #include <pwd.h> 8 1.1 jhigh #include <errno.h> 9 1.1 jhigh #include <argon2.h> 10 1.1 jhigh 11 1.1 jhigh #include <err.h> 12 1.1 jhigh #include "crypt.h" 13 1.1 jhigh 14 1.1 jhigh /* defaults pulled from run.c */ 15 1.1 jhigh #define HASHLEN 32 16 1.1 jhigh #define T_COST_DEF 3 17 1.1 jhigh #define LOG_M_COST_DEF 12 /* 2^12 = 4 MiB */ 18 1.1 jhigh #define LANES_DEF 1 19 1.1 jhigh #define THREADS_DEF 1 20 1.1 jhigh #define OUTLEN_DEF 32 21 1.1 jhigh #define MAX_PASS_LEN 128 22 1.1 jhigh 23 1.1 jhigh #define ARGON2_CONTEXT_INITIALIZER \ 24 1.1 jhigh {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \ 25 1.1 jhigh T_COST_DEF, LOG_M_COST_DEF,\ 26 1.1 jhigh LANES_DEF, THREADS_DEF, \ 27 1.1 jhigh ARGON2_VERSION_NUMBER, 0, 0, ARGON2_DEFAULT_FLAGS} 28 1.1 jhigh 29 1.1 jhigh #define ARGON2_ARGON2_STR "argon2" 30 1.1 jhigh #define ARGON2_ARGON2I_STR "argon2i" 31 1.1 jhigh #define ARGON2_ARGON2D_STR "argon2d" 32 1.1 jhigh #define ARGON2_ARGON2ID_STR "argon2id" 33 1.1 jhigh 34 1.7 nia 35 1.7 nia /* 36 1.7 nia * Some macros for constant-time comparisons. These work over values in 37 1.7 nia * the 0..255 range. Returned value is 0x00 on "false", 0xFF on "true". 38 1.7 nia */ 39 1.7 nia #define EQ(x, y) ((((0U - ((unsigned)(x) ^ (unsigned)(y))) >> 8) & 0xFF) ^ 0xFF) 40 1.7 nia #define GT(x, y) ((((unsigned)(y) - (unsigned)(x)) >> 8) & 0xFF) 41 1.7 nia #define GE(x, y) (GT(y, x) ^ 0xFF) 42 1.7 nia #define LT(x, y) GT(y, x) 43 1.7 nia #define LE(x, y) GE(y, x) 44 1.7 nia 45 1.7 nia static unsigned 46 1.7 nia b64_char_to_byte(int c) 47 1.7 nia { 48 1.7 nia unsigned x; 49 1.7 nia 50 1.7 nia x = (GE(c, 'A') & LE(c, 'Z') & (c - 'A')) | 51 1.7 nia (GE(c, 'a') & LE(c, 'z') & (c - ('a' - 26))) | 52 1.7 nia (GE(c, '0') & LE(c, '9') & (c - ('0' - 52))) | (EQ(c, '+') & 62) | 53 1.7 nia (EQ(c, '/') & 63); 54 1.7 nia return x | (EQ(x, 0) & (EQ(c, 'A') ^ 0xFF)); 55 1.7 nia } 56 1.7 nia 57 1.7 nia static const char * 58 1.7 nia from_base64(void *dst, size_t *dst_len, const char *src) 59 1.7 nia { 60 1.7 nia size_t len; 61 1.7 nia unsigned char *buf; 62 1.7 nia unsigned acc, acc_len; 63 1.7 nia 64 1.7 nia buf = (unsigned char *)dst; 65 1.7 nia len = 0; 66 1.7 nia acc = 0; 67 1.7 nia acc_len = 0; 68 1.7 nia for (;;) { 69 1.7 nia unsigned d; 70 1.7 nia 71 1.7 nia d = b64_char_to_byte(*src); 72 1.7 nia if (d == 0xFF) { 73 1.7 nia break; 74 1.7 nia } 75 1.7 nia src++; 76 1.7 nia acc = (acc << 6) + d; 77 1.7 nia acc_len += 6; 78 1.7 nia if (acc_len >= 8) { 79 1.7 nia acc_len -= 8; 80 1.7 nia if ((len++) >= *dst_len) { 81 1.7 nia return NULL; 82 1.7 nia } 83 1.7 nia *buf++ = (acc >> acc_len) & 0xFF; 84 1.7 nia } 85 1.7 nia } 86 1.7 nia 87 1.7 nia /* 88 1.7 nia * If the input length is equal to 1 modulo 4 (which is 89 1.7 nia * invalid), then there will remain 6 unprocessed bits; 90 1.7 nia * otherwise, only 0, 2 or 4 bits are buffered. The buffered 91 1.7 nia * bits must also all be zero. 92 1.7 nia */ 93 1.7 nia if (acc_len > 4 || (acc & (((unsigned)1 << acc_len) - 1)) != 0) { 94 1.7 nia return NULL; 95 1.7 nia } 96 1.7 nia *dst_len = len; 97 1.7 nia return src; 98 1.7 nia } 99 1.7 nia 100 1.1 jhigh /* process params to argon2 */ 101 1.1 jhigh /* we don't force param order as input, */ 102 1.1 jhigh /* but we do provide the expected order to argon2 api */ 103 1.7 nia static int 104 1.7 nia decode_option(argon2_context *ctx, argon2_type *atype, const char *option) 105 1.1 jhigh { 106 1.7 nia size_t tmp = 0; 107 1.7 nia char *in = 0, *inp; 108 1.7 nia char *a = 0; 109 1.7 nia char *p = 0; 110 1.1 jhigh size_t sl; 111 1.7 nia int error = 0; 112 1.1 jhigh 113 1.1 jhigh in = (char *)strdup(option); 114 1.1 jhigh inp = in; 115 1.1 jhigh 116 1.1 jhigh if (*inp == '$') inp++; 117 1.1 jhigh 118 1.1 jhigh a = strsep(&inp, "$"); 119 1.1 jhigh 120 1.1 jhigh sl = strlen(a); 121 1.1 jhigh 122 1.1 jhigh if (sl == strlen(ARGON2_ARGON2I_STR) && 123 1.1 jhigh !(strcmp(ARGON2_ARGON2I_STR, a))) { 124 1.1 jhigh *atype=Argon2_i; 125 1.1 jhigh } else if (sl == strlen(ARGON2_ARGON2D_STR) && 126 1.1 jhigh !(strcmp(ARGON2_ARGON2D_STR, a))) { 127 1.1 jhigh *atype=Argon2_d; 128 1.1 jhigh } 129 1.1 jhigh else if (sl == strlen(ARGON2_ARGON2ID_STR) && 130 1.1 jhigh !(strcmp(ARGON2_ARGON2ID_STR, a))) { 131 1.1 jhigh *atype=Argon2_id; 132 1.1 jhigh } else { /* default to id, we assume simple mistake */ 133 1.1 jhigh /* don't abandon yet */ 134 1.1 jhigh *atype=Argon2_id; 135 1.1 jhigh } 136 1.1 jhigh 137 1.1 jhigh a = strsep(&inp, "$"); 138 1.1 jhigh 139 1.3 nia /* parse the version number of the hash, if it's there */ 140 1.3 nia if (strncmp(a, "v=", 2) == 0) { 141 1.3 nia a += 2; 142 1.3 nia if ((getnum(a, &tmp))<0) { /* on error, default to current */ 143 1.3 nia /* should start thinking about aborting */ 144 1.4 nia ctx->version = ARGON2_VERSION_10; 145 1.3 nia } else { 146 1.3 nia ctx->version = tmp; 147 1.3 nia } 148 1.3 nia a = strsep(&inp, "$"); 149 1.3 nia } else { 150 1.3 nia /* 151 1.3 nia * This is a parameter list, not a version number, use the 152 1.3 nia * default version. 153 1.3 nia */ 154 1.4 nia ctx->version = ARGON2_VERSION_10; 155 1.1 jhigh } 156 1.1 jhigh 157 1.1 jhigh /* parse labelled argon2 params */ 158 1.1 jhigh /* m_cost (m) 159 1.1 jhigh * t_cost (t) 160 1.1 jhigh * threads (p) 161 1.1 jhigh */ 162 1.1 jhigh while ((p = strsep(&a, ","))) { 163 1.1 jhigh switch (*p) { 164 1.1 jhigh case 'm': 165 1.1 jhigh p += strlen("m="); 166 1.1 jhigh if ((getnum(p, &tmp)) < 0) { 167 1.1 jhigh --error; 168 1.1 jhigh } else { 169 1.1 jhigh ctx->m_cost = tmp; 170 1.1 jhigh } 171 1.1 jhigh break; 172 1.1 jhigh case 't': 173 1.1 jhigh p += strlen("t="); 174 1.1 jhigh if ((getnum(p, &tmp)) < 0) { 175 1.1 jhigh --error; 176 1.1 jhigh } else { 177 1.1 jhigh ctx->t_cost = tmp; 178 1.1 jhigh } 179 1.1 jhigh break; 180 1.1 jhigh case 'p': 181 1.1 jhigh p += strlen("p="); 182 1.1 jhigh if ((getnum(p, &tmp)) < 0) { 183 1.1 jhigh --error; 184 1.1 jhigh } else { 185 1.1 jhigh ctx->threads = tmp; 186 1.1 jhigh } 187 1.1 jhigh break; 188 1.1 jhigh default: 189 1.1 jhigh return -1; 190 1.1 jhigh 191 1.1 jhigh } 192 1.1 jhigh } 193 1.1 jhigh 194 1.1 jhigh a = strsep(&inp, "$"); 195 1.1 jhigh 196 1.7 nia sl = ctx->saltlen; 197 1.7 nia 198 1.7 nia if (from_base64(ctx->salt, &sl, a) == NULL) 199 1.7 nia return -1; 200 1.7 nia 201 1.7 nia ctx->saltlen = sl; 202 1.1 jhigh 203 1.1 jhigh a = strsep(&inp, "$"); 204 1.1 jhigh 205 1.3 nia if (a) { 206 1.3 nia snprintf((char *)ctx->pwd, ctx->pwdlen, "%s", a); 207 1.1 jhigh } else { 208 1.1 jhigh /* don't care if passwd hash is missing */ 209 1.1 jhigh /* if missing, most likely coming from */ 210 1.1 jhigh /* pwhash or similar */ 211 1.1 jhigh } 212 1.1 jhigh 213 1.1 jhigh /* free our token buffer */ 214 1.1 jhigh free(in); 215 1.1 jhigh 216 1.1 jhigh /* 0 on success, <0 otherwise */ 217 1.1 jhigh return error; 218 1.1 jhigh } 219 1.1 jhigh 220 1.1 jhigh char * 221 1.1 jhigh __crypt_argon2(const char *pw, const char * salt) 222 1.1 jhigh { 223 1.1 jhigh /* we use the libargon2 api to generate */ 224 1.1 jhigh /* return code */ 225 1.7 nia int rc = 0; 226 1.1 jhigh /* output buffer */ 227 1.1 jhigh char ebuf[32]; 228 1.1 jhigh /* argon2 variable, default to id */ 229 1.1 jhigh argon2_type atype = Argon2_id; 230 1.1 jhigh /* default to current argon2 version */ 231 1.1 jhigh /* argon2 context to collect params */ 232 1.1 jhigh argon2_context ctx = ARGON2_CONTEXT_INITIALIZER; 233 1.1 jhigh /* argon2 encoded buffer */ 234 1.1 jhigh char encodebuf[256]; 235 1.1 jhigh /* argon2 salt buffer */ 236 1.1 jhigh char saltbuf[128]; 237 1.1 jhigh /* argon2 pwd buffer */ 238 1.1 jhigh char pwdbuf[128]; 239 1.1 jhigh /* returned static buffer */ 240 1.1 jhigh static char rbuf[512]; 241 1.1 jhigh 242 1.1 jhigh /* clear buffers */ 243 1.6 nia explicit_memset(rbuf, 0, sizeof(rbuf)); 244 1.1 jhigh 245 1.1 jhigh /* we use static buffers to avoid allocation */ 246 1.1 jhigh /* and easier cleanup */ 247 1.1 jhigh ctx.out = (uint8_t *)ebuf; 248 1.1 jhigh ctx.outlen = sizeof(ebuf); 249 1.1 jhigh 250 1.1 jhigh ctx.out = (uint8_t *)encodebuf; 251 1.1 jhigh ctx.outlen = sizeof(encodebuf); 252 1.1 jhigh 253 1.1 jhigh ctx.salt = (uint8_t *)saltbuf; 254 1.1 jhigh ctx.saltlen = sizeof(saltbuf); 255 1.1 jhigh 256 1.7 nia ctx.pwd = (uint8_t *)pwdbuf; 257 1.1 jhigh ctx.pwdlen = sizeof(pwdbuf); 258 1.1 jhigh 259 1.1 jhigh /* decode salt string to argon2 params */ 260 1.1 jhigh /* argon2 context for param collection */ 261 1.1 jhigh rc = decode_option(&ctx, &atype, salt); 262 1.1 jhigh 263 1.1 jhigh if (rc < 0) { 264 1.3 nia /* unable to parse input params */ 265 1.1 jhigh return 0; 266 1.1 jhigh } 267 1.1 jhigh 268 1.1 jhigh rc = argon2_hash(ctx.t_cost, ctx.m_cost, 269 1.7 nia ctx.threads, pw, strlen(pw), ctx.salt, ctx.saltlen, 270 1.7 nia ebuf, sizeof(ebuf), encodebuf, sizeof(encodebuf), 271 1.7 nia atype, ctx.version); 272 1.1 jhigh 273 1.1 jhigh if (rc != ARGON2_OK) { 274 1.3 nia fprintf(stderr, "argon2: failed: %s\n", 275 1.3 nia argon2_error_message(rc)); 276 1.1 jhigh return 0; 277 1.1 jhigh } 278 1.1 jhigh 279 1.6 nia memcpy(rbuf, encodebuf, sizeof(encodebuf)); 280 1.1 jhigh 281 1.1 jhigh /* clear buffers */ 282 1.6 nia explicit_memset(ebuf, 0, sizeof(ebuf)); 283 1.5 nia explicit_memset(encodebuf, 0, sizeof(encodebuf)); 284 1.5 nia explicit_memset(saltbuf, 0, sizeof(saltbuf)); 285 1.5 nia explicit_memset(pwdbuf, 0, sizeof(pwdbuf)); 286 1.1 jhigh 287 1.1 jhigh /* return encoded str */ 288 1.1 jhigh return rbuf; 289 1.1 jhigh } 290
Indexes created Tue Sep 30 11:09:46 GMT 2025