argon2 0.0.2 → 0.1.0

data/ext/phc-winner-argon2/src/argon2.h

@@ -73,8 +73,7 @@ extern "C" {
 #define ARGON2_FLAG_CLEAR_PASSWORD (UINT32_C(1) << 0)
 #define ARGON2_FLAG_CLEAR_SECRET (UINT32_C(1) << 1)
 #define ARGON2_FLAG_CLEAR_MEMORY (UINT32_C(1) << 2)
-#define ARGON2_DEFAULT_FLAGS                                                   \
-    (ARGON2_FLAG_CLEAR_PASSWORD | ARGON2_FLAG_CLEAR_MEMORY)
+#define ARGON2_DEFAULT_FLAGS (ARGON2_FLAG_CLEAR_MEMORY)
 
 /* Error codes */
 typedef enum Argon2_ErrorCodes {
@@ -126,6 +125,10 @@ typedef enum Argon2_ErrorCodes {
 
     ARGON2_MISSING_ARGS = 30,
 
+    ARGON2_ENCODING_FAIL = 31,
+
+    ARGON2_DECODING_FAIL = 32,
+
     ARGON2_ERROR_CODES_LENGTH /* Do NOT remove; Do NOT add error codes after
                                  this
                                  error code */
@@ -188,27 +191,80 @@ typedef struct Argon2_Context {
     uint32_t flags; /* array of bool options */
 } argon2_context;
 
+/* Argon2 primitive type */
+typedef enum Argon2_type { Argon2_d = 0, Argon2_i = 1 } argon2_type;
+
+/**
+ * Hashes a password with Argon2i, producing an encoded hash
+ * @param t_cost Number of iterations
+ * @param m_cost Sets memory usage to 2^m_cost kibibytes
+ * @param parallelism Number of threads and compute lanes
+ * @param pwd Pointer to password
+ * @param pwdlen Password size in bytes
+ * @param salt Pointer to salt
+ * @param saltlen Salt size in bytes
+ * @param hashlen Desired length of the hash in bytes
+ * @param encoded Buffer where to write the encoded hash
+ * @param encodedlen Size of the buffer (thus max size of the encoded hash)
+ * @pre   Different parallelism levels will give different results
+ * @pre   Returns ARGON2_OK if successful
+ */
+int argon2i_hash_encoded(const uint32_t t_cost, const uint32_t m_cost,
+                         const uint32_t parallelism, const void *pwd,
+                         const size_t pwdlen, const void *salt,
+                         const size_t saltlen, const size_t hashlen,
+                         char *encoded, const size_t encodedlen);
+
+/**
+ * Hashes a password with Argon2i, producing a raw hash
+ * @param t_cost Number of iterations
+ * @param m_cost Sets memory usage to 2^m_cost kibibytes
+ * @param parallelism Number of threads and compute lanes
+ * @param pwd Pointer to password
+ * @param pwdlen Password size in bytes
+ * @param salt Pointer to salt
+ * @param saltlen Salt size in bytes
+ * @param hash Buffer where to write the raw hash
+ * @param hashlen Desired length of the hash in bytes
+ * @pre   Different parallelism levels will give different results
+ * @pre   Returns ARGON2_OK if successful
+ */
+int argon2i_hash_raw(const uint32_t t_cost, const uint32_t m_cost,
+                     const uint32_t parallelism, const void *pwd,
+                     const size_t pwdlen, const void *salt,
+                     const size_t saltlen, void *hash, const size_t hashlen);
+
+int argon2d_hash_encoded(const uint32_t t_cost, const uint32_t m_cost,
+                         const uint32_t parallelism, const void *pwd,
+                         const size_t pwdlen, const void *salt,
+                         const size_t saltlen, const size_t hashlen,
+                         char *encoded, const size_t encodedlen);
+
+int argon2d_hash_raw(const uint32_t t_cost, const uint32_t m_cost,
+                     const uint32_t parallelism, const void *pwd,
+                     const size_t pwdlen, const void *salt,
+                     const size_t saltlen, void *hash, const size_t hashlen);
+
+/* generic function underlying the above ones */
+int argon2_hash(const uint32_t t_cost, const uint32_t m_cost,
+                const uint32_t parallelism, const void *pwd,
+                const size_t pwdlen, const void *salt, const size_t saltlen,
+                void *hash, const size_t hashlen, char *encoded,
+                const size_t encodedlen, argon2_type type);
+
 /**
- * Function to hash the inputs in the memory-hard fashion (uses Argon2i)
- * @param  out  Pointer to the memory where the hash digest will be written
- * @param  outlen Digest length in bytes
- * @param  in Pointer to the input (password)
- * @param  inlen Input length in bytes
- * @param  salt Pointer to the salt
- * @param  saltlen Salt length in bytes
- * @pre    @a out must have at least @a outlen bytes allocated
- * @pre    @a in must be at least @inlen bytes long
- * @pre    @a saltlen must be at least @saltlen bytes long
- * @return Zero if successful, 1 otherwise.
+ * Verifies a password against an encoded string
+ * @param encoded String encoding parameters, salt, hash
+ * @param pwd Pointer to password
+ * @pre   Returns ARGON2_OK if successful
  */
-int hash_argon2i(void *out, size_t outlen, const void *in, size_t inlen,
-                 const void *salt, size_t saltlen, unsigned int t_cost,
-                 unsigned int m_cost);
+int argon2i_verify(const char *encoded, const void *pwd, const size_t pwdlen);
 
-/* same for argon2d */
-int hash_argon2d(void *out, size_t outlen, const void *in, size_t inlen,
-                 const void *salt, size_t saltlen, unsigned int t_cost,
-                 unsigned int m_cost);
+int argon2d_verify(const char *encoded, const void *pwd, const size_t pwdlen);
+
+/* generic function underlying the above ones */
+int argon2_verify(const char *encoded, const void *pwd, const size_t pwdlen,
+                  argon2_type type);
 
 /*
  * **************Argon2d: Version of Argon2 that picks memory blocks depending
@@ -269,28 +325,6 @@ int verify_d(argon2_context *context, const char *hash);
  */
 const char *error_message(int error_code);
 
-/* ==================================================================== */
-/*
- * Code specific to Argon2i.
- *
- * The code below applies the following format:
- *
- *  $argon2i$m=<num>,t=<num>,p=<num>[,keyid=<bin>][,data=<bin>][$<bin>[$<bin>]]
- *
- * where <num> is a decimal integer (positive, fits in an 'unsigned long')
- * and <bin> is Base64-encoded data (no '=' padding characters, no newline
- * or whitespace). The "keyid" is a binary identifier for a key (up to 8
- * bytes); "data" is associated data (up to 32 bytes). When the 'keyid'
- * (resp. the 'data') is empty, then it is ommitted from the output.
- *
- * The last two binary chunks (encoded in Base64) are, in that order,
- * the salt and the output. Both are optional, but you cannot have an
- * output without a salt. The binary salt length is between 8 and 48 bytes.
- * The output length is always exactly 32 bytes.
- */
-
-int encode_string(char *dst, size_t dst_len, argon2_context *ctx);
-
 #if defined(__cplusplus)
 }
 #endif

data/ext/phc-winner-argon2/src/core.c

@@ -26,7 +26,6 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include "argon2.h"
 #include "core.h"
 #include "thread.h"
 #include "blake2/blake2.h"

data/ext/phc-winner-argon2/src/core.h

@@ -14,6 +14,8 @@
 #ifndef ARGON2_CORE_H
 #define ARGON2_CORE_H
 
+#include "argon2.h"
+
 #if defined(_MSC_VER)
 #define ALIGN(n) __declspec(align(16))
 #elif defined(__GNUC__) || defined(__clang)
@@ -44,9 +46,6 @@ enum argon2_core_constants {
     ARGON2_PREHASH_SEED_LENGTH = 72
 };
 
-/* Argon2 primitive type */
-typedef enum Argon2_type { Argon2_d = 0, Argon2_i = 1 } argon2_type;
-
 /*************************Argon2 internal data
  * types**************************************************/
 

data/ext/phc-winner-argon2/src/encoding.c

@@ -0,0 +1,435 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include "encoding.h"
+
+#/*
+ * Example code for a decoder and encoder of "hash strings", with Argon2i
+ * parameters.
+ *
+ * This code comprises three sections:
+ *
+ *   -- The first section contains generic Base64 encoding and decoding
+ *   functions. It is conceptually applicable to any hash function
+ *   implementation that uses Base64 to encode and decode parameters,
+ *   salts and outputs. It could be made into a library, provided that
+ *   the relevant functions are made public (non-static) and be given
+ *   reasonable names to avoid collisions with other functions.
+ *
+ *   -- The second section is specific to Argon2i. It encodes and decodes
+ *   the parameters, salts and outputs. It does not compute the hash
+ *   itself.
+ *
+ *   -- The third section is test code, with a main() function. With
+ *   this section, the whole file compiles as a stand-alone program
+ *   that exercises the encoding and decoding functions with some
+ *   test vectors.
+ *
+ * The code was originally written by Thomas Pornin <pornin@bolet.org>,
+ * to whom comments and remarks may be sent. It is released under what
+ * should amount to Public Domain or its closest equivalent; the
+ * following mantra is supposed to incarnate that fact with all the
+ * proper legal rituals:
+ *
+ * ---------------------------------------------------------------------
+ * This file is provided under the terms of Creative Commons CC0 1.0
+ * Public Domain Dedication. To the extent possible under law, the
+ * author (Thomas Pornin) has waived all copyright and related or
+ * neighboring rights to this file. This work is published from: Canada.
+ * ---------------------------------------------------------------------
+ *
+ * Copyright (c) 2015 Thomas Pornin
+ */
+
+/* ==================================================================== */
+/*
+ * Common code; could be shared between different hash functions.
+ *
+ * Note: the Base64 functions below assume that uppercase letters (resp.
+ * lowercase letters) have consecutive numerical codes, that fit on 8
+ * bits. All modern systems use ASCII-compatible charsets, where these
+ * properties are true. If you are stuck with a dinosaur of a system
+ * that still defaults to EBCDIC then you already have much bigger
+ * interoperability issues to deal with.
+ */
+
+/*
+ * Some macros for constant-time comparisons. These work over values in
+ * the 0..255 range. Returned value is 0x00 on "false", 0xFF on "true".
+ */
+#define EQ(x, y) ((((-((unsigned)(x) ^ (unsigned)(y))) >> 8) & 0xFF) ^ 0xFF)
+#define GT(x, y) ((((unsigned)(y) - (unsigned)(x)) >> 8) & 0xFF)
+#define GE(x, y) (GT(y, x) ^ 0xFF)
+#define LT(x, y) GT(y, x)
+#define LE(x, y) GE(y, x)
+
+/*
+ * Convert value x (0..63) to corresponding Base64 character.
+ */
+static int b64_byte_to_char(unsigned x) {
+    return (LT(x, 26) & (x + 'A')) |
+           (GE(x, 26) & LT(x, 52) & (x + ('a' - 26))) |
+           (GE(x, 52) & LT(x, 62) & (x + ('0' - 52))) | (EQ(x, 62) & '+') |
+           (EQ(x, 63) & '/');
+}
+
+/*
+ * Convert character c to the corresponding 6-bit value. If character c
+ * is not a Base64 character, then 0xFF (255) is returned.
+ */
+static unsigned b64_char_to_byte(int c) {
+    unsigned x;
+
+    x = (GE(c, 'A') & LE(c, 'Z') & (c - 'A')) |
+        (GE(c, 'a') & LE(c, 'z') & (c - ('a' - 26))) |
+        (GE(c, '0') & LE(c, '9') & (c - ('0' - 52))) | (EQ(c, '+') & 62) |
+        (EQ(c, '/') & 63);
+    return x | (EQ(x, 0) & (EQ(c, 'A') ^ 0xFF));
+}
+
+/*
+ * Convert some bytes to Base64. 'dst_len' is the length (in characters)
+ * of the output buffer 'dst'; if that buffer is not large enough to
+ * receive the result (including the terminating 0), then (size_t)-1
+ * is returned. Otherwise, the zero-terminated Base64 string is written
+ * in the buffer, and the output length (counted WITHOUT the terminating
+ * zero) is returned.
+ */
+static size_t to_base64(char *dst, size_t dst_len, const void *src,
+                        size_t src_len) {
+    size_t olen;
+    const unsigned char *buf;
+    unsigned acc, acc_len;
+
+    olen = (src_len / 3) << 2;
+    switch (src_len % 3) {
+    case 2:
+        olen++;
+    /* fall through */
+    case 1:
+        olen += 2;
+        break;
+    }
+    if (dst_len <= olen) {
+        return (size_t)-1;
+    }
+    acc = 0;
+    acc_len = 0;
+    buf = (const unsigned char *)src;
+    while (src_len-- > 0) {
+        acc = (acc << 8) + (*buf++);
+        acc_len += 8;
+        while (acc_len >= 6) {
+            acc_len -= 6;
+            *dst++ = b64_byte_to_char((acc >> acc_len) & 0x3F);
+        }
+    }
+    if (acc_len > 0) {
+        *dst++ = b64_byte_to_char((acc << (6 - acc_len)) & 0x3F);
+    }
+    *dst++ = 0;
+    return olen;
+}
+
+/*
+ * Decode Base64 chars into bytes. The '*dst_len' value must initially
+ * contain the length of the output buffer '*dst'; when the decoding
+ * ends, the actual number of decoded bytes is written back in
+ * '*dst_len'.
+ *
+ * Decoding stops when a non-Base64 character is encountered, or when
+ * the output buffer capacity is exceeded. If an error occurred (output
+ * buffer is too small, invalid last characters leading to unprocessed
+ * buffered bits), then NULL is returned; otherwise, the returned value
+ * points to the first non-Base64 character in the source stream, which
+ * may be the terminating zero.
+ */
+static const char *from_base64(void *dst, size_t *dst_len, const char *src) {
+    size_t len;
+    unsigned char *buf;
+    unsigned acc, acc_len;
+
+    buf = (unsigned char *)dst;
+    len = 0;
+    acc = 0;
+    acc_len = 0;
+    for (;;) {
+        unsigned d;
+
+        d = b64_char_to_byte(*src);
+        if (d == 0xFF) {
+            break;
+        }
+        src++;
+        acc = (acc << 6) + d;
+        acc_len += 6;
+        if (acc_len >= 8) {
+            acc_len -= 8;
+            if ((len++) >= *dst_len) {
+                return NULL;
+            }
+            *buf++ = (acc >> acc_len) & 0xFF;
+        }
+    }
+
+    /*
+     * If the input length is equal to 1 modulo 4 (which is
+     * invalid), then there will remain 6 unprocessed bits;
+     * otherwise, only 0, 2 or 4 bits are buffered. The buffered
+     * bits must also all be zero.
+     */
+    if (acc_len > 4 || (acc & (((unsigned)1 << acc_len) - 1)) != 0) {
+        return NULL;
+    }
+    *dst_len = len;
+    return src;
+}
+
+/*
+ * Decode decimal integer from 'str'; the value is written in '*v'.
+ * Returned value is a pointer to the next non-decimal character in the
+ * string. If there is no digit at all, or the value encoding is not
+ * minimal (extra leading zeros), or the value does not fit in an
+ * 'unsigned long', then NULL is returned.
+ */
+static const char *decode_decimal(const char *str, unsigned long *v) {
+    const char *orig;
+    unsigned long acc;
+
+    orig = str;
+    acc = 0;
+    for (orig = str;; str++) {
+        int c;
+
+        c = *str;
+        if (c < '0' || c > '9') {
+            break;
+        }
+        c -= '0';
+        if (acc > (ULONG_MAX / 10)) {
+            return NULL;
+        }
+        acc *= 10;
+        if ((unsigned long)c > (ULONG_MAX - acc)) {
+            return NULL;
+        }
+        acc += (unsigned long)c;
+    }
+    if (str == orig || (*orig == '0' && str != (orig + 1))) {
+        return NULL;
+    }
+    *v = acc;
+    return str;
+}
+
+/* ==================================================================== */
+/*
+ * Code specific to Argon2i.
+ *
+ * The code below applies the following format:
+ *
+ *  $argon2i$m=<num>,t=<num>,p=<num>[,keyid=<bin>][,data=<bin>][$<bin>[$<bin>]]
+ *
+ * where <num> is a decimal integer (positive, fits in an 'unsigned long')
+ * and <bin> is Base64-encoded data (no '=' padding characters, no newline
+ * or whitespace). The "keyid" is a binary identifier for a key (up to 8
+ * bytes); "data" is associated data (up to 32 bytes). When the 'keyid'
+ * (resp. the 'data') is empty, then it is ommitted from the output.
+ *
+ * The last two binary chunks (encoded in Base64) are, in that order,
+ * the salt and the output. Both are optional, but you cannot have an
+ * output without a salt. The binary salt length is between 8 and 48 bytes.
+ * The output length is always exactly 32 bytes.
+ */
+
+/*
+ * Decode an Argon2i hash string into the provided structure 'ctx'.
+ * Returned value is 1 on success, 0 on error.
+ */
+int decode_string(argon2_context *ctx, const char *str, argon2_type type) {
+#define CC(prefix)                                                             \
+    do {                                                                       \
+        size_t cc_len = strlen(prefix);                                        \
+        if (strncmp(str, prefix, cc_len) != 0) {                               \
+            return 0;                                                          \
+        }                                                                      \
+        str += cc_len;                                                         \
+    } while (0)
+
+#define CC_opt(prefix, code)                                                   \
+    do {                                                                       \
+        size_t cc_len = strlen(prefix);                                        \
+        if (strncmp(str, prefix, cc_len) == 0) {                               \
+            str += cc_len;                                                     \
+            { code; }                                                          \
+        }                                                                      \
+    } while (0)
+
+#define DECIMAL(x)                                                             \
+    do {                                                                       \
+        unsigned long dec_x;                                                   \
+        str = decode_decimal(str, &dec_x);                                     \
+        if (str == NULL) {                                                     \
+            return 0;                                                          \
+        }                                                                      \
+        (x) = dec_x;                                                           \
+    } while (0)
+
+#define BIN(buf, max_len, len)                                                 \
+    do {                                                                       \
+        size_t bin_len = (max_len);                                            \
+        str = from_base64(buf, &bin_len, str);                                 \
+        if (str == NULL) {                                                     \
+            return 0;                                                          \
+        }                                                                      \
+        (len) = bin_len;                                                       \
+    } while (0)
+
+    size_t maxadlen = ctx->adlen;
+    size_t maxsaltlen = ctx->saltlen;
+    size_t maxoutlen = ctx->outlen;
+
+    ctx->adlen = 0;
+    ctx->saltlen = 0;
+    ctx->outlen = 0;
+    if (type == Argon2_i)
+        CC("$argon2i");
+    else if (type == Argon2_d)
+        CC("$argon2d");
+    else
+        return 0;
+    CC("$m=");
+    DECIMAL(ctx->m_cost);
+    CC(",t=");
+    DECIMAL(ctx->t_cost);
+    CC(",p=");
+    DECIMAL(ctx->lanes);
+    ctx->threads = ctx->lanes;
+
+    /*
+     * Both m and t must be no more than 2^32-1. The tests below
+     * use a shift by 30 bits to avoid a direct comparison with
+     * 0xFFFFFFFF, which may trigger a spurious compiler warning
+     * on machines where 'unsigned long' is a 32-bit type.
+     */
+    if (ctx->m_cost < 1 || (ctx->m_cost >> 30) > 3) {
+        return 0;
+    }
+    if (ctx->t_cost < 1 || (ctx->t_cost >> 30) > 3) {
+        return 0;
+    }
+
+    /*
+     * The parallelism p must be between 1 and 255. The memory cost
+     * parameter, expressed in kilobytes, must be at least 8 times
+     * the value of p.
+     */
+    if (ctx->lanes < 1 || ctx->lanes > 255) {
+        return 0;
+    }
+    if (ctx->m_cost < (ctx->lanes << 3)) {
+        return 0;
+    }
+
+    CC_opt(",data=", BIN(ctx->ad, maxadlen, ctx->adlen));
+    if (*str == 0) {
+        return 1;
+    }
+    CC("$");
+    BIN(ctx->salt, maxsaltlen, ctx->saltlen);
+    if (ctx->saltlen < 8) {
+        return 0;
+    }
+    if (*str == 0) {
+        return 1;
+    }
+    CC("$");
+    BIN(ctx->out, maxoutlen, ctx->outlen);
+    if (ctx->outlen < 12) {
+        return 0;
+    }
+    return *str == 0;
+
+#undef CC
+#undef CC_opt
+#undef DECIMAL
+#undef BIN
+}
+
+/*
+ * encode an argon2i hash string into the provided buffer. 'dst_len'
+ * contains the size, in characters, of the 'dst' buffer; if 'dst_len'
+ * is less than the number of required characters (including the
+ * terminating 0), then this function returns 0.
+ *
+ * if pp->output_len is 0, then the hash string will be a salt string
+ * (no output). if pp->salt_len is also 0, then the string will be a
+ * parameter-only string (no salt and no output).
+ *
+ * on success, 1 is returned.
+ */
+int encode_string(char *dst, size_t dst_len, argon2_context *ctx,
+                  argon2_type type) {
+#define SS(str)                                                                \
+    do {                                                                       \
+        size_t pp_len = strlen(str);                                           \
+        if (pp_len >= dst_len) {                                               \
+            return 0;                                                          \
+        }                                                                      \
+        memcpy(dst, str, pp_len + 1);                                          \
+        dst += pp_len;                                                         \
+        dst_len -= pp_len;                                                     \
+    } while (0)
+
+#define SX(x)                                                                  \
+    do {                                                                       \
+        char tmp[30];                                                          \
+        sprintf(tmp, "%lu", (unsigned long)(x));                               \
+        SS(tmp);                                                               \
+    } while (0);
+
+#define SB(buf, len)                                                           \
+    do {                                                                       \
+        size_t sb_len = to_base64(dst, dst_len, buf, len);                     \
+        if (sb_len == (size_t)-1) {                                            \
+            return 0;                                                          \
+        }                                                                      \
+        dst += sb_len;                                                         \
+        dst_len -= sb_len;                                                     \
+    } while (0);
+
+    if (type == Argon2_i)
+        SS("$argon2i$m=");
+    else if (type == Argon2_d)
+        SS("$argon2d$m=");
+    else
+        return 0;
+    SX(ctx->m_cost);
+    SS(",t=");
+    SX(ctx->t_cost);
+    SS(",p=");
+    SX(ctx->lanes);
+
+    if (ctx->adlen > 0) {
+        SS(",data=");
+        SB(ctx->ad, ctx->adlen);
+    }
+
+    if (ctx->saltlen == 0)
+        return 1;
+
+    SS("$");
+    SB(ctx->salt, ctx->saltlen);
+
+    if (ctx->outlen == 0)
+        return 1;
+
+    SS("$");
+    SB(ctx->out, ctx->outlen);
+    return 1;
+
+#undef SS
+#undef SX
+#undef SB
+}