argon2 0.1.4 → 1.0.0

data/ext/phc-winner-argon2/src/core.h

@@ -24,12 +24,14 @@
 #define ALIGN(x)
 #endif
 
+#define CONST_CAST(x) (x)(uintptr_t)
+
 /*************************Argon2 internal
  * constants**************************************************/
 
 enum argon2_core_constants {
     /* Version of the algorithm */
-    ARGON2_VERSION_NUMBER = 0x10,
+    ARGON2_VERSION_NUMBER = 0x13,
 
     /* Memory block size in bytes */
     ARGON2_BLOCK_SIZE = 1024,
@@ -212,7 +214,8 @@ void fill_segment(const argon2_instance_t *instance,
  * Function that fills the entire memory t_cost times based on the first two
  * blocks in each lane
  * @param instance Pointer to the current instance
+ * @return ARGON2_OK if successful, @context->state
  */
-void fill_memory_blocks(argon2_instance_t *instance);
+int fill_memory_blocks(argon2_instance_t *instance);
 
 #endif

data/ext/phc-winner-argon2/src/encoding.c

@@ -3,9 +3,10 @@
 #include <string.h>
 #include <limits.h>
 #include "encoding.h"
+#include "core.h"
 
-#/*
- * Example code for a decoder and encoder of "hash strings", with Argon2i
+/*
+ * Example code for a decoder and encoder of "hash strings", with Argon2
  * parameters.
  *
  * This code comprises three sections:
@@ -17,7 +18,7 @@
  *   the relevant functions are made public (non-static) and be given
  *   reasonable names to avoid collisions with other functions.
  *
- *   -- The second section is specific to Argon2i. It encodes and decodes
+ *   -- The second section is specific to Argon2. It encodes and decodes
  *   the parameters, salts and outputs. It does not compute the hash
  *   itself.
  *
@@ -58,7 +59,7 @@
  * Some macros for constant-time comparisons. These work over values in
  * the 0..255 range. Returned value is 0x00 on "false", 0xFF on "true".
  */
-#define EQ(x, y) ((((0U-((unsigned)(x) ^ (unsigned)(y))) >> 8) & 0xFF) ^ 0xFF)
+#define EQ(x, y) ((((0U - ((unsigned)(x) ^ (unsigned)(y))) >> 8) & 0xFF) ^ 0xFF)
 #define GT(x, y) ((((unsigned)(y) - (unsigned)(x)) >> 8) & 0xFF)
 #define GE(x, y) (GT(y, x) ^ 0xFF)
 #define LT(x, y) GT(y, x)
@@ -122,11 +123,11 @@ static size_t to_base64(char *dst, size_t dst_len, const void *src,
         acc_len += 8;
         while (acc_len >= 6) {
             acc_len -= 6;
-            *dst++ = (char) b64_byte_to_char((acc >> acc_len) & 0x3F);
+            *dst++ = (char)b64_byte_to_char((acc >> acc_len) & 0x3F);
         }
     }
     if (acc_len > 0) {
-        *dst++ = (char) b64_byte_to_char((acc << (6 - acc_len)) & 0x3F);
+        *dst++ = (char)b64_byte_to_char((acc << (6 - acc_len)) & 0x3F);
     }
     *dst++ = 0;
     return olen;
@@ -224,16 +225,17 @@ static const char *decode_decimal(const char *str, unsigned long *v) {
 
 /* ==================================================================== */
 /*
- * Code specific to Argon2i.
+ * Code specific to Argon2.
  *
  * The code below applies the following format:
  *
- *  $argon2i$m=<num>,t=<num>,p=<num>[,keyid=<bin>][,data=<bin>][$<bin>[$<bin>]]
+ *  $argon2<T>$m=<num>,t=<num>,p=<num>[,keyid=<bin>][,data=<bin>][$<bin>[$<bin>]]
  *
- * where <num> is a decimal integer (positive, fits in an 'unsigned long')
- * and <bin> is Base64-encoded data (no '=' padding characters, no newline
- * or whitespace). The "keyid" is a binary identifier for a key (up to 8
- * bytes); "data" is associated data (up to 32 bytes). When the 'keyid'
+ * where <T> is either 'd' or 'i', <num> is a decimal integer (positive, fits in
+ * an 'unsigned long'), and <bin> is Base64-encoded data (no '=' padding
+ * characters, no newline or whitespace).
+ * The "keyid" is a binary identifier for a key (up to 8 bytes);
+ * "data" is associated data (up to 32 bytes). When the 'keyid'
  * (resp. the 'data') is empty, then it is ommitted from the output.
  *
  * The last two binary chunks (encoded in Base64) are, in that order,
@@ -242,20 +244,19 @@ static const char *decode_decimal(const char *str, unsigned long *v) {
  * The output length is always exactly 32 bytes.
  */
 
-/*
- * Decode an Argon2i hash string into the provided structure 'ctx'.
- * Returned value is 1 on success, 0 on error.
- */
 int decode_string(argon2_context *ctx, const char *str, argon2_type type) {
+
+/* check for prefix */
 #define CC(prefix)                                                             \
     do {                                                                       \
         size_t cc_len = strlen(prefix);                                        \
         if (strncmp(str, prefix, cc_len) != 0) {                               \
-            return 0;                                                          \
+            return ARGON2_DECODING_FAIL;                                       \
         }                                                                      \
         str += cc_len;                                                         \
     } while ((void)0, 0)
 
+/* prefix checking with supplied code */
 #define CC_opt(prefix, code)                                                   \
     do {                                                                       \
         size_t cc_len = strlen(prefix);                                        \
@@ -265,12 +266,13 @@ int decode_string(argon2_context *ctx, const char *str, argon2_type type) {
         }                                                                      \
     } while ((void)0, 0)
 
+/* Decoding  prefix into decimal */
 #define DECIMAL(x)                                                             \
     do {                                                                       \
         unsigned long dec_x;                                                   \
         str = decode_decimal(str, &dec_x);                                     \
         if (str == NULL) {                                                     \
-            return 0;                                                          \
+            return ARGON2_DECODING_FAIL;                                       \
         }                                                                      \
         (x) = dec_x;                                                           \
     } while ((void)0, 0)
@@ -280,7 +282,7 @@ int decode_string(argon2_context *ctx, const char *str, argon2_type type) {
         size_t bin_len = (max_len);                                            \
         str = from_base64(buf, &bin_len, str);                                 \
         if (str == NULL || bin_len > UINT32_MAX) {                             \
-            return 0;                                                          \
+            return ARGON2_DECODING_FAIL;                                       \
         }                                                                      \
         (len) = (uint32_t)bin_len;                                             \
     } while ((void)0, 0)
@@ -288,16 +290,19 @@ int decode_string(argon2_context *ctx, const char *str, argon2_type type) {
     size_t maxadlen = ctx->adlen;
     size_t maxsaltlen = ctx->saltlen;
     size_t maxoutlen = ctx->outlen;
+    int validation_result;
 
     ctx->adlen = 0;
     ctx->saltlen = 0;
     ctx->outlen = 0;
+    ctx->pwdlen = 0;
+
     if (type == Argon2_i)
         CC("$argon2i");
     else if (type == Argon2_d)
         CC("$argon2d");
     else
-        return 0;
+        return ARGON2_INCORRECT_TYPE;
     CC("$m=");
     DECIMAL(ctx->m_cost);
     CC(",t=");
@@ -306,75 +311,39 @@ int decode_string(argon2_context *ctx, const char *str, argon2_type type) {
     DECIMAL(ctx->lanes);
     ctx->threads = ctx->lanes;
 
-    /*
-     * Both m and t must be no more than 2^32-1. The tests below
-     * use a shift by 30 bits to avoid a direct comparison with
-     * 0xFFFFFFFF, which may trigger a spurious compiler warning
-     * on machines where 'unsigned long' is a 32-bit type.
-     */
-    if (ctx->m_cost < 1 || (ctx->m_cost >> 30) > 3) {
-        return 0;
-    }
-    if (ctx->t_cost < 1 || (ctx->t_cost >> 30) > 3) {
-        return 0;
-    }
-
-    /*
-     * The parallelism p must be between 1 and 255. The memory cost
-     * parameter, expressed in kilobytes, must be at least 8 times
-     * the value of p.
-     */
-    if (ctx->lanes < 1 || ctx->lanes > 255) {
-        return 0;
-    }
-    if (ctx->m_cost < (ctx->lanes << 3)) {
-        return 0;
-    }
-
     CC_opt(",data=", BIN(ctx->ad, maxadlen, ctx->adlen));
     if (*str == 0) {
-        return 1;
+        return ARGON2_OK;
     }
     CC("$");
     BIN(ctx->salt, maxsaltlen, ctx->saltlen);
-    if (ctx->saltlen < 8) {
-        return 0;
-    }
     if (*str == 0) {
-        return 1;
+        return ARGON2_OK;
     }
     CC("$");
     BIN(ctx->out, maxoutlen, ctx->outlen);
-    if (ctx->outlen < 12) {
-        return 0;
+    validation_result = validate_inputs(ctx);
+    if (validation_result != ARGON2_OK) {
+        return validation_result;
+    }
+    if (*str == 0) {
+        return ARGON2_OK;
+    } else {
+        return ARGON2_DECODING_FAIL;
     }
-    return *str == 0;
-
 #undef CC
 #undef CC_opt
 #undef DECIMAL
 #undef BIN
 }
 
-/*
- * encode an argon2i hash string into the provided buffer. 'dst_len'
- * contains the size, in characters, of the 'dst' buffer; if 'dst_len'
- * is less than the number of required characters (including the
- * terminating 0), then this function returns 0.
- *
- * if pp->output_len is 0, then the hash string will be a salt string
- * (no output). if pp->salt_len is also 0, then the string will be a
- * parameter-only string (no salt and no output).
- *
- * on success, 1 is returned.
- */
 int encode_string(char *dst, size_t dst_len, argon2_context *ctx,
                   argon2_type type) {
 #define SS(str)                                                                \
     do {                                                                       \
         size_t pp_len = strlen(str);                                           \
         if (pp_len >= dst_len) {                                               \
-            return 0;                                                          \
+            return ARGON2_ENCODING_FAIL;                                       \
         }                                                                      \
         memcpy(dst, str, pp_len + 1);                                          \
         dst += pp_len;                                                         \
@@ -392,7 +361,7 @@ int encode_string(char *dst, size_t dst_len, argon2_context *ctx,
     do {                                                                       \
         size_t sb_len = to_base64(dst, dst_len, buf, len);                     \
         if (sb_len == (size_t)-1) {                                            \
-            return 0;                                                          \
+            return ARGON2_ENCODING_FAIL;                                       \
         }                                                                      \
         dst += sb_len;                                                         \
         dst_len -= sb_len;                                                     \
@@ -403,7 +372,11 @@ int encode_string(char *dst, size_t dst_len, argon2_context *ctx,
     else if (type == Argon2_d)
         SS("$argon2d$m=");
     else
-        return 0;
+        return ARGON2_ENCODING_FAIL;
+
+    if (validate_inputs(ctx) != ARGON2_OK) {
+        return validate_inputs(ctx);
+    }
     SX(ctx->m_cost);
     SS(",t=");
     SX(ctx->t_cost);
@@ -416,17 +389,17 @@ int encode_string(char *dst, size_t dst_len, argon2_context *ctx,
     }
 
     if (ctx->saltlen == 0)
-        return 1;
+        return ARGON2_OK;
 
     SS("$");
     SB(ctx->salt, ctx->saltlen);
 
     if (ctx->outlen == 0)
-        return 1;
+        return ARGON2_OK;
 
     SS("$");
     SB(ctx->out, ctx->outlen);
-    return 1;
+    return ARGON2_OK;
 
 #undef SS
 #undef SX

data/ext/phc-winner-argon2/src/encoding.h

@@ -2,9 +2,33 @@
 #define ENCODING_H
 #include "argon2.h"
 
+#define ARGON2_MAX_DECODED_LANES UINT32_C(255)
+#define ARGON2_MIN_DECODED_SALT_LEN UINT32_C(8)
+#define ARGON2_MIN_DECODED_OUT_LEN UINT32_C(12)
+
+/*
+* encode an Argon2 hash string into the provided buffer. 'dst_len'
+* contains the size, in characters, of the 'dst' buffer; if 'dst_len'
+* is less than the number of required characters (including the
+* terminating 0), then this function returns ARGON2_ENCODING_ERROR.
+*
+* if ctx->outlen is 0, then the hash string will be a salt string
+* (no output). if ctx->saltlen is also 0, then the string will be a
+* parameter-only string (no salt and no output).
+*
+* on success, ARGON2_OK is returned.
+*
+* No other parameters are checked
+*/
 int encode_string(char *dst, size_t dst_len, argon2_context *ctx,
                   argon2_type type);
 
+/*
+* Decodes an Argon2 hash string into the provided structure 'ctx'.
+* The fields ctx.saltlen, ctx.adlen, ctx.outlen set the maximal salt, ad, out
+* length values that are allowed; invalid input string causes an error.
+* Returned value is ARGON2_OK on success, other ARGON2_ codes on error.
+*/
 int decode_string(argon2_context *ctx, const char *str, argon2_type type);
 
 #endif

data/ext/phc-winner-argon2/src/genkat.c

@@ -180,9 +180,9 @@ static void generate_testvectors(const char *type) {
 #undef TEST_ADLEN
 
     if (!strcmp(type, "d")) {
-        argon2d(&context);
+        argon2d_ctx(&context);
     } else if (!strcmp(type, "i")) {
-        argon2i(&context);
+        argon2i_ctx(&context);
     } else
         fatal("wrong Argon2 type");
 }

data/ext/phc-winner-argon2/src/opt.c

@@ -16,19 +16,20 @@
 #include <stdlib.h>
 
 #include "argon2.h"
-#include "core.h"
 #include "opt.h"
 
 #include "blake2/blake2.h"
 #include "blake2/blamka-round-opt.h"
 
-void fill_block(__m128i *state, const uint8_t *ref_block, uint8_t *next_block) {
+void fill_block_with_xor(__m128i *state, const uint8_t *ref_block, uint8_t *next_block) {
     __m128i block_XY[ARGON2_OWORDS_IN_BLOCK];
     uint32_t i;
 
-    for (i = 0; i < ARGON2_OWORDS_IN_BLOCK; i++) {
-        block_XY[i] = state[i] = _mm_xor_si128(
+    for (i = 0; i < ARGON2_OWORDS_IN_BLOCK; i++) { 
+       state[i] = _mm_xor_si128(
             state[i], _mm_loadu_si128((__m128i const *)(&ref_block[16 * i])));
+        block_XY[i] =  _mm_xor_si128(
+            state[i], _mm_loadu_si128((__m128i const *)(&next_block[16 * i])));
     }
 
     for (i = 0; i < 8; ++i) {
@@ -52,7 +53,7 @@ void fill_block(__m128i *state, const uint8_t *ref_block, uint8_t *next_block) {
 void generate_addresses(const argon2_instance_t *instance,
                         const argon2_position_t *position,
                         uint64_t *pseudo_rands) {
-    block address_block, input_block;
+    block address_block, input_block, tmp_block;
     uint32_t i;
 
     init_block_value(&address_block, 0);
@@ -68,14 +69,20 @@ void generate_addresses(const argon2_instance_t *instance,
 
         for (i = 0; i < instance->segment_length; ++i) {
             if (i % ARGON2_ADDRESSES_IN_BLOCK == 0) {
+                /*Temporary zero-initialized blocks*/
                 __m128i zero_block[ARGON2_OWORDS_IN_BLOCK];
                 __m128i zero2_block[ARGON2_OWORDS_IN_BLOCK];
                 memset(zero_block, 0, sizeof(zero_block));
                 memset(zero2_block, 0, sizeof(zero2_block));
+                init_block_value(&address_block, 0);
+                init_block_value(&tmp_block, 0);
+                /*Increasing index counter*/
                 input_block.v[6]++;
-                fill_block(zero_block, (uint8_t *)&input_block.v,
-                           (uint8_t *)&address_block.v);
-                fill_block(zero2_block, (uint8_t *)&address_block.v,
+                /*First iteration of G*/
+                fill_block_with_xor(zero_block, (uint8_t *)&input_block.v,
+                           (uint8_t *)&tmp_block.v);
+                /*Second iteration of G*/
+                fill_block_with_xor(zero2_block, (uint8_t *)&tmp_block.v,
                            (uint8_t *)&address_block.v);
             }
 
@@ -91,7 +98,7 @@ void fill_segment(const argon2_instance_t *instance,
     uint32_t prev_offset, curr_offset;
     uint32_t starting_index, i;
     __m128i state[64];
-    int data_independent_addressing = (instance->type == Argon2_i);
+    int data_independent_addressing;
 
     /* Pseudo-random values that determine the reference block position */
     uint64_t *pseudo_rands = NULL;
@@ -100,6 +107,8 @@ void fill_segment(const argon2_instance_t *instance,
         return;
     }
 
+    data_independent_addressing = (instance->type == Argon2_i);
+
     pseudo_rands =
         (uint64_t *)malloc(sizeof(uint64_t) * instance->segment_length);
     if (pseudo_rands == NULL) {
@@ -164,7 +173,7 @@ void fill_segment(const argon2_instance_t *instance,
         ref_block =
             instance->memory + instance->lane_length * ref_lane + ref_index;
         curr_block = instance->memory + curr_offset;
-        fill_block(state, (uint8_t *)ref_block->v, (uint8_t *)curr_block->v);
+        fill_block_with_xor(state, (uint8_t *)ref_block->v, (uint8_t *)curr_block->v);
     }
 
     free(pseudo_rands);

data/ext/phc-winner-argon2/src/opt.h

@@ -14,19 +14,18 @@
 #ifndef ARGON2_OPT_H
 #define ARGON2_OPT_H
 
-#include <stdint.h>
-#include <emmintrin.h>
-#include "argon2.h"
 #include "core.h"
+#include <emmintrin.h>
 
 /*
- * Function fills a new memory block. Differs from the
+ * Function fills a new memory block by XORing the new block over the old one. Memory must be initialized. 
+ * After finishing, @state is identical to @next_block
  * @param state Pointer to the just produced block. Content will be updated(!)
  * @param ref_block Pointer to the reference block
- * @param next_block Pointer to the block to be constructed
+ * @param next_block Pointer to the block to be XORed over. May coincide with @ref_block
  * @pre all block pointers must be valid
  */
-void fill_block(__m128i *state, const uint8_t *ref_block, uint8_t *next_block);
+void fill_block_with_xor(__m128i *state, const uint8_t *ref_block, uint8_t *next_block);
 
 /*
  * Generate pseudo-random values to reference blocks in the segment and puts
@@ -40,15 +39,4 @@ void generate_addresses(const argon2_instance_t *instance,
                         const argon2_position_t *position,
                         uint64_t *pseudo_rands);
 
-/*
- * Function that fills the segment using previous segments also from other
- * threads.
- * Identical to the reference code except that it calls optimized FillBlock()
- * @param instance Pointer to the current instance
- * @param position Current position
- * @pre all block pointers must be valid
- */
-void fill_segment(const argon2_instance_t *instance,
-                  argon2_position_t position);
-
 #endif /* ARGON2_OPT_H */