argon2 1.1.1 → 1.1.2

data/ext/phc-winner-argon2/src/genkat.h

@@ -1,14 +1,18 @@
 /*
- * Argon2 source code package
+ * Argon2 reference source code package - reference C implementations
  *
- * Written by Daniel Dinu and Dmitry Khovratovich, 2015
+ * Copyright 2015
+ * Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, and Samuel Neves
  *
- * This work is licensed under a Creative Commons CC0 1.0 License/Waiver.
+ * You may use this work under the terms of a Creative Commons CC0 1.0 
+ * License/Waiver or the Apache Public License 2.0, at your option. The terms of
+ * these licenses can be found at:
  *
- * You should have received a copy of the CC0 Public Domain Dedication along
- * with
- * this software. If not, see
- * <http://creativecommons.org/publicdomain/zero/1.0/>.
+ * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
+ * - Apache 2.0        : http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * You should have received a copy of both of these licenses along with this
+ * software. If not, they may be obtained at the above URLs.
  */
 
 #ifndef ARGON2_KAT_H

data/ext/phc-winner-argon2/src/opt.c

@@ -1,14 +1,18 @@
 /*
- * Argon2 source code package
+ * Argon2 reference source code package - reference C implementations
  *
- * Written by Daniel Dinu and Dmitry Khovratovich, 2015
+ * Copyright 2015
+ * Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, and Samuel Neves
  *
- * This work is licensed under a Creative Commons CC0 1.0 License/Waiver.
+ * You may use this work under the terms of a Creative Commons CC0 1.0 
+ * License/Waiver or the Apache Public License 2.0, at your option. The terms of
+ * these licenses can be found at:
  *
- * You should have received a copy of the CC0 Public Domain Dedication along
- * with
- * this software. If not, see
- * <http://creativecommons.org/publicdomain/zero/1.0/>.
+ * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
+ * - Apache 2.0        : http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * You should have received a copy of both of these licenses along with this
+ * software. If not, they may be obtained at the above URLs.
  */
 
 #include <stdint.h>
@@ -21,13 +25,23 @@
 #include "blake2/blake2.h"
 #include "blake2/blamka-round-opt.h"
 
-void fill_block(__m128i *state, const uint8_t *ref_block, uint8_t *next_block) {
+void fill_block(__m128i *state, const block *ref_block, block *next_block,
+                int with_xor) {
     __m128i block_XY[ARGON2_OWORDS_IN_BLOCK];
-    uint32_t i;
-
-    for (i = 0; i < ARGON2_OWORDS_IN_BLOCK; i++) {
-        block_XY[i] = state[i] = _mm_xor_si128(
-            state[i], _mm_loadu_si128((__m128i const *)(&ref_block[16 * i])));
+    unsigned int i;
+
+    if (with_xor) {
+        for (i = 0; i < ARGON2_OWORDS_IN_BLOCK; i++) {
+            state[i] = _mm_xor_si128(
+                state[i], _mm_loadu_si128((const __m128i *)ref_block->v + i));
+            block_XY[i] = _mm_xor_si128(
+                state[i], _mm_loadu_si128((const __m128i *)next_block->v + i));
+        }
+    } else {
+        for (i = 0; i < ARGON2_OWORDS_IN_BLOCK; i++) {
+            block_XY[i] = state[i] = _mm_xor_si128(
+                state[i], _mm_loadu_si128((const __m128i *)ref_block->v + i));
+        }
     }
 
     for (i = 0; i < 8; ++i) {
@@ -44,113 +58,67 @@ void fill_block(__m128i *state, const uint8_t *ref_block, uint8_t *next_block) {
 
     for (i = 0; i < ARGON2_OWORDS_IN_BLOCK; i++) {
         state[i] = _mm_xor_si128(state[i], block_XY[i]);
-        _mm_storeu_si128((__m128i *)(&next_block[16 * i]), state[i]);
-    }
-}
-
-void fill_block_with_xor(__m128i *state, const uint8_t *ref_block,
-                         uint8_t *next_block) {
-    __m128i block_XY[ARGON2_OWORDS_IN_BLOCK];
-    uint32_t i;
-
-    for (i = 0; i < ARGON2_OWORDS_IN_BLOCK; i++) { 
-       state[i] = _mm_xor_si128(
-            state[i], _mm_loadu_si128((__m128i const *)(&ref_block[16 * i])));
-        block_XY[i] =  _mm_xor_si128(
-            state[i], _mm_loadu_si128((__m128i const *)(&next_block[16 * i])));
-    }
-
-    for (i = 0; i < 8; ++i) {
-        BLAKE2_ROUND(state[8 * i + 0], state[8 * i + 1], state[8 * i + 2],
-                     state[8 * i + 3], state[8 * i + 4], state[8 * i + 5],
-                     state[8 * i + 6], state[8 * i + 7]);
-    }
-
-    for (i = 0; i < 8; ++i) {
-        BLAKE2_ROUND(state[8 * 0 + i], state[8 * 1 + i], state[8 * 2 + i],
-                     state[8 * 3 + i], state[8 * 4 + i], state[8 * 5 + i],
-                     state[8 * 6 + i], state[8 * 7 + i]);
-    }
-
-    for (i = 0; i < ARGON2_OWORDS_IN_BLOCK; i++) {
-        state[i] = _mm_xor_si128(state[i], block_XY[i]);
-        _mm_storeu_si128((__m128i *)(&next_block[16 * i]), state[i]);
+        _mm_storeu_si128((__m128i *)next_block->v + i, state[i]);
     }
 }
 
-void generate_addresses(const argon2_instance_t *instance,
-                        const argon2_position_t *position,
-                        uint64_t *pseudo_rands) {
-    block address_block, input_block, tmp_block;
-    uint32_t i;
+static void next_addresses(block *address_block, block *input_block) {
+    /*Temporary zero-initialized blocks*/
+    __m128i zero_block[ARGON2_OWORDS_IN_BLOCK];
+    __m128i zero2_block[ARGON2_OWORDS_IN_BLOCK];
 
-    init_block_value(&address_block, 0);
-    init_block_value(&input_block, 0);
+    memset(zero_block, 0, sizeof(zero_block));
+    memset(zero2_block, 0, sizeof(zero2_block));
 
-    if (instance != NULL && position != NULL) {
-        input_block.v[0] = position->pass;
-        input_block.v[1] = position->lane;
-        input_block.v[2] = position->slice;
-        input_block.v[3] = instance->memory_blocks;
-        input_block.v[4] = instance->passes;
-        input_block.v[5] = instance->type;
+    /*Increasing index counter*/
+    input_block->v[6]++;
 
-        for (i = 0; i < instance->segment_length; ++i) {
-            if (i % ARGON2_ADDRESSES_IN_BLOCK == 0) {
-                /*Temporary zero-initialized blocks*/
-                __m128i zero_block[ARGON2_OWORDS_IN_BLOCK];
-                __m128i zero2_block[ARGON2_OWORDS_IN_BLOCK];
-                memset(zero_block, 0, sizeof(zero_block));
-                memset(zero2_block, 0, sizeof(zero2_block));
-                init_block_value(&address_block, 0);
-                init_block_value(&tmp_block, 0);
-                /*Increasing index counter*/
-                input_block.v[6]++;
-                /*First iteration of G*/
-                fill_block_with_xor(zero_block, (uint8_t *)&input_block.v,
-                           (uint8_t *)&tmp_block.v);
-                /*Second iteration of G*/
-                fill_block_with_xor(zero2_block, (uint8_t *)&tmp_block.v,
-                           (uint8_t *)&address_block.v);
-            }
+    /*First iteration of G*/
+    fill_block(zero_block, input_block, address_block, 0);
 
-            pseudo_rands[i] = address_block.v[i % ARGON2_ADDRESSES_IN_BLOCK];
-        }
-    }
+    /*Second iteration of G*/
+    fill_block(zero2_block, address_block, address_block, 0);
 }
 
 void fill_segment(const argon2_instance_t *instance,
                   argon2_position_t position) {
     block *ref_block = NULL, *curr_block = NULL;
+    block address_block, input_block;
     uint64_t pseudo_rand, ref_index, ref_lane;
     uint32_t prev_offset, curr_offset;
     uint32_t starting_index, i;
     __m128i state[64];
     int data_independent_addressing;
 
-    /* Pseudo-random values that determine the reference block position */
-    uint64_t *pseudo_rands = NULL;
-
     if (instance == NULL) {
         return;
     }
 
-    data_independent_addressing = (instance->type == Argon2_i);
-
-    pseudo_rands =
-        (uint64_t *)malloc(sizeof(uint64_t) * instance->segment_length);
-    if (pseudo_rands == NULL) {
-        return;
-    }
+    data_independent_addressing =
+        (instance->type == Argon2_i) ||
+        (instance->type == Argon2_id && (position.pass == 0) &&
+         (position.slice < ARGON2_SYNC_POINTS / 2));
 
     if (data_independent_addressing) {
-        generate_addresses(instance, &position, pseudo_rands);
+        init_block_value(&input_block, 0);
+
+        input_block.v[0] = position.pass;
+        input_block.v[1] = position.lane;
+        input_block.v[2] = position.slice;
+        input_block.v[3] = instance->memory_blocks;
+        input_block.v[4] = instance->passes;
+        input_block.v[5] = instance->type;
     }
 
     starting_index = 0;
 
     if ((0 == position.pass) && (0 == position.slice)) {
         starting_index = 2; /* we have already generated the first two blocks */
+
+        /* Don't forget to generate the first block of addresses: */
+        if (data_independent_addressing) {
+            next_addresses(&address_block, &input_block);
+        }
     }
 
     /* Offset of the current block */
@@ -177,7 +145,10 @@ void fill_segment(const argon2_instance_t *instance,
         /* 1.2 Computing the index of the reference block */
         /* 1.2.1 Taking pseudo-random value from the previous block */
         if (data_independent_addressing) {
-            pseudo_rand = pseudo_rands[i];
+            if (i % ARGON2_ADDRESSES_IN_BLOCK == 0) {
+                next_addresses(&address_block, &input_block);
+            }
+            pseudo_rand = address_block.v[i % ARGON2_ADDRESSES_IN_BLOCK];
         } else {
             pseudo_rand = instance->memory[prev_offset].v[0];
         }
@@ -203,18 +174,13 @@ void fill_segment(const argon2_instance_t *instance,
         curr_block = instance->memory + curr_offset;
         if (ARGON2_VERSION_10 == instance->version) {
             /* version 1.2.1 and earlier: overwrite, not XOR */
-            fill_block(state, (uint8_t *)ref_block->v,
-                       (uint8_t *)curr_block->v);
+            fill_block(state, ref_block, curr_block, 0);
         } else {
             if(0 == position.pass) {
-                fill_block(state, (uint8_t *)ref_block->v,
-                           (uint8_t *)curr_block->v);
+                fill_block(state, ref_block, curr_block, 0);
             } else {
-                fill_block_with_xor(state, (uint8_t *)ref_block->v,
-                                    (uint8_t *)curr_block->v);
+                fill_block(state, ref_block, curr_block, 1);
             }
         }
     }
-
-    free(pseudo_rands);
 }

data/ext/phc-winner-argon2/src/opt.h

@@ -1,14 +1,18 @@
 /*
- * Argon2 source code package
+ * Argon2 reference source code package - reference C implementations
  *
- * Written by Daniel Dinu and Dmitry Khovratovich, 2015
+ * Copyright 2015
+ * Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, and Samuel Neves
  *
- * This work is licensed under a Creative Commons CC0 1.0 License/Waiver.
+ * You may use this work under the terms of a Creative Commons CC0 1.0 
+ * License/Waiver or the Apache Public License 2.0, at your option. The terms of
+ * these licenses can be found at:
  *
- * You should have received a copy of the CC0 Public Domain Dedication along
- * with
- * this software. If not, see
- * <http://creativecommons.org/publicdomain/zero/1.0/>.
+ * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
+ * - Apache 2.0        : http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * You should have received a copy of both of these licenses along with this
+ * software. If not, they may be obtained at the above URLs.
  */
 
 #ifndef ARGON2_OPT_H
@@ -18,35 +22,14 @@
 #include <emmintrin.h>
 
 /*
- * Function fills a new memory block by XORing the new block over the old one. Memory must be initialized. 
- * After finishing, @state is identical to @next_block
+ * Function fills a new memory block and optionally XORs the old block over the new one.
+ * Memory must be initialized.
  * @param state Pointer to the just produced block. Content will be updated(!)
  * @param ref_block Pointer to the reference block
  * @param next_block Pointer to the block to be XORed over. May coincide with @ref_block
+ * @param with_xor Whether to XOR into the new block (1) or just overwrite (0)
  * @pre all block pointers must be valid
  */
-void fill_block_with_xor(__m128i *state, const uint8_t *ref_block, uint8_t *next_block);
-
-/* LEGACY CODE: version 1.2.1 and earlier
-* Function fills a new memory block by overwriting @next_block.
-* @param state Pointer to the just produced block. Content will be updated(!)
-* @param ref_block Pointer to the reference block
-* @param next_block Pointer to the block to be XORed over. May coincide with @ref_block
-* @pre all block pointers must be valid
-*/
-void fill_block(__m128i *state, const uint8_t *ref_block, uint8_t *next_block);
-
-
-/*
- * Generate pseudo-random values to reference blocks in the segment and puts
- * them into the array
- * @param instance Pointer to the current instance
- * @param position Pointer to the current position
- * @param pseudo_rands Pointer to the array of 64-bit values
- * @pre pseudo_rands must point to @a instance->segment_length allocated values
- */
-void generate_addresses(const argon2_instance_t *instance,
-                        const argon2_position_t *position,
-                        uint64_t *pseudo_rands);
+void fill_block(__m128i *s, const block *ref_block, block *next_block, int with_xor);
 
 #endif /* ARGON2_OPT_H */

data/ext/phc-winner-argon2/src/ref.c

@@ -1,14 +1,18 @@
 /*
- * Argon2 source code package
+ * Argon2 reference source code package - reference C implementations
  *
- * Written by Daniel Dinu and Dmitry Khovratovich, 2015
+ * Copyright 2015
+ * Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, and Samuel Neves
  *
- * This work is licensed under a Creative Commons CC0 1.0 License/Waiver.
+ * You may use this work under the terms of a Creative Commons CC0 1.0 
+ * License/Waiver or the Apache Public License 2.0, at your option. The terms of
+ * these licenses can be found at:
  *
- * You should have received a copy of the CC0 Public Domain Dedication along
- * with
- * this software. If not, see
- * <http://creativecommons.org/publicdomain/zero/1.0/>.
+ * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
+ * - Apache 2.0        : http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * You should have received a copy of both of these licenses along with this
+ * software. If not, they may be obtained at the above URLs.
  */
 
 #include <stdint.h>
@@ -24,53 +28,21 @@
 
 
 void fill_block(const block *prev_block, const block *ref_block,
-    block *next_block) {
+                block *next_block, int with_xor) {
     block blockR, block_tmp;
     unsigned i;
 
     copy_block(&blockR, ref_block);
     xor_block(&blockR, prev_block);
     copy_block(&block_tmp, &blockR);
-            /*Now blockR = ref_block + prev_block and bloc_tmp = ref_block + prev_block */
-                /* Apply Blake2 on columns of 64-bit words: (0,1,...,15) , then
-                (16,17,..31)... finally (112,113,...127) */
-    for (i = 0; i < 8; ++i) {
-        BLAKE2_ROUND_NOMSG(
-            blockR.v[16 * i], blockR.v[16 * i + 1], blockR.v[16 * i + 2],
-            blockR.v[16 * i + 3], blockR.v[16 * i + 4], blockR.v[16 * i + 5],
-            blockR.v[16 * i + 6], blockR.v[16 * i + 7], blockR.v[16 * i + 8],
-            blockR.v[16 * i + 9], blockR.v[16 * i + 10], blockR.v[16 * i + 11],
-            blockR.v[16 * i + 12], blockR.v[16 * i + 13], blockR.v[16 * i + 14],
-            blockR.v[16 * i + 15]);
+    /* Now blockR = ref_block + prev_block and block_tmp = ref_block + prev_block */
+    if (with_xor) {
+        /* Saving the next block contents for XOR over: */
+        xor_block(&block_tmp, next_block);
+        /* Now blockR = ref_block + prev_block and
+           block_tmp = ref_block + prev_block + next_block */
     }
 
-    /* Apply Blake2 on rows of 64-bit words: (0,1,16,17,...112,113), then
-    (2,3,18,19,...,114,115).. finally (14,15,30,31,...,126,127) */
-    for (i = 0; i < 8; i++) {
-        BLAKE2_ROUND_NOMSG(
-            blockR.v[2 * i], blockR.v[2 * i + 1], blockR.v[2 * i + 16],
-            blockR.v[2 * i + 17], blockR.v[2 * i + 32], blockR.v[2 * i + 33],
-            blockR.v[2 * i + 48], blockR.v[2 * i + 49], blockR.v[2 * i + 64],
-            blockR.v[2 * i + 65], blockR.v[2 * i + 80], blockR.v[2 * i + 81],
-            blockR.v[2 * i + 96], blockR.v[2 * i + 97], blockR.v[2 * i + 112],
-            blockR.v[2 * i + 113]);
-    }
-
-    copy_block(next_block, &block_tmp);
-    xor_block(next_block, &blockR);
-}
-
-
-void fill_block_with_xor(const block *prev_block, const block *ref_block,
-                block *next_block) {
-    block blockR, block_tmp;
-    unsigned i;
-
-    copy_block(&blockR, ref_block);
-    xor_block(&blockR, prev_block);
-    copy_block(&block_tmp, &blockR);
-    xor_block(&block_tmp, next_block); /*Saving the next block contents for XOR over*/
-    /*Now blockR = ref_block + prev_block and bloc_tmp = ref_block + prev_block + next_block*/
     /* Apply Blake2 on columns of 64-bit words: (0,1,...,15) , then
        (16,17,..31)... finally (112,113,...127) */
     for (i = 0; i < 8; ++i) {
@@ -99,69 +71,53 @@ void fill_block_with_xor(const block *prev_block, const block *ref_block,
     xor_block(next_block, &blockR);
 }
 
-void generate_addresses(const argon2_instance_t *instance,
-                        const argon2_position_t *position,
-                        uint64_t *pseudo_rands) {
-    block zero_block, input_block, address_block,tmp_block;
-    uint32_t i;
-
-    init_block_value(&zero_block, 0);
-    init_block_value(&input_block, 0);
-
-    if (instance != NULL && position != NULL) {
-        input_block.v[0] = position->pass;
-        input_block.v[1] = position->lane;
-        input_block.v[2] = position->slice;
-        input_block.v[3] = instance->memory_blocks;
-        input_block.v[4] = instance->passes;
-        input_block.v[5] = instance->type;
-
-        for (i = 0; i < instance->segment_length; ++i) {
-            if (i % ARGON2_ADDRESSES_IN_BLOCK == 0) {
-                input_block.v[6]++;
-                init_block_value(&tmp_block, 0);
-                init_block_value(&address_block, 0);
-                fill_block_with_xor(&zero_block, &input_block, &tmp_block);
-                fill_block_with_xor(&zero_block, &tmp_block, &address_block);
-            }
-
-            pseudo_rands[i] = address_block.v[i % ARGON2_ADDRESSES_IN_BLOCK];
-        }
-    }
+static void next_addresses(block *address_block, block *input_block,
+                           const block *zero_block) {
+    input_block->v[6]++;
+    fill_block(zero_block, input_block, address_block, 0);
+    fill_block(zero_block, address_block, address_block, 0);
 }
 
 void fill_segment(const argon2_instance_t *instance,
                   argon2_position_t position) {
     block *ref_block = NULL, *curr_block = NULL;
+    block address_block, input_block, zero_block;
     uint64_t pseudo_rand, ref_index, ref_lane;
     uint32_t prev_offset, curr_offset;
     uint32_t starting_index;
     uint32_t i;
     int data_independent_addressing;
-    /* Pseudo-random values that determine the reference block position */
-    uint64_t *pseudo_rands = NULL;
 
     if (instance == NULL) {
         return;
     }
 
-    data_independent_addressing = (instance->type == Argon2_i);
-
-    pseudo_rands =
-        (uint64_t *)malloc(sizeof(uint64_t) * (instance->segment_length));
-
-    if (pseudo_rands == NULL) {
-        return;
-    }
+    data_independent_addressing =
+        (instance->type == Argon2_i) ||
+        (instance->type == Argon2_id && (position.pass == 0) &&
+         (position.slice < ARGON2_SYNC_POINTS / 2));
 
     if (data_independent_addressing) {
-        generate_addresses(instance, &position, pseudo_rands);
+        init_block_value(&zero_block, 0);
+        init_block_value(&input_block, 0);
+
+        input_block.v[0] = position.pass;
+        input_block.v[1] = position.lane;
+        input_block.v[2] = position.slice;
+        input_block.v[3] = instance->memory_blocks;
+        input_block.v[4] = instance->passes;
+        input_block.v[5] = instance->type;
     }
 
     starting_index = 0;
 
     if ((0 == position.pass) && (0 == position.slice)) {
         starting_index = 2; /* we have already generated the first two blocks */
+
+        /* Don't forget to generate the first block of addresses: */
+        if (data_independent_addressing) {
+            next_addresses(&address_block, &input_block, &zero_block);
+        }
     }
 
     /* Offset of the current block */
@@ -186,7 +142,10 @@ void fill_segment(const argon2_instance_t *instance,
         /* 1.2 Computing the index of the reference block */
         /* 1.2.1 Taking pseudo-random value from the previous block */
         if (data_independent_addressing) {
-            pseudo_rand = pseudo_rands[i];
+            if (i % ARGON2_ADDRESSES_IN_BLOCK == 0) {
+                next_addresses(&address_block, &input_block, &zero_block);
+            }
+            pseudo_rand = address_block.v[i % ARGON2_ADDRESSES_IN_BLOCK];
         } else {
             pseudo_rand = instance->memory[prev_offset].v[0];
         }
@@ -212,17 +171,15 @@ void fill_segment(const argon2_instance_t *instance,
         curr_block = instance->memory + curr_offset;
         if (ARGON2_VERSION_10 == instance->version) {
             /* version 1.2.1 and earlier: overwrite, not XOR */
-            fill_block(instance->memory + prev_offset, ref_block, curr_block);
+            fill_block(instance->memory + prev_offset, ref_block, curr_block, 0);
         } else {
             if(0 == position.pass) {
                 fill_block(instance->memory + prev_offset, ref_block,
-                           curr_block);
+                           curr_block, 0);
             } else {
-                fill_block_with_xor(instance->memory + prev_offset, ref_block,
-                                    curr_block);
+                fill_block(instance->memory + prev_offset, ref_block,
+                           curr_block, 1);
             }
         }
     }
-
-    free(pseudo_rands);
 }