rbnacl-libsodium 1.0.8 → 1.0.9

data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-core.h

@@ -0,0 +1,198 @@
+/*
+ * Argon2 source code package
+ *
+ * Written by Daniel Dinu and Dmitry Khovratovich, 2015
+ *
+ * This work is licensed under a Creative Commons CC0 1.0 License/Waiver.
+ *
+ * You should have received a copy of the CC0 Public Domain Dedication along
+ * with
+ * this software. If not, see
+ * <http://creativecommons.org/publicdomain/zero/1.0/>.
+ */
+
+#ifndef argon2_core_H
+#define argon2_core_H
+
+#include "argon2.h"
+
+/*************************Argon2 internal
+ * constants**************************************************/
+
+enum argon2_ctx_constants {
+    /* Version of the algorithm */
+    ARGON2_VERSION_NUMBER = 0x13,
+
+    /* Memory block size in bytes */
+    ARGON2_BLOCK_SIZE = 1024,
+    ARGON2_QWORDS_IN_BLOCK = ARGON2_BLOCK_SIZE / 8,
+    ARGON2_OWORDS_IN_BLOCK = ARGON2_BLOCK_SIZE / 16,
+
+    /* Number of pseudo-random values generated by one call to Blake in Argon2i
+       to
+       generate reference block positions */
+    ARGON2_ADDRESSES_IN_BLOCK = 128,
+
+    /* Pre-hashing digest length and its extension*/
+    ARGON2_PREHASH_DIGEST_LENGTH = 64,
+    ARGON2_PREHASH_SEED_LENGTH = 72
+};
+
+/*************************Argon2 internal data
+ * types**************************************************/
+
+/*
+ * Structure for the (1KB) memory block implemented as 128 64-bit words.
+ * Memory blocks can be copied, XORed. Internal words can be accessed by [] (no
+ * bounds checking).
+ */
+typedef struct block_ { uint64_t v[ARGON2_QWORDS_IN_BLOCK]; } block;
+
+typedef struct block_region_ {
+    void  *base;
+    block *memory;
+    size_t size;
+} block_region;
+
+/*****************Functions that work with the block******************/
+
+/* Initialize each byte of the block with @in */
+void init_block_value(block *b, uint8_t in);
+
+/* Copy block @src to block @dst */
+void copy_block(block *dst, const block *src);
+
+/* XOR @src onto @dst bytewise */
+void xor_block(block *dst, const block *src);
+
+/*
+ * Argon2 instance: memory pointer, number of passes, amount of memory, type,
+ * and derived values.
+ * Used to evaluate the number and location of blocks to construct in each
+ * thread
+ */
+typedef struct Argon2_instance_t {
+    block_region *region;   /* Memory region pointer */
+    uint32_t passes;        /* Number of passes */
+    uint32_t memory_blocks; /* Number of blocks in memory */
+    uint32_t segment_length;
+    uint32_t lane_length;
+    uint32_t lanes;
+    uint32_t threads;
+    argon2_type type;
+    int print_internals; /* whether to print the memory blocks */
+} argon2_instance_t;
+
+/*
+ * Argon2 position: where we construct the block right now. Used to distribute
+ * work between threads.
+ */
+typedef struct Argon2_position_t {
+    uint32_t pass;
+    uint32_t lane;
+    uint8_t slice;
+    uint32_t index;
+} argon2_position_t;
+
+/*Struct that holds the inputs for thread handling FillSegment*/
+typedef struct Argon2_thread_data {
+    argon2_instance_t *instance_ptr;
+    argon2_position_t pos;
+} argon2_thread_data;
+
+/*************************Argon2 core
+ * functions**************************************************/
+
+/*
+ * Computes absolute position of reference block in the lane following a skewed
+ * distribution and using a pseudo-random value as input
+ * @param instance Pointer to the current instance
+ * @param position Pointer to the current position
+ * @param pseudo_rand 32-bit pseudo-random value used to determine the position
+ * @param same_lane Indicates if the block will be taken from the current lane.
+ * If so we can reference the current segment
+ * @pre All pointers must be valid
+ */
+uint32_t index_alpha(const argon2_instance_t *instance,
+                     const argon2_position_t *position, uint32_t pseudo_rand,
+                     int same_lane);
+
+/*
+ * Function that validates all inputs against predefined restrictions and return
+ * an error code
+ * @param context Pointer to current Argon2 context
+ * @return ARGON2_OK if everything is all right, otherwise one of error codes
+ * (all defined in <argon2.h>
+ */
+int validate_inputs(const argon2_context *context);
+
+/*
+ * Hashes all the inputs into @a blockhash[PREHASH_DIGEST_LENGTH], clears
+ * password and secret if needed
+ * @param  context  Pointer to the Argon2 internal structure containing memory
+ * pointer, and parameters for time and space requirements.
+ * @param  blockhash Buffer for pre-hashing digest
+ * @param  type Argon2 type
+ * @pre    @a blockhash must have at least @a PREHASH_DIGEST_LENGTH bytes
+ * allocated
+ */
+void initial_hash(uint8_t *blockhash, argon2_context *context,
+                  argon2_type type);
+
+/*
+ * Function creates first 2 blocks per lane
+ * @param instance Pointer to the current instance
+ * @param blockhash Pointer to the pre-hashing digest
+ * @pre blockhash must point to @a PREHASH_SEED_LENGTH allocated values
+ */
+void fill_first_blocks(uint8_t *blockhash, const argon2_instance_t *instance);
+
+/*
+ * Function allocates memory, hashes the inputs with Blake,  and creates first
+ * two blocks. Returns the pointer to the main memory with 2 blocks per lane
+ * initialized
+ * @param  context  Pointer to the Argon2 internal structure containing memory
+ * pointer, and parameters for time and space requirements.
+ * @param  instance Current Argon2 instance
+ * @return Zero if successful, -1 if memory failed to allocate. @context->state
+ * will be modified if successful.
+ */
+int initialize(argon2_instance_t *instance, argon2_context *context);
+
+/*
+ * XORing the last block of each lane, hashing it, making the tag. Deallocates
+ * the memory.
+ * @param context Pointer to current Argon2 context (use only the out parameters
+ * from it)
+ * @param instance Pointer to current instance of Argon2
+ * @pre instance->state must point to necessary amount of memory
+ * @pre context->out must point to outlen bytes of memory
+ * @pre if context->free_cbk is not NULL, it should point to a function that
+ * deallocates memory
+ */
+void finalize(const argon2_context *context, argon2_instance_t *instance);
+
+/*
+ * Function that fills the segment using previous segments also from other
+ * threads
+ * @param instance Pointer to the current instance
+ * @param position Current position
+ * @pre all block pointers must be valid
+ */
+typedef int (*fill_segment_fn)(const argon2_instance_t *instance,
+                               argon2_position_t position);
+int argon2_pick_best_implementation(void);
+int fill_segment_ssse3(const argon2_instance_t *instance,
+                       argon2_position_t position);
+int fill_segment_ref(const argon2_instance_t *instance,
+                     argon2_position_t position);
+
+/*
+ * Function that fills the entire memory t_cost times based on the first two
+ * blocks in each lane
+ * @param instance Pointer to the current instance
+ * @return Zero if successful, -1 if memory failed to allocate
+ */
+int fill_memory_blocks(argon2_instance_t *instance);
+
+#endif

data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-encoding.c

@@ -0,0 +1,444 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include "argon2-core.h"
+#include "argon2-encoding.h"
+
+/*
+ * Example code for a decoder and encoder of "hash strings", with Argon2
+ * parameters.
+ *
+ * This code comprises three sections:
+ *
+ *   -- The first section contains generic Base64 encoding and decoding
+ *   functions. It is conceptually applicable to any hash function
+ *   implementation that uses Base64 to encode and decode parameters,
+ *   salts and outputs. It could be made into a library, provided that
+ *   the relevant functions are made public (non-static) and be given
+ *   reasonable names to avoid collisions with other functions.
+ *
+ *   -- The second section is specific to Argon2. It encodes and decodes
+ *   the parameters, salts and outputs. It does not compute the hash
+ *   itself.
+ *
+ *   -- The third section is test code, with a main() function. With
+ *   this section, the whole file compiles as a stand-alone program
+ *   that exercises the encoding and decoding functions with some
+ *   test vectors.
+ *
+ * The code was originally written by Thomas Pornin <pornin@bolet.org>,
+ * to whom comments and remarks may be sent. It is released under what
+ * should amount to Public Domain or its closest equivalent; the
+ * following mantra is supposed to incarnate that fact with all the
+ * proper legal rituals:
+ *
+ * ---------------------------------------------------------------------
+ * This file is provided under the terms of Creative Commons CC0 1.0
+ * Public Domain Dedication. To the extent possible under law, the
+ * author (Thomas Pornin) has waived all copyright and related or
+ * neighboring rights to this file. This work is published from: Canada.
+ * ---------------------------------------------------------------------
+ *
+ * Copyright (c) 2015 Thomas Pornin
+ */
+
+/* ==================================================================== */
+/*
+ * Common code; could be shared between different hash functions.
+ *
+ * Note: the Base64 functions below assume that uppercase letters (resp.
+ * lowercase letters) have consecutive numerical codes, that fit on 8
+ * bits. All modern systems use ASCII-compatible charsets, where these
+ * properties are true. If you are stuck with a dinosaur of a system
+ * that still defaults to EBCDIC then you already have much bigger
+ * interoperability issues to deal with.
+ */
+
+/*
+ * Some macros for constant-time comparisons. These work over values in
+ * the 0..255 range. Returned value is 0x00 on "false", 0xFF on "true".
+ */
+#define EQ(x, y) ((((0U - ((unsigned)(x) ^ (unsigned)(y))) >> 8) & 0xFF) ^ 0xFF)
+#define GT(x, y) ((((unsigned)(y) - (unsigned)(x)) >> 8) & 0xFF)
+#define GE(x, y) (GT(y, x) ^ 0xFF)
+#define LT(x, y) GT(y, x)
+#define LE(x, y) GE(y, x)
+
+/*
+ * Convert value x (0..63) to corresponding Base64 character.
+ */
+static int b64_byte_to_char(unsigned x) {
+    return (LT(x, 26) & (x + 'A')) |
+           (GE(x, 26) & LT(x, 52) & (x + ('a' - 26))) |
+           (GE(x, 52) & LT(x, 62) & (x + ('0' - 52))) | (EQ(x, 62) & '+') |
+           (EQ(x, 63) & '/');
+}
+
+/*
+ * Convert character c to the corresponding 6-bit value. If character c
+ * is not a Base64 character, then 0xFF (255) is returned.
+ */
+static unsigned b64_char_to_byte(int c) {
+    unsigned x;
+
+    x = (GE(c, 'A') & LE(c, 'Z') & (c - 'A')) |
+        (GE(c, 'a') & LE(c, 'z') & (c - ('a' - 26))) |
+        (GE(c, '0') & LE(c, '9') & (c - ('0' - 52))) | (EQ(c, '+') & 62) |
+        (EQ(c, '/') & 63);
+    return x | (EQ(x, 0) & (EQ(c, 'A') ^ 0xFF));
+}
+
+/*
+ * Convert some bytes to Base64. 'dst_len' is the length (in characters)
+ * of the output buffer 'dst'; if that buffer is not large enough to
+ * receive the result (including the terminating 0), then (size_t)-1
+ * is returned. Otherwise, the zero-terminated Base64 string is written
+ * in the buffer, and the output length (counted WITHOUT the terminating
+ * zero) is returned.
+ */
+static size_t to_base64(char *dst, size_t dst_len, const void *src,
+                        size_t src_len) {
+    size_t olen;
+    const unsigned char *buf;
+    unsigned acc, acc_len;
+
+    olen = (src_len / 3) << 2;
+    switch (src_len % 3) {
+    case 2:
+        olen++;
+    /* fall through */
+    case 1:
+        olen += 2;
+        break;
+    }
+    if (dst_len <= olen) {
+        return (size_t)-1;
+    }
+    acc = 0;
+    acc_len = 0;
+    buf = (const unsigned char *)src;
+    while (src_len-- > 0) {
+        acc = (acc << 8) + (*buf++);
+        acc_len += 8;
+        while (acc_len >= 6) {
+            acc_len -= 6;
+            *dst++ = (char)b64_byte_to_char((acc >> acc_len) & 0x3F);
+        }
+    }
+    if (acc_len > 0) {
+        *dst++ = (char)b64_byte_to_char((acc << (6 - acc_len)) & 0x3F);
+    }
+    *dst++ = 0;
+    return olen;
+}
+
+/*
+ * Decode Base64 chars into bytes. The '*dst_len' value must initially
+ * contain the length of the output buffer '*dst'; when the decoding
+ * ends, the actual number of decoded bytes is written back in
+ * '*dst_len'.
+ *
+ * Decoding stops when a non-Base64 character is encountered, or when
+ * the output buffer capacity is exceeded. If an error occurred (output
+ * buffer is too small, invalid last characters leading to unprocessed
+ * buffered bits), then NULL is returned; otherwise, the returned value
+ * points to the first non-Base64 character in the source stream, which
+ * may be the terminating zero.
+ */
+static const char *from_base64(void *dst, size_t *dst_len, const char *src) {
+    size_t len;
+    unsigned char *buf;
+    unsigned acc, acc_len;
+
+    buf = (unsigned char *)dst;
+    len = 0;
+    acc = 0;
+    acc_len = 0;
+    for (;;) {
+        unsigned d;
+
+        d = b64_char_to_byte(*src);
+        if (d == 0xFF) {
+            break;
+        }
+        src++;
+        acc = (acc << 6) + d;
+        acc_len += 6;
+        if (acc_len >= 8) {
+            acc_len -= 8;
+            if ((len++) >= *dst_len) {
+                return NULL;
+            }
+            *buf++ = (acc >> acc_len) & 0xFF;
+        }
+    }
+
+    /*
+     * If the input length is equal to 1 modulo 4 (which is
+     * invalid), then there will remain 6 unprocessed bits;
+     * otherwise, only 0, 2 or 4 bits are buffered. The buffered
+     * bits must also all be zero.
+     */
+    if (acc_len > 4 || (acc & ((1U << acc_len) - 1)) != 0) {
+        return NULL;
+    }
+    *dst_len = len;
+    return src;
+}
+
+/*
+ * Decode decimal integer from 'str'; the value is written in '*v'.
+ * Returned value is a pointer to the next non-decimal character in the
+ * string. If there is no digit at all, or the value encoding is not
+ * minimal (extra leading zeros), or the value does not fit in an
+ * 'unsigned long', then NULL is returned.
+ */
+static const char *decode_decimal(const char *str, unsigned long *v) {
+    const char *orig;
+    unsigned long acc;
+
+    acc = 0;
+    for (orig = str;; str++) {
+        int c;
+
+        c = *str;
+        if (c < '0' || c > '9') {
+            break;
+        }
+        c -= '0';
+        if (acc > (ULONG_MAX / 10)) {
+            return NULL;
+        }
+        acc *= 10;
+        if ((unsigned long)c > (ULONG_MAX - acc)) {
+            return NULL;
+        }
+        acc += (unsigned long)c;
+    }
+    if (str == orig || (*orig == '0' && str != (orig + 1))) {
+        return NULL;
+    }
+    *v = acc;
+    return str;
+}
+
+/* ==================================================================== */
+/*
+ * Code specific to Argon2.
+ *
+ * The code below applies the following format:
+ *
+ *  $argon2<T>$v=<num>$m=<num>,t=<num>,p=<num>[,keyid=<bin>][,data=<bin>][$<bin>[$<bin>]]
+ *
+ * where <T> is either 'd' or 'i', <num> is a decimal integer (positive, fits in an 'unsigned long')
+ * and <bin> is Base64-encoded data (no '=' padding characters, no newline
+ * or whitespace). The "keyid" is a binary identifier for a key (up to 8
+ * bytes); "data" is associated data (up to 32 bytes). When the 'keyid'
+ * (resp. the 'data') is empty, then it is ommitted from the output.
+ *
+ * The last two binary chunks (encoded in Base64) are, in that order,
+ * the salt and the output. Both are optional, but you cannot have an
+ * output without a salt. The binary salt length is between 8 and 48 bytes.
+ * The output length is always exactly 32 bytes.
+ */
+
+/*
+ * Decode an Argon2i hash string into the provided structure 'ctx'.
+ * Returned value is ARGON2_OK on success.
+ */
+int decode_string(argon2_context *ctx, const char *str, argon2_type type) {
+    /* Prefix checking */
+#define CC(prefix)                                                             \
+    do {                                                                       \
+        size_t cc_len = strlen(prefix);                                        \
+        if (strncmp(str, prefix, cc_len) != 0) {                               \
+            return ARGON2_DECODING_FAIL;                                       \
+        }                                                                      \
+        str += cc_len;                                                         \
+    } while ((void)0, 0)
+
+    /* Prefix checking with supplied code */
+#define CC_opt(prefix, code)                                                   \
+    do {                                                                       \
+        size_t cc_len = strlen(prefix);                                        \
+        if (strncmp(str, prefix, cc_len) == 0) {                               \
+            str += cc_len;                                                     \
+            { code; }                                                          \
+        }                                                                      \
+    } while ((void)0, 0)
+
+    /* Decoding prefix into decimal */
+#define DECIMAL(x)                                                             \
+    do {                                                                       \
+        unsigned long dec_x;                                                   \
+        str = decode_decimal(str, &dec_x);                                     \
+        if (str == NULL) {                                                     \
+            return ARGON2_DECODING_FAIL;                                       \
+        }                                                                      \
+        (x) = dec_x;                                                           \
+    } while ((void)0, 0)
+
+    /* Decoding prefix into binary */
+#define BIN(buf, max_len, len)                                                 \
+    do {                                                                       \
+        size_t bin_len = (max_len);                                            \
+        str = from_base64(buf, &bin_len, str);                                 \
+        if (str == NULL || bin_len > UINT32_MAX) {                             \
+            return ARGON2_DECODING_FAIL;                                       \
+        }                                                                      \
+        (len) = (uint32_t)bin_len;                                             \
+    } while ((void)0, 0)
+
+    size_t maxadlen = ctx->adlen;
+    size_t maxsaltlen = ctx->saltlen;
+    size_t maxoutlen = ctx->outlen;
+    unsigned long version = 0;
+    int validation_result;
+
+    ctx->adlen = 0;
+    ctx->saltlen = 0;
+    ctx->outlen = 0;
+    ctx->pwdlen = 0;
+    if (type == Argon2_i) {
+        CC("$argon2i");
+    } else {
+        return ARGON2_INCORRECT_TYPE;
+    }
+    CC("$v=");
+    DECIMAL(version);
+    if (version != ARGON2_VERSION_NUMBER) {
+        return ARGON2_INCORRECT_TYPE;
+    }
+    CC("$m=");
+    DECIMAL(ctx->m_cost);
+    CC(",t=");
+    DECIMAL(ctx->t_cost);
+    CC(",p=");
+    DECIMAL(ctx->lanes);
+    ctx->threads = ctx->lanes;
+
+    CC_opt(",data=", BIN(ctx->ad, maxadlen, ctx->adlen));
+    if (*str == 0) {
+        return ARGON2_OK;
+    }
+    CC("$");
+    BIN(ctx->salt, maxsaltlen, ctx->saltlen);
+    if (*str == 0) {
+        return ARGON2_OK;
+    }
+    CC("$");
+    BIN(ctx->out, maxoutlen, ctx->outlen);
+    validation_result = validate_inputs(ctx);
+    if (validation_result != ARGON2_OK) {
+        return validation_result;
+    }
+    if (*str == 0) {
+        return ARGON2_OK;
+    }
+    return ARGON2_DECODING_FAIL;
+
+#undef CC
+#undef CC_opt
+#undef DECIMAL
+#undef BIN
+}
+
+#define U32_STR_MAXSIZE 11U
+
+static void u32_to_string(char *str, uint32_t x) {
+    char   tmp[U32_STR_MAXSIZE - 1U];
+    size_t i;
+
+    i = sizeof tmp;
+    do {
+        tmp[--i] = (x % (uint32_t) 10U) + '0';
+        x /= (uint32_t) 10U;
+    } while (x != 0U && i != 0U);
+    memcpy(str, &tmp[i], (sizeof tmp) - i);
+    str[(sizeof tmp) - i] = 0;
+}
+
+/*
+ * Encode an argon2i hash string into the provided buffer. 'dst_len'
+ * contains the size, in characters, of the 'dst' buffer; if 'dst_len'
+ * is less than the number of required characters (including the
+ * terminating 0), then this function returns 0.
+ *
+ * If pp->output_len is 0, then the hash string will be a salt string
+ * (no output). if pp->salt_len is also 0, then the string will be a
+ * parameter-only string (no salt and no output).
+ *
+ * On success, ARGON2_OK is returned.
+ */
+int encode_string(char *dst, size_t dst_len, argon2_context *ctx,
+                  argon2_type type) {
+#define SS(str)                                                                \
+    do {                                                                       \
+        size_t pp_len = strlen(str);                                           \
+        if (pp_len >= dst_len) {                                               \
+            return ARGON2_ENCODING_FAIL;                                       \
+        }                                                                      \
+        memcpy(dst, str, pp_len + 1);                                          \
+        dst += pp_len;                                                         \
+        dst_len -= pp_len;                                                     \
+    } while ((void)0, 0)
+
+#define SX(x)                                                                  \
+    do {                                                                       \
+        char tmp[U32_STR_MAXSIZE];                                             \
+        u32_to_string(tmp, x);                                                 \
+        SS(tmp);                                                               \
+    } while ((void)0, 0)
+
+#define SB(buf, len)                                                           \
+    do {                                                                       \
+        size_t sb_len = to_base64(dst, dst_len, buf, len);                     \
+        if (sb_len == (size_t)-1) {                                            \
+            return ARGON2_ENCODING_FAIL;                                       \
+        }                                                                      \
+        dst += sb_len;                                                         \
+        dst_len -= sb_len;                                                     \
+    } while ((void)0, 0)
+
+    int validation_result;
+
+    if (type == Argon2_i) {
+        SS("$argon2i$v=");
+    } else {
+        return ARGON2_ENCODING_FAIL;
+    }
+    validation_result = validate_inputs(ctx);
+    if (validation_result != ARGON2_OK) {
+        return validation_result;
+    }
+    SX(ARGON2_VERSION_NUMBER);
+    SS("$m=");
+    SX(ctx->m_cost);
+    SS(",t=");
+    SX(ctx->t_cost);
+    SS(",p=");
+    SX(ctx->lanes);
+
+    if (ctx->adlen > 0) {
+        SS(",data=");
+        SB(ctx->ad, ctx->adlen);
+    }
+
+    if (ctx->saltlen == 0) {
+        return ARGON2_OK;
+    }
+    SS("$");
+    SB(ctx->salt, ctx->saltlen);
+
+    if (ctx->outlen == 0) {
+        return ARGON2_OK;
+    }
+    SS("$");
+    SB(ctx->out, ctx->outlen);
+    return ARGON2_OK;
+
+#undef SS
+#undef SX
+#undef SB
+}