xref: /netbsd-src/lib/libcrypt/crypt-argon2.c (revision 4d92dbe90eae91beded70db613c2e6a1fd6dd84a)

/*	$NetBSD: crypt-argon2.c,v 1.22 2024/07/23 22:37:11 riastradh Exp $	*/

/*
 * Copyright (c) 2009 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__RCSID("$NetBSD: crypt-argon2.c,v 1.22 2024/07/23 22:37:11 riastradh Exp $");

#include <sys/resource.h>
#include <sys/param.h>
#include <sys/sysctl.h>
#include <sys/syslimits.h>

#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <pwd.h>
#include <errno.h>
#include <argon2.h>

#include <err.h>
#include "crypt.h"

crypt_private int
estimate_argon2_params(argon2_type, uint32_t *,
    uint32_t *, uint32_t *);

/* defaults pulled from run.c */
#define HASHLEN		32
#define T_COST_DEF 	3
#define LOG_M_COST_DEF 	12 /* 2^12 = 4 MiB */
#define LANES_DEF 	1
#define THREADS_DEF 	1
#define OUTLEN_DEF 	32
#define MAX_PASS_LEN 	128

#define ARGON2_CONTEXT_INITIALIZER	\
	{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \
	T_COST_DEF, LOG_M_COST_DEF,\
	LANES_DEF, THREADS_DEF, \
	ARGON2_VERSION_NUMBER, 0, 0, ARGON2_DEFAULT_FLAGS}

#define ARGON2_ARGON2_STR	"argon2"
#define ARGON2_ARGON2I_STR	"argon2i"
#define ARGON2_ARGON2D_STR	"argon2d"
#define ARGON2_ARGON2ID_STR	"argon2id"

/*
 * Unpadded Base64 calculations are taken from the Apache2/CC-0
 * licensed libargon2 for compatibility
 */

/*
 * Some macros for constant-time comparisons. These work over values in
 * the 0..255 range. Returned value is 0x00 on "false", 0xFF on "true".
 */
#define EQ(x, y) ((((0U - ((unsigned)(x) ^ (unsigned)(y))) >> 8) & 0xFF) ^ 0xFF)
#define GT(x, y) ((((unsigned)(y) - (unsigned)(x)) >> 8) & 0xFF)
#define GE(x, y) (GT(y, x) ^ 0xFF)
#define LT(x, y) GT(y, x)
#define LE(x, y) GE(y, x)

static unsigned
b64_char_to_byte(int c)
{
    unsigned x;

    x = (GE(c, 'A') & LE(c, 'Z') & (c - 'A')) |
        (GE(c, 'a') & LE(c, 'z') & (c - ('a' - 26))) |
        (GE(c, '0') & LE(c, '9') & (c - ('0' - 52))) | (EQ(c, '+') & 62) |
        (EQ(c, '/') & 63);
    return x | (EQ(x, 0) & (EQ(c, 'A') ^ 0xFF));
}

static const char *
from_base64(void *dst, size_t *dst_len, const char *src)
{
	size_t len;
	unsigned char *buf;
	unsigned acc, acc_len;

	buf = (unsigned char *)dst;
	len = 0;
	acc = 0;
	acc_len = 0;
	for (;;) {
		unsigned d;

		d = b64_char_to_byte(*src);
		if (d == 0xFF) {
			break;
		}
		src++;
		acc = (acc << 6) + d;
		acc_len += 6;
		if (acc_len >= 8) {
			acc_len -= 8;
			if ((len++) >= *dst_len) {
				return NULL;
			}
			*buf++ = (acc >> acc_len) & 0xFF;
		}
	}

	/*
	 * If the input length is equal to 1 modulo 4 (which is
	 * invalid), then there will remain 6 unprocessed bits;
	 * otherwise, only 0, 2 or 4 bits are buffered. The buffered
	 * bits must also all be zero.
	 */
	if (acc_len > 4 || (acc & (((unsigned)1 << acc_len) - 1)) != 0) {
		return NULL;
	}
	*dst_len = len;
	return src;
}

/*
 * Used to find default parameters that perform well on the host
 * machine.  Inputs should dereference to either 0 (to estimate),
 * or desired value.
 */
crypt_private int
estimate_argon2_params(argon2_type atype, uint32_t *etime,
    uint32_t *ememory, uint32_t *ethreads)
{
	const int mib[] = { CTL_HW, HW_USERMEM64 };
	struct timespec tp1, tp2, delta;
	char tmp_salt[16];
	char tmp_pwd[16];
	uint32_t tmp_hash[32];
	char tmp_encoded[256];
	struct rlimit rlim;
	uint64_t max_mem; /* usermem64 returns bytes */
	size_t max_mem_sz = sizeof(max_mem);
	/* low values from argon2 test suite... */
	uint32_t memory = 256; /* 256k; argon2 wants kilobytes */
	uint32_t time = 3;
	uint32_t threads = 1;

	if (*ememory < ARGON2_MIN_MEMORY) {
		/*
		 * attempt to find a reasonble bound for memory use
		 */
		if (sysctl(mib, __arraycount(mib),
		    &max_mem, &max_mem_sz, NULL, 0) < 0) {
			goto error;
		}
		if (getrlimit(RLIMIT_AS, &rlim) < 0)
			goto error;
		if (max_mem > rlim.rlim_cur && rlim.rlim_cur != RLIM_INFINITY)
			max_mem = rlim.rlim_cur;

		/*
		 * Note that adding memory also greatly slows the algorithm.
		 * Do we need to be concerned about memory usage during
		 * concurrent connections?
		 */
		max_mem /= 1000000; /* bytes down to mb */
		if (max_mem > 30000) {
			memory = 32768;
		} else if (max_mem > 15000) {
			memory = 16384;
		} else if (max_mem > 7000) {
			memory = 8192;
		} else if (max_mem > 3000) {
			memory = 4096;
		} else if (max_mem > 900) {
			memory = 1024;
		} else if (max_mem > 24) {
			memory = 256;
		} else {
			memory = ARGON2_MIN_MEMORY;
		}
	} else {
		memory = *ememory;
	}

	if (*etime < ARGON2_MIN_TIME) {
		/*
		 * just fill these with random stuff since we'll immediately
		 * discard them after calculating hashes for 1 second
		 */
		arc4random_buf(tmp_pwd, sizeof(tmp_pwd));
		arc4random_buf(tmp_salt, sizeof(tmp_salt));

		if (clock_gettime(CLOCK_MONOTONIC, &tp1) == -1)
			goto error;
		for (; time < ARGON2_MAX_TIME; ++time) {
			if (argon2_hash(time, memory, threads,
			    tmp_pwd, sizeof(tmp_pwd),
			    tmp_salt, sizeof(tmp_salt),
			    tmp_hash, sizeof(tmp_hash),
			    tmp_encoded, sizeof(tmp_encoded),
			    atype, ARGON2_VERSION_NUMBER) != ARGON2_OK) {
				goto reset;
			}
			if (clock_gettime(CLOCK_MONOTONIC, &tp2) == -1)
				break;
			if (timespeccmp(&tp1, &tp2, >))
				break; /* broken system... */
			timespecsub(&tp2, &tp1, &delta);
			if (delta.tv_sec >= 1)
				break;
		}
	} else {
		time = *etime;
	}

error:
	*etime = time;
	*ememory = memory;
	*ethreads = threads;
	return 0;
reset:
	time = 3;
	memory = 256;
	threads = 1;
	goto error;
}


/* process params to argon2 */
/* we don't force param order as input, */
/* but we do provide the expected order to argon2 api */
static int
decode_option(argon2_context *ctx, argon2_type *atype, const char *option)
{
	size_t tmp = 0;
        char *in = 0, *inp;
        char *a = 0;
        char *p = 0;
	size_t sl;
	int error = 0;

        in = (char *)strdup(option);
	inp = in;

	if (*inp == '$') inp++;

	a = strsep(&inp, "$");

	sl = strlen(a);

	if (sl == strlen(ARGON2_ARGON2I_STR) &&
	   !(strcmp(ARGON2_ARGON2I_STR, a))) {
		*atype=Argon2_i;
	} else if (sl == strlen(ARGON2_ARGON2D_STR) &&
	        !(strcmp(ARGON2_ARGON2D_STR, a))) {
		*atype=Argon2_d;
	}
	else if (sl == strlen(ARGON2_ARGON2ID_STR) &&
	        !(strcmp(ARGON2_ARGON2ID_STR, a))) {
		*atype=Argon2_id;
	} else { /* default to id, we assume simple mistake */
		/* don't abandon yet */
		*atype=Argon2_id;
	}

	a = strsep(&inp, "$");

	/* parse the version number of the hash, if it's there */
	if (strncmp(a, "v=", 2) == 0) {
		a += 2;
		if ((getnum(a, &tmp))<0) { /* on error, default to current */
			/* should start thinking about aborting */
			ctx->version = ARGON2_VERSION_10;
		} else {
			ctx->version = tmp;
		}
		a = strsep(&inp, "$");
	} else {
		/*
		 * This is a parameter list, not a version number, use the
		 * default version.
		 */
		ctx->version = ARGON2_VERSION_10;
	}

	/* parse labelled argon2 params */
	/* m_cost (m)
	 * t_cost (t)
	 * threads (p)
	 */
	while ((p = strsep(&a, ","))) {
		switch (*p) {
			case 'm':
				p += strlen("m=");
				if ((getnum(p, &tmp)) < 0) {
					--error;
				} else {
					ctx->m_cost = tmp;
				}
				break;
			case 't':
				p += strlen("t=");
				if ((getnum(p, &tmp)) < 0) {
					--error;
				} else {
					ctx->t_cost = tmp;
				}
				break;
			case 'p':
				p += strlen("p=");
				if ((getnum(p, &tmp)) < 0) {
					--error;
				} else {
					ctx->threads = tmp;
				}
				break;
			default:
                                free(in);
				return -1;

		}
	}

	a = strsep(&inp, "$");
	if (a == NULL) {
		free(in);
		return -1;
 	}

	sl = ctx->saltlen;

	if (from_base64(ctx->salt, &sl, a) == NULL) {
		free(in);
		return -1;
	}

	ctx->saltlen = sl;

	a = strsep(&inp, "$");

	if (a) {
		snprintf((char *)ctx->pwd, ctx->pwdlen, "%s", a);
	} else {
		/* don't care if passwd hash is missing */
		/* if missing, most likely coming from */
		/* pwhash or similar */
	}

	/* free our token buffer */
        free(in);

	/* 0 on success, <0 otherwise */
        return error;
}

crypt_private char *
__crypt_argon2(const char *pw, const char * salt)
{
	/* we use the libargon2 api to generate */
	/* return code */
	int rc = 0;
	/* output buffer */
	char ebuf[32];
	/* argon2 variable, default to id */
	argon2_type atype = Argon2_id;
	/* default to current argon2 version */
	/* argon2 context to collect params */
	argon2_context ctx = ARGON2_CONTEXT_INITIALIZER;
	/* argon2 encoded buffer */
	char encodebuf[256];
	/* argon2 salt buffer */
	char saltbuf[128];
	/* argon2 pwd buffer */
	char pwdbuf[128];
	/* returned static buffer */
	static char rbuf[512];

	/* clear buffers */
	explicit_memset(rbuf, 0, sizeof(rbuf));

	/* we use static buffers to avoid allocation */
	/* and easier cleanup */
	ctx.out = (uint8_t *)encodebuf;
	ctx.outlen = sizeof(encodebuf);

	ctx.salt = (uint8_t *)saltbuf;
	ctx.saltlen = sizeof(saltbuf);

	ctx.pwd = (uint8_t *)pwdbuf;
	ctx.pwdlen = sizeof(pwdbuf);

	/* decode salt string to argon2 params */
	/* argon2 context for param collection */
	rc = decode_option(&ctx, &atype, salt);

	if (rc < 0) {
		/* unable to parse input params */
		return NULL;
	}

	rc = argon2_hash(ctx.t_cost, ctx.m_cost,
	    ctx.threads, pw, strlen(pw), ctx.salt, ctx.saltlen,
	    ebuf, sizeof(ebuf), encodebuf, sizeof(encodebuf),
	    atype, ctx.version);

	if (rc != ARGON2_OK) {
		fprintf(stderr, "argon2: failed: %s\n",
		    argon2_error_message(rc));
		return NULL;
	}

	memcpy(rbuf, encodebuf, sizeof(encodebuf));

	/* clear buffers */
	explicit_memset(ebuf, 0, sizeof(ebuf));
	explicit_memset(encodebuf, 0, sizeof(encodebuf));
	explicit_memset(saltbuf, 0, sizeof(saltbuf));
	explicit_memset(pwdbuf, 0, sizeof(pwdbuf));

	/* return encoded str */
	return rbuf;
}