Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/crypto/openssl/providers/implementations/kdfs/argon2.c
48383 views
1
/*

2
 * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.

3
 *

4
 * Licensed under the Apache License 2.0 (the "License").  You may not use

5
 * this file except in compliance with the License.  You can obtain a copy

6
 * in the file LICENSE in the source distribution or at

7
 * https://www.openssl.org/source/license.html

8
 *

9
 * RFC 9106 Argon2 (see https://www.rfc-editor.org/rfc/rfc9106.txt)

10
 *

11
 */

12


13
#include <stdlib.h>

14
#include <stddef.h>

15
#include <stdarg.h>

16
#include <string.h>

17
#include <openssl/e_os2.h>

18
#include <openssl/evp.h>

19
#include <openssl/objects.h>

20
#include <openssl/crypto.h>

21
#include <openssl/kdf.h>

22
#include <openssl/err.h>

23
#include <openssl/core_names.h>

24
#include <openssl/params.h>

25
#include <openssl/thread.h>

26
#include <openssl/proverr.h>

27
#include "internal/thread.h"

28
#include "internal/numbers.h"

29
#include "internal/endian.h"

30
#include "crypto/evp.h"

31
#include "prov/implementations.h"

32
#include "prov/provider_ctx.h"

33
#include "prov/providercommon.h"

34
#include "prov/blake2.h"

35


36
#if defined(OPENSSL_NO_DEFAULT_THREAD_POOL) && defined(OPENSSL_NO_THREAD_POOL)

37
# define ARGON2_NO_THREADS

38
#endif

39


40
#if !defined(OPENSSL_THREADS)

41
# define ARGON2_NO_THREADS

42
#endif

43


44
#ifndef OPENSSL_NO_ARGON2

45


46
# define ARGON2_MIN_LANES 1u

47
# define ARGON2_MAX_LANES 0xFFFFFFu

48
# define ARGON2_MIN_THREADS 1u

49
# define ARGON2_MAX_THREADS 0xFFFFFFu

50
# define ARGON2_SYNC_POINTS 4u

51
# define ARGON2_MIN_OUT_LENGTH 4u

52
# define ARGON2_MAX_OUT_LENGTH 0xFFFFFFFFu

53
# define ARGON2_MIN_MEMORY (2 * ARGON2_SYNC_POINTS)

54
# define ARGON2_MIN(a, b) ((a) < (b) ? (a) : (b))

55
# define ARGON2_MAX_MEMORY 0xFFFFFFFFu

56
# define ARGON2_MIN_TIME 1u

57
# define ARGON2_MAX_TIME 0xFFFFFFFFu

58
# define ARGON2_MIN_PWD_LENGTH 0u

59
# define ARGON2_MAX_PWD_LENGTH 0xFFFFFFFFu

60
# define ARGON2_MIN_AD_LENGTH 0u

61
# define ARGON2_MAX_AD_LENGTH 0xFFFFFFFFu

62
# define ARGON2_MIN_SALT_LENGTH 8u

63
# define ARGON2_MAX_SALT_LENGTH 0xFFFFFFFFu

64
# define ARGON2_MIN_SECRET 0u

65
# define ARGON2_MAX_SECRET 0xFFFFFFFFu

66
# define ARGON2_BLOCK_SIZE 1024

67
# define ARGON2_QWORDS_IN_BLOCK ((ARGON2_BLOCK_SIZE) / 8)

68
# define ARGON2_OWORDS_IN_BLOCK ((ARGON2_BLOCK_SIZE) / 16)

69
# define ARGON2_HWORDS_IN_BLOCK ((ARGON2_BLOCK_SIZE) / 32)

70
# define ARGON2_512BIT_WORDS_IN_BLOCK ((ARGON2_BLOCK_SIZE) / 64)

71
# define ARGON2_ADDRESSES_IN_BLOCK 128

72
# define ARGON2_PREHASH_DIGEST_LENGTH 64

73
# define ARGON2_PREHASH_SEED_LENGTH \

74
    (ARGON2_PREHASH_DIGEST_LENGTH + (2 * sizeof(uint32_t)))

75


76
# define ARGON2_DEFAULT_OUTLEN 64u

77
# define ARGON2_DEFAULT_T_COST 3u

78
# define ARGON2_DEFAULT_M_COST ARGON2_MIN_MEMORY

79
# define ARGON2_DEFAULT_LANES  1u

80
# define ARGON2_DEFAULT_THREADS 1u

81
# define ARGON2_DEFAULT_VERSION ARGON2_VERSION_NUMBER

82


83
# undef G

84
# define G(a, b, c, d)                                                        \

85
    do {                                                                      \

86
        a = a + b + 2 * mul_lower(a, b);                                      \

87
        d = rotr64(d ^ a, 32);                                                \

88
        c = c + d + 2 * mul_lower(c, d);                                      \

89
        b = rotr64(b ^ c, 24);                                                \

90
        a = a + b + 2 * mul_lower(a, b);                                      \

91
        d = rotr64(d ^ a, 16);                                                \

92
        c = c + d + 2 * mul_lower(c, d);                                      \

93
        b = rotr64(b ^ c, 63);                                                \

94
    } while ((void)0, 0)

95


96
# undef PERMUTATION_P

97
# define PERMUTATION_P(v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11,      \

98
                       v12, v13, v14, v15)                                    \

99
    do {                                                                      \

100
        G(v0, v4, v8, v12);                                                   \

101
        G(v1, v5, v9, v13);                                                   \

102
        G(v2, v6, v10, v14);                                                  \

103
        G(v3, v7, v11, v15);                                                  \

104
        G(v0, v5, v10, v15);                                                  \

105
        G(v1, v6, v11, v12);                                                  \

106
        G(v2, v7, v8, v13);                                                   \

107
        G(v3, v4, v9, v14);                                                   \

108
    } while ((void)0, 0)

109


110
# undef PERMUTATION_P_COLUMN

111
# define PERMUTATION_P_COLUMN(x, i)                                           \

112
    do {                                                                      \

113
        uint64_t *base = &x[16 * i];                                          \

114
        PERMUTATION_P(                                                        \

115
            *base,        *(base + 1),  *(base + 2),  *(base + 3),            \

116
            *(base + 4),  *(base + 5),  *(base + 6),  *(base + 7),            \

117
            *(base + 8),  *(base + 9),  *(base + 10), *(base + 11),           \

118
            *(base + 12), *(base + 13), *(base + 14), *(base + 15)            \

119
        );                                                                    \

120
    } while ((void)0, 0)

121


122
# undef PERMUTATION_P_ROW

123
# define PERMUTATION_P_ROW(x, i)                                              \

124
    do {                                                                      \

125
        uint64_t *base = &x[2 * i];                                           \

126
        PERMUTATION_P(                                                        \

127
            *base,        *(base + 1),  *(base + 16),  *(base + 17),          \

128
            *(base + 32), *(base + 33), *(base + 48),  *(base + 49),          \

129
            *(base + 64), *(base + 65), *(base + 80),  *(base + 81),          \

130
            *(base + 96), *(base + 97), *(base + 112), *(base + 113)          \

131
        );                                                                    \

132
    } while ((void)0, 0)

133


134
typedef struct {

135
    uint64_t v[ARGON2_QWORDS_IN_BLOCK];

136
} BLOCK;

137


138
typedef enum {

139
    ARGON2_VERSION_10 = 0x10,

140
    ARGON2_VERSION_13 = 0x13,

141
    ARGON2_VERSION_NUMBER = ARGON2_VERSION_13

142
} ARGON2_VERSION;

143


144
typedef enum {

145
    ARGON2_D  = 0,

146
    ARGON2_I  = 1,

147
    ARGON2_ID = 2

148
} ARGON2_TYPE;

149


150
typedef struct {

151
    uint32_t pass;

152
    uint32_t lane;

153
    uint8_t slice;

154
    uint32_t index;

155
} ARGON2_POS;

156


157
typedef struct {

158
    void *provctx;

159
    uint32_t outlen;

160
    uint8_t *pwd;

161
    uint32_t pwdlen;

162
    uint8_t *salt;

163
    uint32_t saltlen;

164
    uint8_t *secret;

165
    uint32_t secretlen;

166
    uint8_t *ad;

167
    uint32_t adlen;

168
    uint32_t t_cost;

169
    uint32_t m_cost;

170
    uint32_t lanes;

171
    uint32_t threads;

172
    uint32_t version;

173
    uint32_t early_clean;

174
    ARGON2_TYPE type;

175
    BLOCK *memory;

176
    uint32_t passes;

177
    uint32_t memory_blocks;

178
    uint32_t segment_length;

179
    uint32_t lane_length;

180
    OSSL_LIB_CTX *libctx;

181
    EVP_MD *md;

182
    EVP_MAC *mac;

183
    char *propq;

184
} KDF_ARGON2;

185


186
typedef struct {

187
    ARGON2_POS pos;

188
    KDF_ARGON2 *ctx;

189
} ARGON2_THREAD_DATA;

190


191
static OSSL_FUNC_kdf_newctx_fn kdf_argon2i_new;

192
static OSSL_FUNC_kdf_newctx_fn kdf_argon2d_new;

193
static OSSL_FUNC_kdf_newctx_fn kdf_argon2id_new;

194
static OSSL_FUNC_kdf_freectx_fn kdf_argon2_free;

195
static OSSL_FUNC_kdf_reset_fn kdf_argon2_reset;

196
static OSSL_FUNC_kdf_derive_fn kdf_argon2_derive;

197
static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_argon2_settable_ctx_params;

198
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_argon2_set_ctx_params;

199


200
static void kdf_argon2_init(KDF_ARGON2 *ctx, ARGON2_TYPE t);

201
static void *kdf_argon2d_new(void *provctx);

202
static void *kdf_argon2i_new(void *provctx);

203
static void *kdf_argon2id_new(void *provctx);

204
static void kdf_argon2_free(void *vctx);

205
static int kdf_argon2_derive(void *vctx, unsigned char *out, size_t outlen,

206
                             const OSSL_PARAM params[]);

207
static void kdf_argon2_reset(void *vctx);

208
static int kdf_argon2_ctx_set_threads(KDF_ARGON2 *ctx, uint32_t threads);

209
static int kdf_argon2_ctx_set_lanes(KDF_ARGON2 *ctx, uint32_t lanes);

210
static int kdf_argon2_ctx_set_t_cost(KDF_ARGON2 *ctx, uint32_t t_cost);

211
static int kdf_argon2_ctx_set_m_cost(KDF_ARGON2 *ctx, uint32_t m_cost);

212
static int kdf_argon2_ctx_set_out_length(KDF_ARGON2 *ctx, uint32_t outlen);

213
static int kdf_argon2_ctx_set_secret(KDF_ARGON2 *ctx, const OSSL_PARAM *p);

214
static int kdf_argon2_ctx_set_pwd(KDF_ARGON2 *ctx, const OSSL_PARAM *p);

215
static int kdf_argon2_ctx_set_salt(KDF_ARGON2 *ctx, const OSSL_PARAM *p);

216
static int kdf_argon2_ctx_set_ad(KDF_ARGON2 *ctx, const OSSL_PARAM *p);

217
static int kdf_argon2_set_ctx_params(void *vctx, const OSSL_PARAM params[]);

218
static int kdf_argon2_get_ctx_params(void *vctx, OSSL_PARAM params[]);

219
static int kdf_argon2_ctx_set_version(KDF_ARGON2 *ctx, uint32_t version);

220
static const OSSL_PARAM *kdf_argon2_settable_ctx_params(ossl_unused void *ctx,

221
                                                        ossl_unused void *p_ctx);

222
static const OSSL_PARAM *kdf_argon2_gettable_ctx_params(ossl_unused void *ctx,

223
                                                        ossl_unused void *p_ctx);

224


225
static ossl_inline uint64_t load64(const uint8_t *src);

226
static ossl_inline void store32(uint8_t *dst, uint32_t w);

227
static ossl_inline void store64(uint8_t *dst, uint64_t w);

228
static ossl_inline uint64_t rotr64(const uint64_t w, const unsigned int c);

229
static ossl_inline uint64_t mul_lower(uint64_t x, uint64_t y);

230


231
static void init_block_value(BLOCK *b, uint8_t in);

232
static void copy_block(BLOCK *dst, const BLOCK *src);

233
static void xor_block(BLOCK *dst, const BLOCK *src);

234
static void load_block(BLOCK *dst, const void *input);

235
static void store_block(void *output, const BLOCK *src);

236
static void fill_first_blocks(uint8_t *blockhash, const KDF_ARGON2 *ctx);

237
static void fill_block(const BLOCK *prev, const BLOCK *ref, BLOCK *next,

238
                       int with_xor);

239


240
static void next_addresses(BLOCK *address_block, BLOCK *input_block,

241
                           const BLOCK *zero_block);

242
static int data_indep_addressing(const KDF_ARGON2 *ctx, uint32_t pass,

243
                                 uint8_t slice);

244
static uint32_t index_alpha(const KDF_ARGON2 *ctx, uint32_t pass,

245
                            uint8_t slice, uint32_t index,

246
                            uint32_t pseudo_rand, int same_lane);

247


248
static void fill_segment(const KDF_ARGON2 *ctx, uint32_t pass, uint32_t lane,

249
                         uint8_t slice);

250


251
# if !defined(ARGON2_NO_THREADS)

252
static uint32_t fill_segment_thr(void *thread_data);

253
static int fill_mem_blocks_mt(KDF_ARGON2 *ctx);

254
# endif

255


256
static int fill_mem_blocks_st(KDF_ARGON2 *ctx);

257
static ossl_inline int fill_memory_blocks(KDF_ARGON2 *ctx);

258


259
static void initial_hash(uint8_t *blockhash, KDF_ARGON2 *ctx);

260
static int initialize(KDF_ARGON2 *ctx);

261
static void finalize(const KDF_ARGON2 *ctx, void *out);

262


263
static int blake2b(EVP_MD *md, EVP_MAC *mac, void *out, size_t outlen,

264
                   const void *in, size_t inlen, const void *key,

265
                   size_t keylen);

266
static int blake2b_long(EVP_MD *md, EVP_MAC *mac, unsigned char *out,

267
                        size_t outlen, const void *in, size_t inlen);

268


269
static ossl_inline uint64_t load64(const uint8_t *src)

270
{

271
    return

272
      (((uint64_t)src[0]) << 0)

273
    | (((uint64_t)src[1]) << 8)

274
    | (((uint64_t)src[2]) << 16)

275
    | (((uint64_t)src[3]) << 24)

276
    | (((uint64_t)src[4]) << 32)

277
    | (((uint64_t)src[5]) << 40)

278
    | (((uint64_t)src[6]) << 48)

279
    | (((uint64_t)src[7]) << 56);

280
}

281


282
static ossl_inline void store32(uint8_t *dst, uint32_t w)

283
{

284
    dst[0] = (uint8_t)(w >> 0);

285
    dst[1] = (uint8_t)(w >> 8);

286
    dst[2] = (uint8_t)(w >> 16);

287
    dst[3] = (uint8_t)(w >> 24);

288
}

289


290
static ossl_inline void store64(uint8_t *dst, uint64_t w)

291
{

292
    dst[0] = (uint8_t)(w >> 0);

293
    dst[1] = (uint8_t)(w >> 8);

294
    dst[2] = (uint8_t)(w >> 16);

295
    dst[3] = (uint8_t)(w >> 24);

296
    dst[4] = (uint8_t)(w >> 32);

297
    dst[5] = (uint8_t)(w >> 40);

298
    dst[6] = (uint8_t)(w >> 48);

299
    dst[7] = (uint8_t)(w >> 56);

300
}

301


302
static ossl_inline uint64_t rotr64(const uint64_t w, const unsigned int c)

303
{

304
    return (w >> c) | (w << (64 - c));

305
}

306


307
static ossl_inline uint64_t mul_lower(uint64_t x, uint64_t y)

308
{

309
    const uint64_t m = 0xFFFFFFFFUL;

310
    return (x & m) * (y & m);

311
}

312


313
static void init_block_value(BLOCK *b, uint8_t in)

314
{

315
    memset(b->v, in, sizeof(b->v));

316
}

317


318
static void copy_block(BLOCK *dst, const BLOCK *src)

319
{

320
    memcpy(dst->v, src->v, sizeof(uint64_t) * ARGON2_QWORDS_IN_BLOCK);

321
}

322


323
static void xor_block(BLOCK *dst, const BLOCK *src)

324
{

325
    int i;

326


327
    for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i)

328
        dst->v[i] ^= src->v[i];

329
}

330


331
static void load_block(BLOCK *dst, const void *input)

332
{

333
    unsigned i;

334


335
    for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i)

336
        dst->v[i] = load64((const uint8_t *)input + i * sizeof(dst->v[i]));

337
}

338


339
static void store_block(void *output, const BLOCK *src)

340
{

341
    unsigned i;

342


343
    for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i)

344
        store64((uint8_t *)output + i * sizeof(src->v[i]), src->v[i]);

345
}

346


347
static void fill_first_blocks(uint8_t *blockhash, const KDF_ARGON2 *ctx)

348
{

349
    uint32_t l;

350
    uint8_t blockhash_bytes[ARGON2_BLOCK_SIZE];

351


352
    /*

353
     * Make the first and second block in each lane as G(H0||0||i)

354
     * or G(H0||1||i).

355
     */

356
    for (l = 0; l < ctx->lanes; ++l) {

357
        store32(blockhash + ARGON2_PREHASH_DIGEST_LENGTH, 0);

358
        store32(blockhash + ARGON2_PREHASH_DIGEST_LENGTH + 4, l);

359
        blake2b_long(ctx->md, ctx->mac, blockhash_bytes, ARGON2_BLOCK_SIZE,

360
                     blockhash, ARGON2_PREHASH_SEED_LENGTH);

361
        load_block(&ctx->memory[l * ctx->lane_length + 0],

362
                   blockhash_bytes);

363
        store32(blockhash + ARGON2_PREHASH_DIGEST_LENGTH, 1);

364
        blake2b_long(ctx->md, ctx->mac, blockhash_bytes, ARGON2_BLOCK_SIZE,

365
                     blockhash, ARGON2_PREHASH_SEED_LENGTH);

366
        load_block(&ctx->memory[l * ctx->lane_length + 1],

367
                   blockhash_bytes);

368
    }

369
    OPENSSL_cleanse(blockhash_bytes, ARGON2_BLOCK_SIZE);

370
}

371


372
static void fill_block(const BLOCK *prev, const BLOCK *ref,

373
                       BLOCK *next, int with_xor)

374
{

375
    BLOCK blockR, tmp;

376
    unsigned i;

377


378
    copy_block(&blockR, ref);

379
    xor_block(&blockR, prev);

380
    copy_block(&tmp, &blockR);

381


382
    if (with_xor)

383
        xor_block(&tmp, next);

384


385
    for (i = 0; i < 8; ++i)

386
        PERMUTATION_P_COLUMN(blockR.v, i);

387


388
    for (i = 0; i < 8; ++i)

389
        PERMUTATION_P_ROW(blockR.v, i);

390


391
    copy_block(next, &tmp);

392
    xor_block(next, &blockR);

393
}

394


395
static void next_addresses(BLOCK *address_block, BLOCK *input_block,

396
                           const BLOCK *zero_block)

397
{

398
    input_block->v[6]++;

399
    fill_block(zero_block, input_block, address_block, 0);

400
    fill_block(zero_block, address_block, address_block, 0);

401
}

402


403
static int data_indep_addressing(const KDF_ARGON2 *ctx, uint32_t pass,

404
                                 uint8_t slice)

405
{

406
    switch (ctx->type) {

407
    case ARGON2_I:

408
        return 1;

409
    case ARGON2_ID:

410
        return (pass == 0) && (slice < ARGON2_SYNC_POINTS / 2);

411
    case ARGON2_D:

412
    default:

413
        return 0;

414
    }

415
}

416


417
/*

418
 * Pass 0 (pass = 0):

419
 * This lane: all already finished segments plus already constructed blocks

420
 *            in this segment

421
 * Other lanes: all already finished segments

422
 *

423
 * Pass 1+:

424
 * This lane: (SYNC_POINTS - 1) last segments plus already constructed

425
 *            blocks in this segment

426
 * Other lanes: (SYNC_POINTS - 1) last segments

427
 */

428
static uint32_t index_alpha(const KDF_ARGON2 *ctx, uint32_t pass,

429
                            uint8_t slice, uint32_t index,

430
                            uint32_t pseudo_rand, int same_lane)

431
{

432
    uint32_t ref_area_sz;

433
    uint64_t rel_pos;

434
    uint32_t start_pos, abs_pos;

435


436
    start_pos = 0;

437
    switch (pass) {

438
    case 0:

439
        if (slice == 0)

440
            ref_area_sz = index - 1;

441
        else if (same_lane)

442
            ref_area_sz = slice * ctx->segment_length + index - 1;

443
        else

444
            ref_area_sz = slice * ctx->segment_length +

445
                ((index == 0) ? (-1) : 0);

446
        break;

447
    default:

448
        if (same_lane)

449
            ref_area_sz = ctx->lane_length - ctx->segment_length + index - 1;

450
        else

451
            ref_area_sz = ctx->lane_length - ctx->segment_length +

452
                ((index == 0) ? (-1) : 0);

453
        if (slice != ARGON2_SYNC_POINTS - 1)

454
            start_pos = (slice + 1) * ctx->segment_length;

455
        break;

456
    }

457


458
    rel_pos = pseudo_rand;

459
    rel_pos = rel_pos * rel_pos >> 32;

460
    rel_pos = ref_area_sz - 1 - (ref_area_sz * rel_pos >> 32);

461
    abs_pos = (start_pos + rel_pos) % ctx->lane_length;

462


463
    return abs_pos;

464
}

465


466
static void fill_segment(const KDF_ARGON2 *ctx, uint32_t pass, uint32_t lane,

467
                         uint8_t slice)

468
{

469
    BLOCK *ref_block = NULL, *curr_block = NULL;

470
    BLOCK address_block, input_block, zero_block;

471
    uint64_t rnd, ref_index, ref_lane;

472
    uint32_t prev_offset;

473
    uint32_t start_idx;

474
    uint32_t j;

475
    uint32_t curr_offset; /* Offset of the current block */

476


477
    memset(&input_block, 0, sizeof(BLOCK));

478


479
    if (ctx == NULL)

480
        return;

481


482
    if (data_indep_addressing(ctx, pass, slice)) {

483
        init_block_value(&zero_block, 0);

484
        init_block_value(&input_block, 0);

485


486
        input_block.v[0] = pass;

487
        input_block.v[1] = lane;

488
        input_block.v[2] = slice;

489
        input_block.v[3] = ctx->memory_blocks;

490
        input_block.v[4] = ctx->passes;

491
        input_block.v[5] = ctx->type;

492
    }

493


494
    start_idx = 0;

495


496
    /* We've generated the first two blocks. Generate the 1st block of addrs. */

497
    if ((pass == 0) && (slice == 0)) {

498
        start_idx = 2;

499
        if (data_indep_addressing(ctx, pass, slice))

500
            next_addresses(&address_block, &input_block, &zero_block);

501
    }

502


503
    curr_offset = lane * ctx->lane_length + slice * ctx->segment_length

504
        + start_idx;

505


506
    if ((curr_offset % ctx->lane_length) == 0)

507
        prev_offset = curr_offset + ctx->lane_length - 1;

508
    else

509
        prev_offset = curr_offset - 1;

510


511
    for (j = start_idx; j < ctx->segment_length; ++j, ++curr_offset, ++prev_offset) {

512
        if (curr_offset % ctx->lane_length == 1)

513
            prev_offset = curr_offset - 1;

514


515
        /* Taking pseudo-random value from the previous block. */

516
        if (data_indep_addressing(ctx, pass, slice)) {

517
            if (j % ARGON2_ADDRESSES_IN_BLOCK == 0)

518
                next_addresses(&address_block, &input_block, &zero_block);

519
            rnd = address_block.v[j % ARGON2_ADDRESSES_IN_BLOCK];

520
        } else {

521
            rnd = ctx->memory[prev_offset].v[0];

522
        }

523


524
        /* Computing the lane of the reference block */

525
        ref_lane = ((rnd >> 32)) % ctx->lanes;

526
        /* Can not reference other lanes yet */

527
        if ((pass == 0) && (slice == 0))

528
            ref_lane = lane;

529


530
        /* Computing the number of possible reference block within the lane. */

531
        ref_index = index_alpha(ctx, pass, slice, j, rnd & 0xFFFFFFFF,

532
                                ref_lane == lane);

533


534
        /* Creating a new block */

535
        ref_block = ctx->memory + ctx->lane_length * ref_lane + ref_index;

536
        curr_block = ctx->memory + curr_offset;

537
        if (ARGON2_VERSION_10 == ctx->version) {

538
            /* Version 1.2.1 and earlier: overwrite, not XOR */

539
            fill_block(ctx->memory + prev_offset, ref_block, curr_block, 0);

540
            continue;

541
        }

542


543
        fill_block(ctx->memory + prev_offset, ref_block, curr_block,

544
                   pass == 0 ? 0 : 1);

545
    }

546
}

547


548
# if !defined(ARGON2_NO_THREADS)

549


550
static uint32_t fill_segment_thr(void *thread_data)

551
{

552
    ARGON2_THREAD_DATA *my_data;

553


554
    my_data = (ARGON2_THREAD_DATA *) thread_data;

555
    fill_segment(my_data->ctx, my_data->pos.pass, my_data->pos.lane,

556
                 my_data->pos.slice);

557


558
    return 0;

559
}

560


561
static int fill_mem_blocks_mt(KDF_ARGON2 *ctx)

562
{

563
    uint32_t r, s, l, ll;

564
    void **t;

565
    ARGON2_THREAD_DATA *t_data;

566


567
    t = OPENSSL_zalloc(sizeof(void *)*ctx->lanes);

568
    t_data = OPENSSL_zalloc(ctx->lanes * sizeof(ARGON2_THREAD_DATA));

569


570
    if (t == NULL || t_data == NULL)

571
        goto fail;

572


573
    for (r = 0; r < ctx->passes; ++r) {

574
        for (s = 0; s < ARGON2_SYNC_POINTS; ++s) {

575
            for (l = 0; l < ctx->lanes; ++l) {

576
                ARGON2_POS p;

577
                if (l >= ctx->threads) {

578
                    if (ossl_crypto_thread_join(t[l - ctx->threads], NULL) == 0)

579
                        goto fail;

580
                    if (ossl_crypto_thread_clean(t[l - ctx->threads]) == 0)

581
                        goto fail;

582
                    t[l] = NULL;

583
                }

584


585
                p.pass = r;

586
                p.lane = l;

587
                p.slice = (uint8_t)s;

588
                p.index = 0;

589


590
                t_data[l].ctx = ctx;

591
                memcpy(&(t_data[l].pos), &p, sizeof(ARGON2_POS));

592
                t[l] = ossl_crypto_thread_start(ctx->libctx, &fill_segment_thr,

593
                                                (void *) &t_data[l]);

594
                if (t[l] == NULL) {

595
                    for (ll = 0; ll < l; ++ll) {

596
                        if (ossl_crypto_thread_join(t[ll], NULL) == 0)

597
                            goto fail;

598
                        if (ossl_crypto_thread_clean(t[ll]) == 0)

599
                            goto fail;

600
                        t[ll] = NULL;

601
                    }

602
                    goto fail;

603
                }

604
            }

605
            for (l = ctx->lanes - ctx->threads; l < ctx->lanes; ++l) {

606
                if (ossl_crypto_thread_join(t[l], NULL) == 0)

607
                    goto fail;

608
                if (ossl_crypto_thread_clean(t[l]) == 0)

609
                    goto fail;

610
                t[l] = NULL;

611
            }

612
        }

613
    }

614


615
    OPENSSL_free(t_data);

616
    OPENSSL_free(t);

617


618
    return 1;

619


620
fail:

621
    if (t_data != NULL)

622
        OPENSSL_free(t_data);

623
    if (t != NULL)

624
        OPENSSL_free(t);

625
    return 0;

626
}

627


628
# endif /* !defined(ARGON2_NO_THREADS) */

629


630
static int fill_mem_blocks_st(KDF_ARGON2 *ctx)

631
{

632
    uint32_t r, s, l;

633


634
    for (r = 0; r < ctx->passes; ++r)

635
        for (s = 0; s < ARGON2_SYNC_POINTS; ++s)

636
            for (l = 0; l < ctx->lanes; ++l)

637
                fill_segment(ctx, r, l, s);

638
    return 1;

639
}

640


641
static ossl_inline int fill_memory_blocks(KDF_ARGON2 *ctx)

642
{

643
# if !defined(ARGON2_NO_THREADS)

644
    return ctx->threads == 1 ? fill_mem_blocks_st(ctx) : fill_mem_blocks_mt(ctx);

645
# else

646
    return ctx->threads == 1 ? fill_mem_blocks_st(ctx) : 0;

647
# endif

648
}

649


650
static void initial_hash(uint8_t *blockhash, KDF_ARGON2 *ctx)

651
{

652
    EVP_MD_CTX *mdctx;

653
    uint8_t value[sizeof(uint32_t)];

654
    unsigned int tmp;

655
    uint32_t args[7];

656


657
    if (ctx == NULL || blockhash == NULL)

658
        return;

659


660
    args[0] = ctx->lanes;

661
    args[1] = ctx->outlen;

662
    args[2] = ctx->m_cost;

663
    args[3] = ctx->t_cost;

664
    args[4] = ctx->version;

665
    args[5] = (uint32_t) ctx->type;

666
    args[6] = ctx->pwdlen;

667


668
    mdctx = EVP_MD_CTX_create();

669
    if (mdctx == NULL || EVP_DigestInit_ex(mdctx, ctx->md, NULL) != 1)

670
        goto fail;

671


672
    for (tmp = 0; tmp < sizeof(args) / sizeof(uint32_t); ++tmp) {

673
        store32((uint8_t *) &value, args[tmp]);

674
        if (EVP_DigestUpdate(mdctx, &value, sizeof(value)) != 1)

675
            goto fail;

676
    }

677


678
    if (ctx->pwd != NULL) {

679
        if (EVP_DigestUpdate(mdctx, ctx->pwd, ctx->pwdlen) != 1)

680
            goto fail;

681
        if (ctx->early_clean) {

682
            OPENSSL_cleanse(ctx->pwd, ctx->pwdlen);

683
            ctx->pwdlen = 0;

684
        }

685
    }

686


687
    store32((uint8_t *) &value, ctx->saltlen);

688


689
    if (EVP_DigestUpdate(mdctx, &value, sizeof(value)) != 1)

690
        goto fail;

691


692
    if (ctx->salt != NULL)

693
        if (EVP_DigestUpdate(mdctx, ctx->salt, ctx->saltlen) != 1)

694
            goto fail;

695


696
    store32((uint8_t *) &value, ctx->secretlen);

697
    if (EVP_DigestUpdate(mdctx, &value, sizeof(value)) != 1)

698
        goto fail;

699


700
    if (ctx->secret != NULL) {

701
        if (EVP_DigestUpdate(mdctx, ctx->secret, ctx->secretlen) != 1)

702
            goto fail;

703
        if (ctx->early_clean) {

704
            OPENSSL_cleanse(ctx->secret, ctx->secretlen);

705
            ctx->secretlen = 0;

706
        }

707
    }

708


709
    store32((uint8_t *) &value, ctx->adlen);

710
    if (EVP_DigestUpdate(mdctx, &value, sizeof(value)) != 1)

711
        goto fail;

712


713
    if (ctx->ad != NULL)

714
        if (EVP_DigestUpdate(mdctx, ctx->ad, ctx->adlen) != 1)

715
            goto fail;

716


717
    tmp = ARGON2_PREHASH_DIGEST_LENGTH;

718
    if (EVP_DigestFinal_ex(mdctx, blockhash, &tmp) != 1)

719
        goto fail;

720


721
fail:

722
    EVP_MD_CTX_destroy(mdctx);

723
}

724


725
static int initialize(KDF_ARGON2 *ctx)

726
{

727
    uint8_t blockhash[ARGON2_PREHASH_SEED_LENGTH];

728


729
    if (ctx == NULL)

730
        return 0;

731


732
    if (ctx->memory_blocks * sizeof(BLOCK) / sizeof(BLOCK) != ctx->memory_blocks)

733
        return 0;

734


735
    if (ctx->type != ARGON2_D)

736
        ctx->memory = OPENSSL_secure_zalloc(ctx->memory_blocks *

737
                                            sizeof(BLOCK));

738
    else

739
        ctx->memory = OPENSSL_zalloc(ctx->memory_blocks *

740
                                     sizeof(BLOCK));

741


742
    if (ctx->memory == NULL) {

743
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MEMORY_SIZE,

744
                       "cannot allocate required memory");

745
        return 0;

746
    }

747


748
    initial_hash(blockhash, ctx);

749
    OPENSSL_cleanse(blockhash + ARGON2_PREHASH_DIGEST_LENGTH,

750
                    ARGON2_PREHASH_SEED_LENGTH - ARGON2_PREHASH_DIGEST_LENGTH);

751
    fill_first_blocks(blockhash, ctx);

752
    OPENSSL_cleanse(blockhash, ARGON2_PREHASH_SEED_LENGTH);

753


754
    return 1;

755
}

756


757
static void finalize(const KDF_ARGON2 *ctx, void *out)

758
{

759
    BLOCK blockhash;

760
    uint8_t blockhash_bytes[ARGON2_BLOCK_SIZE];

761
    uint32_t last_block_in_lane;

762
    uint32_t l;

763


764
    if (ctx == NULL)

765
        return;

766


767
    copy_block(&blockhash, ctx->memory + ctx->lane_length - 1);

768


769
    /* XOR the last blocks */

770
    for (l = 1; l < ctx->lanes; ++l) {

771
        last_block_in_lane = l * ctx->lane_length + (ctx->lane_length - 1);

772
        xor_block(&blockhash, ctx->memory + last_block_in_lane);

773
    }

774


775
    /* Hash the result */

776
    store_block(blockhash_bytes, &blockhash);

777
    blake2b_long(ctx->md, ctx->mac, out, ctx->outlen, blockhash_bytes,

778
                 ARGON2_BLOCK_SIZE);

779
    OPENSSL_cleanse(blockhash.v, ARGON2_BLOCK_SIZE);

780
    OPENSSL_cleanse(blockhash_bytes, ARGON2_BLOCK_SIZE);

781


782
    if (ctx->type != ARGON2_D)

783
        OPENSSL_secure_clear_free(ctx->memory,

784
                                  ctx->memory_blocks * sizeof(BLOCK));

785
    else

786
        OPENSSL_clear_free(ctx->memory,

787
                           ctx->memory_blocks * sizeof(BLOCK));

788
}

789


790
static int blake2b_mac(EVP_MAC *mac, void *out, size_t outlen, const void *in,

791
                       size_t inlen, const void *key, size_t keylen)

792
{

793
    int ret = 0;

794
    size_t par_n = 0, out_written;

795
    EVP_MAC_CTX *ctx = NULL;

796
    OSSL_PARAM par[3];

797


798
    if ((ctx = EVP_MAC_CTX_new(mac)) == NULL)

799
        goto fail;

800


801
    par[par_n++] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,

802
                                                     (void *) key, keylen);

803
    par[par_n++] = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE, &outlen);

804
    par[par_n++] = OSSL_PARAM_construct_end();

805


806
    ret = EVP_MAC_CTX_set_params(ctx, par) == 1

807
        && EVP_MAC_init(ctx, NULL, 0, NULL) == 1

808
        && EVP_MAC_update(ctx, in, inlen) == 1

809
        && EVP_MAC_final(ctx, out, (size_t *) &out_written, outlen) == 1;

810


811
fail:

812
    EVP_MAC_CTX_free(ctx);

813
    return ret;

814
}

815


816
static int blake2b_md(EVP_MD *md, void *out, size_t outlen, const void *in,

817
                      size_t inlen)

818
{

819
    int ret = 0;

820
    EVP_MD_CTX *ctx = NULL;

821
    OSSL_PARAM par[2];

822


823
    if ((ctx = EVP_MD_CTX_create()) == NULL)

824
        return 0;

825


826
    par[0] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_SIZE, &outlen);

827
    par[1] = OSSL_PARAM_construct_end();

828


829
    ret = EVP_DigestInit_ex2(ctx, md, par) == 1

830
        && EVP_DigestUpdate(ctx, in, inlen) == 1

831
        && EVP_DigestFinal_ex(ctx, out, NULL) == 1;

832


833
    EVP_MD_CTX_free(ctx);

834
    return ret;

835
}

836


837
static int blake2b(EVP_MD *md, EVP_MAC *mac, void *out, size_t outlen,

838
                   const void *in, size_t inlen, const void *key, size_t keylen)

839
{

840
    if (out == NULL || outlen == 0)

841
        return 0;

842


843
    if (key == NULL || keylen == 0)

844
        return blake2b_md(md, out, outlen, in, inlen);

845


846
    return blake2b_mac(mac, out, outlen, in, inlen, key, keylen);

847
}

848


849
static int blake2b_long(EVP_MD *md, EVP_MAC *mac, unsigned char *out,

850
                        size_t outlen, const void *in, size_t inlen)

851
{

852
    int ret = 0;

853
    EVP_MD_CTX *ctx = NULL;

854
    uint32_t outlen_curr;

855
    uint8_t outbuf[BLAKE2B_OUTBYTES];

856
    uint8_t inbuf[BLAKE2B_OUTBYTES];

857
    uint8_t outlen_bytes[sizeof(uint32_t)] = {0};

858
    OSSL_PARAM par[2];

859
    size_t outlen_md;

860


861
    if (out == NULL || outlen == 0)

862
        return 0;

863


864
    /* Ensure little-endian byte order */

865
    store32(outlen_bytes, (uint32_t)outlen);

866


867
    if ((ctx = EVP_MD_CTX_create()) == NULL)

868
        return 0;

869


870
    outlen_md = (outlen <= BLAKE2B_OUTBYTES) ? outlen : BLAKE2B_OUTBYTES;

871
    par[0] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_SIZE, &outlen_md);

872
    par[1] = OSSL_PARAM_construct_end();

873


874
    ret = EVP_DigestInit_ex2(ctx, md, par) == 1

875
        && EVP_DigestUpdate(ctx, outlen_bytes, sizeof(outlen_bytes)) == 1

876
        && EVP_DigestUpdate(ctx, in, inlen) == 1

877
        && EVP_DigestFinal_ex(ctx, (outlen > BLAKE2B_OUTBYTES) ? outbuf : out,

878
                              NULL) == 1;

879


880
    if (ret == 0)

881
        goto fail;

882


883
    if (outlen > BLAKE2B_OUTBYTES) {

884
        memcpy(out, outbuf, BLAKE2B_OUTBYTES / 2);

885
        out += BLAKE2B_OUTBYTES / 2;

886
        outlen_curr = (uint32_t) outlen - BLAKE2B_OUTBYTES / 2;

887


888
        while (outlen_curr > BLAKE2B_OUTBYTES) {

889
            memcpy(inbuf, outbuf, BLAKE2B_OUTBYTES);

890
            if (blake2b(md, mac, outbuf, BLAKE2B_OUTBYTES, inbuf,

891
                        BLAKE2B_OUTBYTES, NULL, 0) != 1)

892
                goto fail;

893
            memcpy(out, outbuf, BLAKE2B_OUTBYTES / 2);

894
            out += BLAKE2B_OUTBYTES / 2;

895
            outlen_curr -= BLAKE2B_OUTBYTES / 2;

896
        }

897


898
        memcpy(inbuf, outbuf, BLAKE2B_OUTBYTES);

899
        if (blake2b(md, mac, outbuf, outlen_curr, inbuf, BLAKE2B_OUTBYTES,

900
                    NULL, 0) != 1)

901
            goto fail;

902
        memcpy(out, outbuf, outlen_curr);

903
    }

904
    ret = 1;

905


906
fail:

907
    EVP_MD_CTX_free(ctx);

908
    return ret;

909
}

910


911
static void kdf_argon2_init(KDF_ARGON2 *c, ARGON2_TYPE type)

912
{

913
    OSSL_LIB_CTX *libctx;

914


915
    libctx = c->libctx;

916
    memset(c, 0, sizeof(*c));

917


918
    c->libctx = libctx;

919
    c->outlen = ARGON2_DEFAULT_OUTLEN;

920
    c->t_cost = ARGON2_DEFAULT_T_COST;

921
    c->m_cost = ARGON2_DEFAULT_M_COST;

922
    c->lanes = ARGON2_DEFAULT_LANES;

923
    c->threads = ARGON2_DEFAULT_THREADS;

924
    c->version = ARGON2_DEFAULT_VERSION;

925
    c->type = type;

926
}

927


928
static void *kdf_argon2d_new(void *provctx)

929
{

930
    KDF_ARGON2 *ctx;

931


932
    if (!ossl_prov_is_running())

933
        return NULL;

934


935
    ctx = OPENSSL_zalloc(sizeof(*ctx));

936
    if (ctx == NULL) {

937
        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);

938
        return NULL;

939
    }

940


941
    ctx->libctx = PROV_LIBCTX_OF(provctx);

942


943
    kdf_argon2_init(ctx, ARGON2_D);

944
    return ctx;

945
}

946


947
static void *kdf_argon2i_new(void *provctx)

948
{

949
    KDF_ARGON2 *ctx;

950


951
    if (!ossl_prov_is_running())

952
        return NULL;

953


954
    ctx = OPENSSL_zalloc(sizeof(*ctx));

955
    if (ctx == NULL) {

956
        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);

957
        return NULL;

958
    }

959


960
    ctx->libctx = PROV_LIBCTX_OF(provctx);

961


962
    kdf_argon2_init(ctx, ARGON2_I);

963
    return ctx;

964
}

965


966
static void *kdf_argon2id_new(void *provctx)

967
{

968
    KDF_ARGON2 *ctx;

969


970
    if (!ossl_prov_is_running())

971
        return NULL;

972


973
    ctx = OPENSSL_zalloc(sizeof(*ctx));

974
    if (ctx == NULL) {

975
        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);

976
        return NULL;

977
    }

978


979
    ctx->libctx = PROV_LIBCTX_OF(provctx);

980


981
    kdf_argon2_init(ctx, ARGON2_ID);

982
    return ctx;

983
}

984


985
static void kdf_argon2_free(void *vctx)

986
{

987
    KDF_ARGON2 *ctx = (KDF_ARGON2 *)vctx;

988


989
    if (ctx == NULL)

990
        return;

991


992
    if (ctx->pwd != NULL)

993
        OPENSSL_clear_free(ctx->pwd, ctx->pwdlen);

994


995
    if (ctx->salt != NULL)

996
        OPENSSL_clear_free(ctx->salt, ctx->saltlen);

997


998
    if (ctx->secret != NULL)

999
        OPENSSL_clear_free(ctx->secret, ctx->secretlen);

1000


1001
    if (ctx->ad != NULL)

1002
        OPENSSL_clear_free(ctx->ad, ctx->adlen);

1003


1004
    EVP_MD_free(ctx->md);

1005
    EVP_MAC_free(ctx->mac);

1006


1007
    OPENSSL_free(ctx->propq);

1008


1009
    memset(ctx, 0, sizeof(*ctx));

1010


1011
    OPENSSL_free(ctx);

1012
}

1013


1014
static int kdf_argon2_derive(void *vctx, unsigned char *out, size_t outlen,

1015
                             const OSSL_PARAM params[])

1016
{

1017
    KDF_ARGON2 *ctx;

1018
    uint32_t memory_blocks, segment_length;

1019


1020
    ctx = (KDF_ARGON2 *)vctx;

1021


1022
    if (!ossl_prov_is_running() || !kdf_argon2_set_ctx_params(vctx, params))

1023
        return 0;

1024


1025
    if (ctx->mac == NULL)

1026
        ctx->mac = EVP_MAC_fetch(ctx->libctx, "blake2bmac", ctx->propq);

1027
    if (ctx->mac == NULL) {

1028
        ERR_raise_data(ERR_LIB_PROV, PROV_R_MISSING_MAC,

1029
                       "cannot fetch blake2bmac");

1030
        return 0;

1031
    }

1032


1033
    if (ctx->md == NULL)

1034
        ctx->md = EVP_MD_fetch(ctx->libctx, "blake2b512", ctx->propq);

1035
    if (ctx->md == NULL) {

1036
        ERR_raise_data(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST,

1037
                       "cannot fetch blake2b512");

1038
        return 0;

1039
    }

1040


1041
    if (ctx->salt == NULL || ctx->saltlen == 0) {

1042
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT);

1043
        return 0;

1044
    }

1045


1046
    if (outlen != ctx->outlen) {

1047
        if (OSSL_PARAM_locate((OSSL_PARAM *)params, "size") != NULL) {

1048
            ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);

1049
            return 0;

1050
        }

1051
        if (!kdf_argon2_ctx_set_out_length(ctx, (uint32_t) outlen))

1052
            return 0;

1053
    }

1054


1055
    switch (ctx->type) {

1056
    case ARGON2_D:

1057
    case ARGON2_I:

1058
    case ARGON2_ID:

1059
        break;

1060
    default:

1061
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MODE, "invalid Argon2 type");

1062
        return 0;

1063
    }

1064


1065
    if (ctx->threads > 1) {

1066
# ifdef ARGON2_NO_THREADS

1067
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,

1068
                       "requested %u threads, single-threaded mode supported only",

1069
                       ctx->threads);

1070
        return 0;

1071
# else

1072
        if (ctx->threads > ossl_get_avail_threads(ctx->libctx)) {

1073
            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,

1074
                           "requested %u threads, available: %u",

1075
                           ctx->threads, ossl_get_avail_threads(ctx->libctx));

1076
            return 0;

1077
        }

1078
# endif

1079
        if (ctx->threads > ctx->lanes) {

1080
            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,

1081
                           "requested more threads (%u) than lanes (%u)",

1082
                           ctx->threads, ctx->lanes);

1083
            return 0;

1084
        }

1085
    }

1086


1087
    if (ctx->m_cost < 8 * ctx->lanes) {

1088
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MEMORY_SIZE,

1089
                       "m_cost must be greater or equal than 8 times the number of lanes");

1090
        return 0;

1091
    }

1092


1093
    memory_blocks = ctx->m_cost;

1094
    if (memory_blocks < 2 * ARGON2_SYNC_POINTS * ctx->lanes)

1095
        memory_blocks = 2 * ARGON2_SYNC_POINTS * ctx->lanes;

1096


1097
    /* Ensure that all segments have equal length */

1098
    segment_length = memory_blocks / (ctx->lanes * ARGON2_SYNC_POINTS);

1099
    memory_blocks = segment_length * (ctx->lanes * ARGON2_SYNC_POINTS);

1100


1101
    ctx->memory = NULL;

1102
    ctx->memory_blocks = memory_blocks;

1103
    ctx->segment_length = segment_length;

1104
    ctx->passes = ctx->t_cost;

1105
    ctx->lane_length = segment_length * ARGON2_SYNC_POINTS;

1106


1107
    if (initialize(ctx) != 1)

1108
        return 0;

1109


1110
    if (fill_memory_blocks(ctx) != 1)

1111
        return 0;

1112


1113
    finalize(ctx, out);

1114


1115
    return 1;

1116
}

1117


1118
static void kdf_argon2_reset(void *vctx)

1119
{

1120
    OSSL_LIB_CTX *libctx;

1121
    KDF_ARGON2 *ctx;

1122
    ARGON2_TYPE type;

1123


1124
    ctx = (KDF_ARGON2 *) vctx;

1125
    type = ctx->type;

1126
    libctx = ctx->libctx;

1127


1128
    EVP_MD_free(ctx->md);

1129
    EVP_MAC_free(ctx->mac);

1130


1131
    OPENSSL_free(ctx->propq);

1132


1133
    if (ctx->pwd != NULL)

1134
        OPENSSL_clear_free(ctx->pwd, ctx->pwdlen);

1135


1136
    if (ctx->salt != NULL)

1137
        OPENSSL_clear_free(ctx->salt, ctx->saltlen);

1138


1139
    if (ctx->secret != NULL)

1140
        OPENSSL_clear_free(ctx->secret, ctx->secretlen);

1141


1142
    if (ctx->ad != NULL)

1143
        OPENSSL_clear_free(ctx->ad, ctx->adlen);

1144


1145
    memset(ctx, 0, sizeof(*ctx));

1146
    ctx->libctx = libctx;

1147
    kdf_argon2_init(ctx, type);

1148
}

1149


1150
static int kdf_argon2_ctx_set_threads(KDF_ARGON2 *ctx, uint32_t threads)

1151
{

1152
    if (threads < ARGON2_MIN_THREADS) {

1153
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,

1154
                       "min threads: %u", ARGON2_MIN_THREADS);

1155
        return 0;

1156
    }

1157


1158
    if (threads > ARGON2_MAX_THREADS) {

1159
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_THREAD_POOL_SIZE,

1160
                       "max threads: %u", ARGON2_MAX_THREADS);

1161
        return 0;

1162
    }

1163


1164
    ctx->threads = threads;

1165
    return 1;

1166
}

1167


1168
static int kdf_argon2_ctx_set_lanes(KDF_ARGON2 *ctx, uint32_t lanes)

1169
{

1170
    if (lanes > ARGON2_MAX_LANES) {

1171
        ERR_raise_data(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER,

1172
                       "max lanes: %u", ARGON2_MAX_LANES);

1173
        return 0;

1174
    }

1175


1176
    if (lanes < ARGON2_MIN_LANES) {

1177
        ERR_raise_data(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER,

1178
                       "min lanes: %u", ARGON2_MIN_LANES);

1179
        return 0;

1180
    }

1181


1182
    ctx->lanes = lanes;

1183
    return 1;

1184
}

1185


1186
static int kdf_argon2_ctx_set_t_cost(KDF_ARGON2 *ctx, uint32_t t_cost)

1187
{

1188
    /* ARGON2_MAX_MEMORY == max m_cost value, so skip check  */

1189


1190
    if (t_cost < ARGON2_MIN_TIME) {

1191
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_ITERATION_COUNT,

1192
                       "min: %u", ARGON2_MIN_TIME);

1193
        return 0;

1194
    }

1195


1196
    ctx->t_cost = t_cost;

1197
    return 1;

1198
}

1199


1200
static int kdf_argon2_ctx_set_m_cost(KDF_ARGON2 *ctx, uint32_t m_cost)

1201
{

1202
    /* ARGON2_MAX_MEMORY == max m_cost value, so skip check */

1203


1204
    if (m_cost < ARGON2_MIN_MEMORY) {

1205
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MEMORY_SIZE, "min: %u",

1206
                       ARGON2_MIN_MEMORY);

1207
        return 0;

1208
    }

1209


1210
    ctx->m_cost = m_cost;

1211
    return 1;

1212
}

1213


1214
static int kdf_argon2_ctx_set_out_length(KDF_ARGON2 *ctx, uint32_t outlen)

1215
{

1216
    /*

1217
     * ARGON2_MAX_OUT_LENGTH == max outlen value, so upper bounds checks

1218
     * are always satisfied; to suppress compiler if statement tautology

1219
     * warnings, these checks are skipped.

1220
     */

1221


1222
    if (outlen < ARGON2_MIN_OUT_LENGTH) {

1223
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH, "min: %u",

1224
                       ARGON2_MIN_OUT_LENGTH);

1225
        return 0;

1226
    }

1227


1228
    ctx->outlen = outlen;

1229
    return 1;

1230
}

1231


1232
static int kdf_argon2_ctx_set_secret(KDF_ARGON2 *ctx, const OSSL_PARAM *p)

1233
{

1234
    size_t buflen;

1235


1236
    if (p->data == NULL)

1237
        return 0;

1238


1239
    if (ctx->secret != NULL) {

1240
        OPENSSL_clear_free(ctx->secret, ctx->secretlen);

1241
        ctx->secret = NULL;

1242
        ctx->secretlen = 0U;

1243
    }

1244


1245
    if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->secret, 0, &buflen))

1246
        return 0;

1247


1248
    if (buflen > ARGON2_MAX_SECRET) {

1249
        OPENSSL_free(ctx->secret);

1250
        ctx->secret = NULL;

1251
        ctx->secretlen = 0U;

1252
        return 0;

1253
    }

1254


1255
    ctx->secretlen = (uint32_t) buflen;

1256
    return 1;

1257
}

1258


1259
static int kdf_argon2_ctx_set_pwd(KDF_ARGON2 *ctx, const OSSL_PARAM *p)

1260
{

1261
    size_t buflen;

1262


1263
    if (p->data == NULL)

1264
        return 0;

1265


1266
    if (ctx->pwd != NULL) {

1267
        OPENSSL_clear_free(ctx->pwd, ctx->pwdlen);

1268
        ctx->pwd = NULL;

1269
        ctx->pwdlen = 0U;

1270
    }

1271


1272
    if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->pwd, 0, &buflen))

1273
        return 0;

1274


1275
    if (buflen > ARGON2_MAX_PWD_LENGTH) {

1276
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, "max: %u",

1277
                       ARGON2_MAX_PWD_LENGTH);

1278
        goto fail;

1279
    }

1280


1281
    ctx->pwdlen = (uint32_t) buflen;

1282
    return 1;

1283


1284
fail:

1285
    OPENSSL_free(ctx->pwd);

1286
    ctx->pwd = NULL;

1287
    ctx->pwdlen = 0U;

1288
    return 0;

1289
}

1290


1291
static int kdf_argon2_ctx_set_salt(KDF_ARGON2 *ctx, const OSSL_PARAM *p)

1292
{

1293
    size_t buflen;

1294


1295
    if (p->data == NULL)

1296
        return 0;

1297


1298
    if (ctx->salt != NULL) {

1299
        OPENSSL_clear_free(ctx->salt, ctx->saltlen);

1300
        ctx->salt = NULL;

1301
        ctx->saltlen = 0U;

1302
    }

1303


1304
    if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->salt, 0, &buflen))

1305
        return 0;

1306


1307
    if (buflen < ARGON2_MIN_SALT_LENGTH) {

1308
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, "min: %u",

1309
                       ARGON2_MIN_SALT_LENGTH);

1310
        goto fail;

1311
    }

1312


1313
    if (buflen > ARGON2_MAX_SALT_LENGTH) {

1314
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, "max: %u",

1315
                       ARGON2_MAX_SALT_LENGTH);

1316
        goto fail;

1317
    }

1318


1319
    ctx->saltlen = (uint32_t) buflen;

1320
    return 1;

1321


1322
fail:

1323
    OPENSSL_free(ctx->salt);

1324
    ctx->salt = NULL;

1325
    ctx->saltlen = 0U;

1326
    return 0;

1327
}

1328


1329
static int kdf_argon2_ctx_set_ad(KDF_ARGON2 *ctx, const OSSL_PARAM *p)

1330
{

1331
    size_t buflen;

1332


1333
    if (p->data == NULL)

1334
        return 0;

1335


1336
    if (ctx->ad != NULL) {

1337
        OPENSSL_clear_free(ctx->ad, ctx->adlen);

1338
        ctx->ad = NULL;

1339
        ctx->adlen = 0U;

1340
    }

1341


1342
    if (!OSSL_PARAM_get_octet_string(p, (void **)&ctx->ad, 0, &buflen))

1343
        return 0;

1344


1345
    if (buflen > ARGON2_MAX_AD_LENGTH) {

1346
        OPENSSL_free(ctx->ad);

1347
        ctx->ad = NULL;

1348
        ctx->adlen = 0U;

1349
        return 0;

1350
    }

1351


1352
    ctx->adlen = (uint32_t) buflen;

1353
    return 1;

1354
}

1355


1356
static void kdf_argon2_ctx_set_flag_early_clean(KDF_ARGON2 *ctx, uint32_t f)

1357
{

1358
    ctx->early_clean = !!(f);

1359
}

1360


1361
static int kdf_argon2_ctx_set_version(KDF_ARGON2 *ctx, uint32_t version)

1362
{

1363
    switch (version) {

1364
    case ARGON2_VERSION_10:

1365
    case ARGON2_VERSION_13:

1366
        ctx->version = version;

1367
        return 1;

1368
    default:

1369
        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MODE,

1370
                       "invalid Argon2 version");

1371
        return 0;

1372
    }

1373
}

1374


1375
static int set_property_query(KDF_ARGON2 *ctx, const char *propq)

1376
{

1377
    OPENSSL_free(ctx->propq);

1378
    ctx->propq = NULL;

1379
    if (propq != NULL) {

1380
        ctx->propq = OPENSSL_strdup(propq);

1381
        if (ctx->propq == NULL)

1382
            return 0;

1383
    }

1384
    EVP_MD_free(ctx->md);

1385
    ctx->md = NULL;

1386
    EVP_MAC_free(ctx->mac);

1387
    ctx->mac = NULL;

1388
    return 1;

1389
}

1390


1391
static int kdf_argon2_set_ctx_params(void *vctx, const OSSL_PARAM params[])

1392
{

1393
    const OSSL_PARAM *p;

1394
    KDF_ARGON2 *ctx;

1395
    uint32_t u32_value;

1396


1397
    if (ossl_param_is_empty(params))

1398
        return 1;

1399


1400
    ctx = (KDF_ARGON2 *) vctx;

1401
    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)

1402
        if (!kdf_argon2_ctx_set_pwd(ctx, p))

1403
            return 0;

1404


1405
    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL)

1406
        if (!kdf_argon2_ctx_set_salt(ctx, p))

1407
            return 0;

1408


1409
    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL)

1410
        if (!kdf_argon2_ctx_set_secret(ctx, p))

1411
            return 0;

1412


1413
    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ARGON2_AD)) != NULL)

1414
        if (!kdf_argon2_ctx_set_ad(ctx, p))

1415
            return 0;

1416


1417
    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SIZE)) != NULL) {

1418
        if (!OSSL_PARAM_get_uint32(p, &u32_value))

1419
            return 0;

1420
        if (!kdf_argon2_ctx_set_out_length(ctx, u32_value))

1421
            return 0;

1422
    }

1423


1424
    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ITER)) != NULL) {

1425
        if (!OSSL_PARAM_get_uint32(p, &u32_value))

1426
            return 0;

1427
        if (!kdf_argon2_ctx_set_t_cost(ctx, u32_value))

1428
            return 0;

1429
    }

1430


1431
    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_THREADS)) != NULL) {

1432
        if (!OSSL_PARAM_get_uint32(p, &u32_value))

1433
            return 0;

1434
        if (!kdf_argon2_ctx_set_threads(ctx, u32_value))

1435
            return 0;

1436
    }

1437


1438
    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ARGON2_LANES)) != NULL) {

1439
        if (!OSSL_PARAM_get_uint32(p, &u32_value))

1440
            return 0;

1441
        if (!kdf_argon2_ctx_set_lanes(ctx, u32_value))

1442
            return 0;

1443
    }

1444


1445
    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ARGON2_MEMCOST)) != NULL) {

1446
        if (!OSSL_PARAM_get_uint32(p, &u32_value))

1447
            return 0;

1448
        if (!kdf_argon2_ctx_set_m_cost(ctx, u32_value))

1449
            return 0;

1450
    }

1451


1452
    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_EARLY_CLEAN)) != NULL) {

1453
        if (!OSSL_PARAM_get_uint32(p, &u32_value))

1454
            return 0;

1455
        kdf_argon2_ctx_set_flag_early_clean(ctx, u32_value);

1456
    }

1457


1458
    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_ARGON2_VERSION)) != NULL) {

1459
        if (!OSSL_PARAM_get_uint32(p, &u32_value))

1460
            return 0;

1461
        if (!kdf_argon2_ctx_set_version(ctx, u32_value))

1462
            return 0;

1463
    }

1464


1465
    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PROPERTIES)) != NULL) {

1466
        if (p->data_type != OSSL_PARAM_UTF8_STRING

1467
            || !set_property_query(ctx, p->data))

1468
            return 0;

1469
    }

1470


1471
    return 1;

1472
}

1473


1474
static const OSSL_PARAM *kdf_argon2_settable_ctx_params(ossl_unused void *ctx,

1475
                                                        ossl_unused void *p_ctx)

1476
{

1477
    static const OSSL_PARAM known_settable_ctx_params[] = {

1478
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0),

1479
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),

1480
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SECRET, NULL, 0),

1481
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_ARGON2_AD, NULL, 0),

1482
        OSSL_PARAM_uint32(OSSL_KDF_PARAM_SIZE, NULL),

1483
        OSSL_PARAM_uint32(OSSL_KDF_PARAM_ITER, NULL),

1484
        OSSL_PARAM_uint32(OSSL_KDF_PARAM_THREADS, NULL),

1485
        OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_LANES, NULL),

1486
        OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_MEMCOST, NULL),

1487
        OSSL_PARAM_uint32(OSSL_KDF_PARAM_EARLY_CLEAN, NULL),

1488
        OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_VERSION, NULL),

1489
        OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),

1490
        OSSL_PARAM_END

1491
    };

1492


1493
    return known_settable_ctx_params;

1494
}

1495


1496
static int kdf_argon2_get_ctx_params(void *vctx, OSSL_PARAM params[])

1497
{

1498
    OSSL_PARAM *p;

1499


1500
    (void) vctx;

1501
    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)

1502
        return OSSL_PARAM_set_size_t(p, SIZE_MAX);

1503


1504
    return -2;

1505
}

1506


1507
static const OSSL_PARAM *kdf_argon2_gettable_ctx_params(ossl_unused void *ctx,

1508
                                                        ossl_unused void *p_ctx)

1509
{

1510
    static const OSSL_PARAM known_gettable_ctx_params[] = {

1511
        OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),

1512
        OSSL_PARAM_END

1513
    };

1514


1515
    return known_gettable_ctx_params;

1516
}

1517


1518
const OSSL_DISPATCH ossl_kdf_argon2i_functions[] = {

1519
    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_argon2i_new },

1520
    { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_argon2_free },

1521
    { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_argon2_reset },

1522
    { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_argon2_derive },

1523
    { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,

1524
      (void(*)(void))kdf_argon2_settable_ctx_params },

1525
    { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_argon2_set_ctx_params },

1526
    { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,

1527
      (void(*)(void))kdf_argon2_gettable_ctx_params },

1528
    { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_argon2_get_ctx_params },

1529
    OSSL_DISPATCH_END

1530
};

1531


1532
const OSSL_DISPATCH ossl_kdf_argon2d_functions[] = {

1533
    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_argon2d_new },

1534
    { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_argon2_free },

1535
    { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_argon2_reset },

1536
    { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_argon2_derive },

1537
    { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,

1538
      (void(*)(void))kdf_argon2_settable_ctx_params },

1539
    { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_argon2_set_ctx_params },

1540
    { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,

1541
      (void(*)(void))kdf_argon2_gettable_ctx_params },

1542
    { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_argon2_get_ctx_params },

1543
    OSSL_DISPATCH_END

1544
};

1545


1546
const OSSL_DISPATCH ossl_kdf_argon2id_functions[] = {

1547
    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_argon2id_new },

1548
    { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_argon2_free },

1549
    { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_argon2_reset },

1550
    { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_argon2_derive },

1551
    { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,

1552
      (void(*)(void))kdf_argon2_settable_ctx_params },

1553
    { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_argon2_set_ctx_params },

1554
    { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,

1555
      (void(*)(void))kdf_argon2_gettable_ctx_params },

1556
    { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_argon2_get_ctx_params },

1557
    OSSL_DISPATCH_END

1558
};

1559


1560
#endif

1561


1562