mirrors/cosmopolitan
1
0
Fork 0
mirror of https://github.com/jart/cosmopolitan.git synced 2025-01-31 03:27:39 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
cosmopolitan/third_party/argon2
History
Justine Tunney 957c61cbbf
Release Cosmopolitan v3.3 
This change upgrades to GCC 12.3 and GNU binutils 2.42. The GNU linker
appears to have changed things so that only a single de-duplicated str
table is present in the binary, and it gets placed wherever the linker
wants, regardless of what the linker script says. To cope with that we
need to stop using .ident to embed licenses. As such, this change does
significant work to revamp how third party licenses are defined in the
codebase, using `.section .notice,"aR",@progbits`.

This new GCC 12.3 toolchain has support for GNU indirect functions. It
lets us support __target_clones__ for the first time. This is used for
optimizing the performance of libc string functions such as strlen and
friends so far on x86, by ensuring AVX systems favor a second codepath
that uses VEX encoding. It shaves some latency off certain operations.
It's a useful feature to have for scientific computing for the reasons
explained by the test/libcxx/openmp_test.cc example which compiles for
fifteen different microarchitectures. Thanks to the upgrades, it's now
also possible to use newer instruction sets, such as AVX512FP16, VNNI.

Cosmo now uses the %gs register on x86 by default for TLS. Doing it is
helpful for any program that links `cosmo_dlopen()`. Such programs had
to recompile their binaries at startup to change the TLS instructions.
That's not great, since it means every page in the executable needs to
be faulted. The work of rewriting TLS-related x86 opcodes, is moved to
fixupobj.com instead. This is great news for MacOS x86 users, since we
previously needed to morph the binary every time for that platform but
now that's no longer necessary. The only platforms where we need fixup
of TLS x86 opcodes at runtime are now Windows, OpenBSD, and NetBSD. On
Windows we morph TLS to point deeper into the TIB, based on a TlsAlloc
assignment, and on OpenBSD/NetBSD we morph %gs back into %fs since the
kernels do not allow us to specify a value for the %gs register.

OpenBSD users are now required to use APE Loader to run Cosmo binaries
and assimilation is no longer possible. OpenBSD kernel needs to change
to allow programs to specify a value for the %gs register, or it needs
to stop marking executable pages loaded by the kernel as mimmutable().

This release fixes __constructor__, .ctor, .init_array, and lastly the
.preinit_array so they behave the exact same way as glibc.

We no longer use hex constants to define math.h symbols like M_PI.
2024-02-20 13:27:59 -08:00
..
argon2.c Release Cosmopolitan v3.3 2024-02-20 13:27:59 -08:00
argon2.h Reduce header complexity 2023-11-28 14:39:42 -08:00
blake2-impl.h Reduce header complexity 2023-11-28 14:39:42 -08:00
blake2.h Reduce header complexity 2023-11-28 14:39:42 -08:00
blake2b.c Release Cosmopolitan v3.3 2024-02-20 13:27:59 -08:00
blamka-round-ref.h Reduce header complexity 2023-11-28 14:39:42 -08:00
BUILD.mk more modeline errata (#1019) 2023-12-16 23:07:10 -05:00
core.c Release Cosmopolitan v3.3 2024-02-20 13:27:59 -08:00
core.h Reduce header complexity 2023-11-28 14:39:42 -08:00
encoding.c Release Cosmopolitan v3.3 2024-02-20 13:27:59 -08:00
encoding.h Reduce header complexity 2023-11-28 14:39:42 -08:00
LICENSE Revert whitespace fixes to third_party (#501) 2022-07-21 21:46:07 -07:00
README.md Make numerous improvements 2021-09-28 01:52:34 -07:00
ref.c Release Cosmopolitan v3.3 2024-02-20 13:27:59 -08:00

README.md

Argon2

Build Status Build status codecov.io

This is the reference C implementation of Argon2, the password-hashing function that won the Password Hashing Competition (PHC).

Argon2 is a password-hashing function that summarizes the state of the art in the design of memory-hard functions and can be used to hash passwords for credential storage, key derivation, or other applications.

It has a simple design aimed at the highest memory filling rate and effective use of multiple computing units, while still providing defense against tradeoff attacks (by exploiting the cache and memory organization of the recent processors).

Argon2 has three variants: Argon2i, Argon2d, and Argon2id. Argon2d is faster and uses data-depending memory access, which makes it highly resistant against GPU cracking attacks and suitable for applications with no threats from side-channel timing attacks (eg. cryptocurrencies). Argon2i instead uses data-independent memory access, which is preferred for password hashing and password-based key derivation, but it is slower as it makes more passes over the memory to protect from tradeoff attacks. Argon2id is a hybrid of Argon2i and Argon2d, using a combination of data-depending and data-independent memory accesses, which gives some of Argon2i's resistance to side-channel cache timing attacks and much of Argon2d's resistance to GPU cracking attacks.

Argon2i, Argon2d, and Argon2id are parametrized by:

  • A time cost, which defines the amount of computation realized and therefore the execution time, given in number of iterations
  • A memory cost, which defines the memory usage, given in kibibytes
  • A parallelism degree, which defines the number of parallel threads

The Argon2 document gives detailed specs and design rationale.

Please report bugs as issues on this repository.

Usage

make builds the executable argon2, the static library libargon2.a, and the shared library libargon2.so (or on macOS, the dynamic library libargon2.dylib -- make sure to specify the installation prefix when you compile: make PREFIX=/usr). Make sure to run make test to verify that your build produces valid results. sudo make install PREFIX=/usr installs it to your system.

Command-line utility

argon2 is a command-line utility to test specific Argon2 instances on your system. To show usage instructions, run ./argon2 -h as

Usage:  ./argon2 [-h] salt [-i|-d|-id] [-t iterations] [-m memory] [-p parallelism] [-l hash length] [-e|-r] [-v (10|13)]
        Password is read from stdin
Parameters:
        salt            The salt to use, at least 8 characters
        -i              Use Argon2i (this is the default)
        -d              Use Argon2d instead of Argon2i
        -id             Use Argon2id instead of Argon2i
        -t N            Sets the number of iterations to N (default = 3)
        -m N            Sets the memory usage of 2^N KiB (default 12)
        -p N            Sets parallelism to N threads (default 1)
        -l N            Sets hash output length to N bytes (default 32)
        -e              Output only encoded hash
        -r              Output only the raw bytes of the hash
        -v (10|13)      Argon2 version (defaults to the most recent version, currently 13)
        -h              Print argon2 usage

For example, to hash "password" using "somesalt" as a salt and doing 2 iterations, consuming 64 MiB, using four parallel threads and an output hash of 24 bytes

$ echo -n "password" | ./argon2 somesalt -t 2 -m 16 -p 4 -l 24
Type:           Argon2i
Iterations:     2
Memory:         65536 KiB
Parallelism:    4
Hash:           45d7ac72e76f242b20b77b9bf9bf9d5915894e669a24e6c6
Encoded:        $argon2i$v=19$m=65536,t=2,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG
0.188 seconds
Verification ok

Library

libargon2 provides an API to both low-level and high-level functions for using Argon2.

The example program below hashes the string "password" with Argon2i using the high-level API and then using the low-level API. While the high-level API takes the three cost parameters (time, memory, and parallelism), the password input buffer, the salt input buffer, and the output buffers, the low-level API takes in these and additional parameters , as defined in include/argon2.h.

There are many additional parameters, but we will highlight three of them here.

  1. The secret parameter, which is used for keyed hashing. This allows a secret key to be input at hashing time (from some external location) and be folded into the value of the hash. This means that even if your salts and hashes are compromised, an attacker cannot brute-force to find the password without the key.

  2. The ad parameter, which is used to fold any additional data into the hash value. Functionally, this behaves almost exactly like the secret or salt parameters; the ad parameter is folding into the value of the hash. However, this parameter is used for different data. The salt should be a random string stored alongside your password. The secret should be a random key only usable at hashing time. The ad is for any other data.

  3. The flags parameter, which determines which memory should be securely erased. This is useful if you want to securely delete the pwd or secret fields right after they are used. To do this set flags to either ARGON2_FLAG_CLEAR_PASSWORD or ARGON2_FLAG_CLEAR_SECRET. To change how internal memory is cleared, change the global flag FLAG_clear_internal_memory (defaults to clearing internal memory).

Here the time cost t_cost is set to 2 iterations, the memory cost m_cost is set to 216 kibibytes (64 mebibytes), and parallelism is set to 1 (single-thread).

Compile for example as gcc test.c libargon2.a -Isrc -o test, if the program below is named test.c and placed in the project's root directory.

#include "third_party/argon2/argon2.h"

#define HASHLEN 32
#define SALTLEN 16
#define PWD "password"

int main(void)
{
    uint8_t hash1[HASHLEN];
    uint8_t hash2[HASHLEN];

    uint8_t salt[SALTLEN];
    memset( salt, 0x00, SALTLEN );

    uint8_t *pwd = (uint8_t *)strdup(PWD);
    uint32_t pwdlen = strlen((char *)pwd);

    uint32_t t_cost = 2;            // 2-pass computation
    uint32_t m_cost = (1<<16);      // 64 mebibytes memory usage
    uint32_t parallelism = 1;       // number of threads and lanes

    // high-level API
    argon2i_hash_raw(t_cost, m_cost, parallelism, pwd, pwdlen, salt, SALTLEN, hash1, HASHLEN);

    // low-level API
    argon2_context context = {
        hash2,  /* output array, at least HASHLEN in size */
        HASHLEN, /* digest length */
        pwd, /* password array */
        pwdlen, /* password length */
        salt,  /* salt array */
        SALTLEN, /* salt length */
        NULL, 0, /* optional secret data */
        NULL, 0, /* optional associated data */
        t_cost, m_cost, parallelism, parallelism,
        ARGON2_VERSION_13, /* algorithm version */
        NULL, NULL, /* custom memory allocation / deallocation functions */
        /* by default only internal memory is cleared (pwd is not wiped) */
        ARGON2_DEFAULT_FLAGS
    };

    int rc = argon2i_ctx( &context );
    if(ARGON2_OK != rc) {
        printf("Error: %s\n", argon2_error_message(rc));
        exit(1);
    }
    free(pwd);

    for( int i=0; i<HASHLEN; ++i ) printf( "%02x", hash1[i] ); printf( "\n" );
    if (memcmp(hash1, hash2, HASHLEN)) {
        for( int i=0; i<HASHLEN; ++i ) {
            printf( "%02x", hash2[i] );
        }
        printf("\nfail\n");
    }
    else printf("ok\n");
    return 0;
}

To use Argon2d instead of Argon2i call argon2d_hash_raw instead of argon2i_hash_raw using the high-level API, and argon2d instead of argon2i using the low-level API. Similarly for Argon2id, call argon2id_hash_raw and argon2id.

To produce the crypt-like encoding rather than the raw hash, call argon2i_hash_encoded for Argon2i, argon2d_hash_encoded for Argon2d, and argon2id_hash_encoded for Argon2id

See include/argon2.h for API details.

Note: in this example the salt is set to the all-0x00 string for the sake of simplicity, but in your application you should use a random salt.

Benchmarks

make bench creates the executable bench, which measures the execution time of various Argon2 instances:

$ ./bench
Argon2d 1 iterations  1 MiB 1 threads:  5.91 cpb 5.91 Mcycles
Argon2i 1 iterations  1 MiB 1 threads:  4.64 cpb 4.64 Mcycles
0.0041 seconds

Argon2d 1 iterations  1 MiB 2 threads:  2.76 cpb 2.76 Mcycles
Argon2i 1 iterations  1 MiB 2 threads:  2.87 cpb 2.87 Mcycles
0.0038 seconds

Argon2d 1 iterations  1 MiB 4 threads:  3.25 cpb 3.25 Mcycles
Argon2i 1 iterations  1 MiB 4 threads:  3.57 cpb 3.57 Mcycles
0.0048 seconds

(...)

Argon2d 1 iterations  4096 MiB 2 threads:  2.15 cpb 8788.08 Mcycles
Argon2i 1 iterations  4096 MiB 2 threads:  2.15 cpb 8821.59 Mcycles
13.0112 seconds

Argon2d 1 iterations  4096 MiB 4 threads:  1.79 cpb 7343.72 Mcycles
Argon2i 1 iterations  4096 MiB 4 threads:  2.72 cpb 11124.86 Mcycles
19.3974 seconds

(...)

Bindings

Bindings are available for the following languages (make sure to read their documentation):

Test suite

There are two sets of test suites. One is a low level test for the hash function, the other tests the higher level API. Both of these are built and executed by running:

make test

Intellectual property

Except for the components listed below, the Argon2 code in this repository is copyright (c) 2015 Daniel Dinu, Dmitry Khovratovich (main authors), Jean-Philippe Aumasson and Samuel Neves, and dual licensed under the CC0 License and the Apache 2.0 License. For more info see the LICENSE file.

The string encoding routines in src/encoding.c are copyright (c) 2015 Thomas Pornin, and under CC0 License.

The BLAKE2 code in src/blake2/ is copyright (c) Samuel Neves, 2013-2015, and under CC0 License.

All licenses are therefore GPL-compatible.