1
0

argon2.c 25 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623
  1. /*
  2. * Implementation of the Argon2 password hash function.
  3. *
  4. * My sources for the algorithm description and test vectors (the latter in
  5. * test/cryptsuite.py) were the reference implementation on Github, and also
  6. * the Internet-Draft description:
  7. *
  8. * https://github.com/P-H-C/phc-winner-argon2
  9. * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-argon2-13
  10. */
  11. #include <assert.h>
  12. #ifndef WINSCP_VS
  13. #include "putty.h"
  14. #endif
  15. #include "ssh.h"
  16. #include "marshal.h"
  17. #ifndef WINSCP_VS
  18. /* ----------------------------------------------------------------------
  19. * Argon2 uses data marshalling rules similar to SSH but with 32-bit integers
  20. * stored little-endian. Start with some local BinarySink routines for storing
  21. * a uint32 and a string in that fashion.
  22. */
  23. static void BinarySink_put_uint32_le(BinarySink *bs, unsigned long val)
  24. {
  25. unsigned char data[4];
  26. PUT_32BIT_LSB_FIRST(data, val);
  27. bs->write(bs, data, sizeof(data));
  28. }
  29. static void BinarySink_put_stringpl_le(BinarySink *bs, ptrlen pl)
  30. {
  31. /* Check that the string length fits in a uint32, without doing a
  32. * potentially implementation-defined shift of more than 31 bits */
  33. assert((pl.len >> 31) < 2);
  34. BinarySink_put_uint32_le(bs, pl.len);
  35. bs->write(bs, pl.ptr, pl.len);
  36. }
  37. #define put_uint32_le(bs, val) \
  38. BinarySink_put_uint32_le(BinarySink_UPCAST(bs), val)
  39. #define put_stringpl_le(bs, val) \
  40. BinarySink_put_stringpl_le(BinarySink_UPCAST(bs), val)
  41. /* ----------------------------------------------------------------------
  42. * Argon2 defines a hash-function family that's an extension of BLAKE2b to
  43. * generate longer output digests, by repeatedly outputting half of a BLAKE2
  44. * hash output and then re-hashing the whole thing until there are 64 or fewer
  45. * bytes left to output. The spec calls this H' (a variant of the original
  46. * hash it calls H, which is the unmodified BLAKE2b).
  47. */
  48. static ssh_hash *hprime_new(unsigned length)
  49. {
  50. ssh_hash *h = blake2b_new_general(length > 64 ? 64 : length);
  51. put_uint32_le(h, length);
  52. return h;
  53. }
  54. static void hprime_final(ssh_hash *h, unsigned length, void *vout)
  55. {
  56. uint8_t *out = (uint8_t *)vout;
  57. while (length > 64) {
  58. uint8_t hashbuf[64];
  59. ssh_hash_final(h, hashbuf);
  60. memcpy(out, hashbuf, 32);
  61. out += 32;
  62. length -= 32;
  63. h = blake2b_new_general(length > 64 ? 64 : length);
  64. put_data(h, hashbuf, 64);
  65. smemclr(hashbuf, sizeof(hashbuf));
  66. }
  67. ssh_hash_final(h, out);
  68. }
  69. /* Externally visible entry point for the long hash function. This is only
  70. * used by testcrypt, so it would be overkill to set it up like a proper
  71. * ssh_hash. */
  72. strbuf *argon2_long_hash(unsigned length, ptrlen data)
  73. {
  74. ssh_hash *h = hprime_new(length);
  75. put_datapl(h, data);
  76. { // WINSCP
  77. strbuf *out = strbuf_new();
  78. hprime_final(h, length, strbuf_append(out, length));
  79. return out;
  80. } // WINSCP
  81. }
  82. #endif
  83. /* ----------------------------------------------------------------------
  84. * Argon2's own mixing function G, which operates on 1Kb blocks of data.
  85. *
  86. * The definition of G in the spec takes two 1Kb blocks as input and produces
  87. * a 1Kb output block. The first thing that happens to the input blocks is
  88. * that they get XORed together, and then only the XOR output is used, so you
  89. * could perfectly well regard G as a 1Kb->1Kb function.
  90. */
  91. #ifdef WINSCP_VS
  92. static inline uint64_t ror(uint64_t x, unsigned rotation)
  93. {
  94. #pragma warning(suppress: 4068)
  95. #pragma warning(suppress: 4146)
  96. unsigned lshift = 63 & -rotation, rshift = 63 & rotation;
  97. return (x << lshift) | (x >> rshift);
  98. }
  99. static inline uint64_t trunc32(uint64_t x)
  100. {
  101. return x & 0xFFFFFFFF;
  102. }
  103. /* Internal function similar to the BLAKE2b round, which mixes up four 64-bit
  104. * words */
  105. static inline void GB(uint64_t *a, uint64_t *b, uint64_t *c, uint64_t *d)
  106. {
  107. *a += *b + 2 * trunc32(*a) * trunc32(*b);
  108. *d = ror(*d ^ *a, 32);
  109. *c += *d + 2 * trunc32(*c) * trunc32(*d);
  110. *b = ror(*b ^ *c, 24);
  111. *a += *b + 2 * trunc32(*a) * trunc32(*b);
  112. *d = ror(*d ^ *a, 16);
  113. *c += *d + 2 * trunc32(*c) * trunc32(*d);
  114. *b = ror(*b ^ *c, 63);
  115. }
  116. /* Higher-level internal function which mixes up sixteen 64-bit words. This is
  117. * applied to different subsets of the 128 words in a kilobyte block, and the
  118. * API here is designed to make it easy to apply in the circumstances the spec
  119. * requires. In every call, the sixteen words form eight pairs adjacent in
  120. * memory, whose addresses are in arithmetic progression. So the 16 input
  121. * words are in[0], in[1], in[instep], in[instep+1], ..., in[7*instep],
  122. * in[7*instep+1], and the 16 output words similarly. */
  123. static inline void P(uint64_t *out, unsigned outstep,
  124. uint64_t *in, unsigned instep)
  125. {
  126. unsigned i; // WINSCP
  127. for (i = 0; i < 8; i++) {
  128. out[i*outstep] = in[i*instep];
  129. out[i*outstep+1] = in[i*instep+1];
  130. }
  131. GB(out+0*outstep+0, out+2*outstep+0, out+4*outstep+0, out+6*outstep+0);
  132. GB(out+0*outstep+1, out+2*outstep+1, out+4*outstep+1, out+6*outstep+1);
  133. GB(out+1*outstep+0, out+3*outstep+0, out+5*outstep+0, out+7*outstep+0);
  134. GB(out+1*outstep+1, out+3*outstep+1, out+5*outstep+1, out+7*outstep+1);
  135. GB(out+0*outstep+0, out+2*outstep+1, out+5*outstep+0, out+7*outstep+1);
  136. GB(out+0*outstep+1, out+3*outstep+0, out+5*outstep+1, out+6*outstep+0);
  137. GB(out+1*outstep+0, out+3*outstep+1, out+4*outstep+0, out+6*outstep+1);
  138. GB(out+1*outstep+1, out+2*outstep+0, out+4*outstep+1, out+7*outstep+0);
  139. }
  140. #endif
  141. /* The full G function, taking input blocks X and Y. The result of G is most
  142. * often XORed into an existing output block, so this API is designed with
  143. * that in mind: the mixing function's output is always XORed into whatever
  144. * 1Kb of data is already at 'out'. */
  145. /*static*/ void G_xor(uint8_t *out, const uint8_t *X, const uint8_t *Y)
  146. #ifndef WINSCP_VS
  147. ;
  148. #else
  149. {
  150. uint64_t R[128], Q[128], Z[128];
  151. unsigned i; // WINSCP
  152. for (i = 0; i < 128; i++)
  153. R[i] = GET_64BIT_LSB_FIRST(X + 8*i) ^ GET_64BIT_LSB_FIRST(Y + 8*i);
  154. for (i = 0; i < 8; i++) // WINSCP
  155. P(Q+16*i, 2, R+16*i, 2);
  156. for (i = 0; i < 8; i++) // WINSCP
  157. P(Z+2*i, 16, Q+2*i, 16);
  158. for (i = 0; i < 128; i++) // WINSCP
  159. PUT_64BIT_LSB_FIRST(out + 8*i,
  160. GET_64BIT_LSB_FIRST(out + 8*i) ^ R[i] ^ Z[i]);
  161. smemclr(R, sizeof(R));
  162. smemclr(Q, sizeof(Q));
  163. smemclr(Z, sizeof(Z));
  164. }
  165. #endif
  166. struct blk { uint8_t data[1024]; };
  167. #ifndef WINSCP_VS
  168. void argon2_internal_vs(size_t jstart, size_t SL, size_t q, unsigned slice, bool d_mode, struct blk *B, size_t i, uint32_t p, struct blk * pin2i, size_t pass, size_t mprime, uint32_t t, uint32_t y, struct blk * ptmp2i, struct blk * pout2i);
  169. /* ----------------------------------------------------------------------
  170. * The main Argon2 function.
  171. */
  172. static void argon2_internal(uint32_t p, uint32_t T, uint32_t m, uint32_t t,
  173. uint32_t y, ptrlen P, ptrlen S, ptrlen K, ptrlen X,
  174. uint8_t *out)
  175. {
  176. /*
  177. * Start by hashing all the input data together: the four string arguments
  178. * (password P, salt S, optional secret key K, optional associated data
  179. * X), plus all the parameters for the function's memory and time usage.
  180. *
  181. * The output of this hash is the sole input to the subsequent mixing
  182. * step: Argon2 does not preserve any more entropy from the inputs, it
  183. * just makes it extra painful to get the final answer.
  184. */
  185. uint8_t h0[64];
  186. {
  187. ssh_hash *h = blake2b_new_general(64);
  188. put_uint32_le(h, p);
  189. put_uint32_le(h, T);
  190. put_uint32_le(h, m);
  191. put_uint32_le(h, t);
  192. put_uint32_le(h, 0x13); /* hash function version number */
  193. put_uint32_le(h, y);
  194. put_stringpl_le(h, P);
  195. put_stringpl_le(h, S);
  196. put_stringpl_le(h, K);
  197. put_stringpl_le(h, X);
  198. ssh_hash_final(h, h0);
  199. }
  200. { // WINSCP
  201. // WINSCP struct blk { uint8_t data[1024]; };
  202. /*
  203. * Array of 1Kb blocks. The total size is (approximately) m, the
  204. * caller-specified parameter for how much memory to use; the blocks are
  205. * regarded as a rectangular array of p rows ('lanes') by q columns, where
  206. * p is the 'parallelism' input parameter (the lanes can be processed
  207. * concurrently up to a point) and q is whatever makes the product pq come
  208. * to m.
  209. *
  210. * Additionally, each row is divided into four equal 'segments', which are
  211. * important to the way the algorithm decides which blocks to use as input
  212. * to each step of the function.
  213. *
  214. * The term 'slice' refers to a whole set of vertically aligned segments,
  215. * i.e. slice 0 is the whole left quarter of the array, and slice 3 the
  216. * whole right quarter.
  217. */
  218. size_t SL = m / (4*p); /* segment length: # of 1Kb blocks in a segment */
  219. size_t q = 4 * SL; /* width of the array: 4 segments times SL */
  220. size_t mprime = q * p; /* total size of the array, approximately m */
  221. /* Allocate the memory. */
  222. struct blk *B = snewn(mprime, struct blk);
  223. memset(B, 0, mprime * sizeof(struct blk));
  224. /*
  225. * Initial setup: fill the first two full columns of the array with data
  226. * expanded from the starting hash h0. Each block is the result of using
  227. * the long-output hash function H' to hash h0 itself plus the block's
  228. * coordinates in the array.
  229. */
  230. { // WINSCP
  231. size_t i; // WINSCP
  232. for (i = 0; i < p; i++) {
  233. ssh_hash *h = hprime_new(1024);
  234. put_data(h, h0, 64);
  235. put_uint32_le(h, 0);
  236. put_uint32_le(h, i);
  237. hprime_final(h, 1024, B[i].data);
  238. }
  239. for (i = 0; i < p; i++) { // WINSCP
  240. ssh_hash *h = hprime_new(1024);
  241. put_data(h, h0, 64);
  242. put_uint32_le(h, 1);
  243. put_uint32_le(h, i);
  244. hprime_final(h, 1024, B[i+p].data);
  245. }
  246. /*
  247. * Declarations for the main loop.
  248. *
  249. * The basic structure of the main loop is going to involve processing the
  250. * array one whole slice (vertically divided quarter) at a time. Usually
  251. * we'll write a new value into every single block in the slice, except
  252. * that in the initial slice on the first pass, we've already written
  253. * values into the first two columns during the initial setup above. So
  254. * 'jstart' indicates the starting index in each segment we process; it
  255. * starts off as 2 so that we don't overwrite the initial setup, and then
  256. * after the first slice is done, we set it to 0, and it stays there.
  257. *
  258. * d_mode indicates whether we're being data-dependent (true) or
  259. * data-independent (false). In the hybrid Argon2id mode, we start off
  260. * independent, and then once we've mixed things up enough, switch over to
  261. * dependent mode to force long serial chains of computation.
  262. */
  263. { // WINSCP
  264. size_t jstart = 2;
  265. bool d_mode = (y == 0);
  266. struct blk out2i, tmp2i, in2i;
  267. /* Outermost loop: t whole passes from left to right over the array */
  268. size_t pass; // WINSCP
  269. for (pass = 0; pass < t; pass++) {
  270. /* Within that, we process the array in its four main slices */
  271. unsigned slice; // WINSCP
  272. for (slice = 0; slice < 4; slice++) {
  273. /* In Argon2id mode, if we're half way through the first pass,
  274. * this is the moment to switch d_mode from false to true */
  275. if (pass == 0 && slice == 2 && y == 2)
  276. d_mode = true;
  277. /* Loop over every segment in the slice (i.e. every row). So i is
  278. * the y-coordinate of each block we process. */
  279. { // WINSCP
  280. size_t i; // WINSCP
  281. for (i = 0; i < p; i++) {
  282. argon2_internal_vs(jstart, SL, q, slice, d_mode, B, i, p, &in2i, pass, mprime, t, y, &tmp2i, &out2i); // WINSCP
  283. #endif
  284. #ifdef WINSCP_VS
  285. void argon2_internal_vs(size_t jstart, size_t SL, size_t q, unsigned slice, bool d_mode, struct blk *B, size_t i, uint32_t p, struct blk * pin2i, size_t pass, size_t mprime, uint32_t t, uint32_t y, struct blk * ptmp2i, struct blk * pout2i)
  286. {
  287. #define in2i (*pin2i)
  288. #define tmp2i (*ptmp2i)
  289. #define out2i (*pout2i)
  290. /* And within that segment, process the blocks from left to
  291. * right, starting at 'jstart' (usually 0, but 2 in the first
  292. * slice). */
  293. size_t jpre; // WINSCP
  294. for (jpre = jstart; jpre < SL; jpre++) {
  295. /* j is the x-coordinate of each block we process, made up
  296. * of the slice number and the index 'jpre' within the
  297. * segment. */
  298. size_t j = slice * SL + jpre;
  299. /* jm1 is j-1 (mod q) */
  300. uint32_t jm1 = (j == 0 ? q-1 : j-1);
  301. /*
  302. * Construct two 32-bit pseudorandom integers J1 and J2.
  303. * This is the part of the algorithm that varies between
  304. * the data-dependent and independent modes.
  305. */
  306. uint32_t J1, J2;
  307. if (d_mode) {
  308. /*
  309. * Data-dependent: grab the first 64 bits of the block
  310. * to the left of this one.
  311. */
  312. J1 = GET_32BIT_LSB_FIRST(B[i + p * jm1].data);
  313. J2 = GET_32BIT_LSB_FIRST(B[i + p * jm1].data + 4);
  314. } else {
  315. /*
  316. * Data-independent: generate pseudorandom data by
  317. * hashing a sequence of preimage blocks that include
  318. * all our input parameters, plus the coordinates of
  319. * this point in the algorithm (array position and
  320. * pass number) to make all the hash outputs distinct.
  321. *
  322. * The hash we use is G itself, applied twice. So we
  323. * generate 1Kb of data at a time, which is enough for
  324. * 128 (J1,J2) pairs. Hence we only need to do the
  325. * hashing if our index within the segment is a
  326. * multiple of 128, or if we're at the very start of
  327. * the algorithm (in which case we started at 2 rather
  328. * than 0). After that we can just keep picking data
  329. * out of our most recent hash output.
  330. */
  331. if (jpre == jstart || jpre % 128 == 0) {
  332. /*
  333. * Hash preimage is mostly zeroes, with a
  334. * collection of assorted integer values we had
  335. * anyway.
  336. */
  337. memset(in2i.data, 0, sizeof(in2i.data));
  338. PUT_64BIT_LSB_FIRST(in2i.data + 0, pass);
  339. PUT_64BIT_LSB_FIRST(in2i.data + 8, i);
  340. PUT_64BIT_LSB_FIRST(in2i.data + 16, slice);
  341. PUT_64BIT_LSB_FIRST(in2i.data + 24, mprime);
  342. PUT_64BIT_LSB_FIRST(in2i.data + 32, t);
  343. PUT_64BIT_LSB_FIRST(in2i.data + 40, y);
  344. PUT_64BIT_LSB_FIRST(in2i.data + 48, jpre / 128 + 1);
  345. /*
  346. * Now apply G twice to generate the hash output
  347. * in out2i.
  348. */
  349. memset(tmp2i.data, 0, sizeof(tmp2i.data));
  350. G_xor(tmp2i.data, tmp2i.data, in2i.data);
  351. memset(out2i.data, 0, sizeof(out2i.data));
  352. G_xor(out2i.data, out2i.data, tmp2i.data);
  353. }
  354. /*
  355. * Extract J1 and J2 from the most recent hash output
  356. * (whether we've just computed it or not).
  357. */
  358. J1 = GET_32BIT_LSB_FIRST(
  359. out2i.data + 8 * (jpre % 128));
  360. J2 = GET_32BIT_LSB_FIRST(
  361. out2i.data + 8 * (jpre % 128) + 4);
  362. }
  363. /*
  364. * Now convert J1 and J2 into the index of an existing
  365. * block of the array to use as input to this step. This
  366. * is fairly fiddly.
  367. *
  368. * The easy part: the y-coordinate of the input block is
  369. * obtained by reducing J2 mod p, except that at the very
  370. * start of the algorithm (processing the first slice on
  371. * the first pass) we simply use the same y-coordinate as
  372. * our output block.
  373. *
  374. * Note that it's safe to use the ordinary % operator
  375. * here, without any concern for timing side channels: in
  376. * data-independent mode J2 is not correlated to any
  377. * secrets, and in data-dependent mode we're going to be
  378. * giving away side-channel data _anyway_ when we use it
  379. * as an array index (and by assumption we don't care,
  380. * because it's already massively randomised from the real
  381. * inputs).
  382. */
  383. { // WINSCP
  384. uint32_t index_l = (pass == 0 && slice == 0) ? i : J2 % p;
  385. /*
  386. * The hard part: which block in this array row do we use?
  387. *
  388. * First, we decide what the possible candidates are. This
  389. * requires some case analysis, and depends on whether the
  390. * array row is the same one we're writing into or not.
  391. *
  392. * If it's not the same row: we can't use any block from
  393. * the current slice (because the segments within a slice
  394. * have to be processable in parallel, so in a concurrent
  395. * implementation those blocks are potentially in the
  396. * process of being overwritten by other threads). But the
  397. * other three slices are fair game, except that in the
  398. * first pass, slices to the right of us won't have had
  399. * any values written into them yet at all.
  400. *
  401. * If it is the same row, we _are_ allowed to use blocks
  402. * from the current slice, but only the ones before our
  403. * current position.
  404. *
  405. * In both cases, we also exclude the individual _column_
  406. * just to the left of the current one. (The block
  407. * immediately to our left is going to be the _other_
  408. * input to G, but the spec also says that we avoid that
  409. * column even in a different row.)
  410. *
  411. * All of this means that we end up choosing from a
  412. * cyclically contiguous interval of blocks within this
  413. * lane, but the start and end points require some thought
  414. * to get them right.
  415. */
  416. /* Start position is the beginning of the _next_ slice
  417. * (containing data from the previous pass), unless we're
  418. * on pass 0, where the start position has to be 0. */
  419. uint32_t Wstart = (pass == 0 ? 0 : (slice + 1) % 4 * SL);
  420. /* End position splits up by cases. */
  421. uint32_t Wend;
  422. if (index_l == i) {
  423. /* Same lane as output: we can use anything up to (but
  424. * not including) the block immediately left of us. */
  425. Wend = jm1;
  426. } else {
  427. /* Different lane from output: we can use anything up
  428. * to the previous slice boundary, or one less than
  429. * that if we're at the very left edge of our slice
  430. * right now. */
  431. Wend = SL * slice;
  432. if (jpre == 0)
  433. Wend = (Wend + q-1) % q;
  434. }
  435. /* Total number of blocks available to choose from */
  436. { // WINSCP
  437. uint32_t Wsize = (Wend + q - Wstart) % q;
  438. /* Fiddly computation from the spec that chooses from the
  439. * available blocks, in a deliberately non-uniform
  440. * fashion, using J1 as pseudorandom input data. Output is
  441. * zz which is the index within our contiguous interval. */
  442. uint32_t x = ((uint64_t)J1 * J1) >> 32;
  443. uint32_t y = ((uint64_t)Wsize * x) >> 32;
  444. uint32_t zz = Wsize - 1 - y;
  445. /* And index_z is the actual x coordinate of the block we
  446. * want. */
  447. uint32_t index_z = (Wstart + zz) % q;
  448. /* Phew! Combine that block with the one immediately to
  449. * our left, and XOR over the top of whatever is already
  450. * in our current output block. */
  451. G_xor(B[i + p * j].data, B[i + p * jm1].data,
  452. B[index_l + p * index_z].data);
  453. } // WINSCP
  454. } // WINSCP
  455. }
  456. #undef in2i
  457. #undef tmp2i
  458. #undef out2i
  459. }
  460. #endif
  461. #ifndef WINSCP_VS
  462. }
  463. /* We've finished processing a slice. Reset jstart to 0. It will
  464. * onily _not_ have been 0 if this was pass 0 slice 0, in which
  465. * case it still had its initial value of 2 to avoid the starting
  466. * data. */
  467. jstart = 0;
  468. } // WINSCP
  469. }
  470. }
  471. /*
  472. * The main output is all done. Final output works by taking the XOR of
  473. * all the blocks in the rightmost column of the array, and then using
  474. * that as input to our long hash H'. The output of _that_ is what we
  475. * deliver to the caller.
  476. */
  477. { // WINSCP
  478. struct blk C = B[p * (q-1)];
  479. size_t i; // WINSCP
  480. for (i = 1; i < p; i++)
  481. memxor(C.data, C.data, B[i + p * (q-1)].data, 1024);
  482. {
  483. ssh_hash *h = hprime_new(T);
  484. put_data(h, C.data, 1024);
  485. hprime_final(h, T, out);
  486. }
  487. /*
  488. * Clean up.
  489. */
  490. smemclr(out2i.data, sizeof(out2i.data));
  491. smemclr(tmp2i.data, sizeof(tmp2i.data));
  492. smemclr(in2i.data, sizeof(in2i.data));
  493. smemclr(C.data, sizeof(C.data));
  494. smemclr(B, mprime * sizeof(struct blk));
  495. sfree(B);
  496. } // WINSCP
  497. } // WINSCP
  498. } // WINSCP
  499. } // WINSCP
  500. }
  501. /*
  502. * Wrapper function that appends to a strbuf (which sshpubk.c will want).
  503. */
  504. void argon2(Argon2Flavour flavour, uint32_t mem, uint32_t passes,
  505. uint32_t parallel, uint32_t taglen,
  506. ptrlen P, ptrlen S, ptrlen K, ptrlen X, strbuf *out)
  507. {
  508. argon2_internal(parallel, taglen, mem, passes, flavour,
  509. P, S, K, X, strbuf_append(out, taglen));
  510. }
  511. /*
  512. * Wrapper function which dynamically chooses the number of passes to run in
  513. * order to hit an approximate total amount of CPU time. Writes the result
  514. * into 'passes'.
  515. */
  516. void argon2_choose_passes(
  517. Argon2Flavour flavour, uint32_t mem,
  518. uint32_t milliseconds, uint32_t *passes,
  519. uint32_t parallel, uint32_t taglen,
  520. ptrlen P, ptrlen S, ptrlen K, ptrlen X,
  521. strbuf *out)
  522. {
  523. unsigned long desired_time = (TICKSPERSEC * milliseconds) / 1000 /*WINSCP*/ * 3;
  524. /*
  525. * We only need the time taken to be approximately right, so we
  526. * scale up the number of passes geometrically, which avoids
  527. * taking O(t^2) time to find a pass count taking time t.
  528. *
  529. * Using the Fibonacci numbers is slightly nicer than the obvious
  530. * approach of powers of 2, because it's still very easy to
  531. * compute, and grows less fast (powers of 1.6 instead of 2), so
  532. * you get just a touch more precision.
  533. */
  534. uint32_t a = 1, b = 1;
  535. while (true) {
  536. unsigned long start_time = GETTICKCOUNT();
  537. argon2(flavour, mem, b, parallel, taglen, P, S, K, X, out);
  538. { // WINSCP
  539. unsigned long ticks = GETTICKCOUNT() - start_time;
  540. /* But just in case computers get _too_ fast, we have to cap
  541. * the growth before it gets past the uint32_t upper bound! So
  542. * if computing a+b would overflow, stop here. */
  543. if (ticks >= desired_time || a > (uint32_t)~b) {
  544. *passes = b;
  545. return;
  546. } else {
  547. strbuf_clear(out);
  548. /* Next Fibonacci number: replace (a, b) with (b, a+b) */
  549. b += a;
  550. a = b - a;
  551. }
  552. } // WINSCP
  553. }
  554. }
  555. #endif