authorNIIBE Yutaka <gniibe@fsij.org>2022-01-28 14:33:08 +0900
committerNIIBE Yutaka <gniibe@fsij.org>2022-01-28 14:33:08 +0900
commitbd7ac530cf835d3f78cbc6ba1ff6c034cc526e02 (patch)
treef2661c661d2925ca661d779f8c9e71972da9f64c
parentb5a049b0edd34d92d9b8a1bc1078bfed9a2d0815 (diff)
downloadlibgcrypt-gniibe/t5797.tar.gz
kdf: Support ARGON2I and ARGON2ID.gniibe/t5797
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
-rw-r--r--cipher/kdf.c63
-rw-r--r--tests/t-kdf.c6
2 files changed, 42 insertions, 27 deletions
diff --git a/cipher/kdf.c b/cipher/kdf.c
index 9463d2ff..521bff0a 100644
--- a/cipher/kdf.c
+++ b/cipher/kdf.c
@@ -602,15 +602,6 @@ argon2_iterator (argon2_ctx_t a, int *action_p,
return 0;
}
-static void
-argon2_pseudo_rand_gen (argon2_ctx_t a, const struct argon2_thread_data *t,
- u32 *random_index)
-{
- (void)a;
- (void)t;
- (void)random_index;
-}
-
static u64 fBlaMka (u64 x, u64 y)
{
const u64 m = U64_C(0xFFFFFFFF);
@@ -656,7 +647,8 @@ fill_block (const u64 *prev_block, const u64 *ref_block, u64 *curr_block,
int i;
memcpy (block_r, ref_block, 1024);
- xor_block (block_r, prev_block);
+ if (prev_block)
+ xor_block (block_r, prev_block);
memcpy (block_tmp, block_r, 1024);
if (with_xor)
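Review bot: The new `if (prev_block)` guard introduces a "NULL means the all-zero block" convention for fill_block without saying so, and the only caller that relies on it (pseudo_random_generate, later in this diff) does not explain it either. A one-line comment above the guard, e.g. `/* A NULL prev_block stands for the all-zero block, so the XOR is skipped.  */`, plus a mention of the NULL case in fill_block's header comment, would make the contract visible where it is checked. fill_block's signature and the rest of its body are outside this hunk.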
@@ -684,6 +676,18 @@ fill_block (const u64 *prev_block, const u64 *ref_block, u64 *curr_block,
xor_block (curr_block, block_r);
}
+static void
+pseudo_random_generate (u64 *random_block, u64 *input_block)
+{
+ u64 v;
+
+ v = buf_get_le64 (&input_block[6]);
+ buf_put_le64 (&input_block[6], ++v);
+
+ fill_block (NULL, input_block, random_block, 0);
+ fill_block (NULL, random_block, random_block, 0);
+}
+
static u32
index_alpha (argon2_ctx_t a, const struct argon2_thread_data *t,
int segment_index, u32 random, int same_lane)
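Review bot: pseudo_random_generate documents neither its purpose nor the fact that it mutates input_block: the 64-bit counter in word 6 is incremented on every call, so the parameter is in/out although nothing in the signature says so. A header comment along the lines of `/* Argon2 data-independent addressing: bump the counter in input_block[6], then compute G(0, G(0, input_block)) into random_block.  */` would cover both. The second fill_block call passes random_block as both ref_block and curr_block; the memcpy of ref_block into block_r at the top of fill_block happens before curr_block is written, but the final stores to curr_block are outside the visible hunks, so the aliasing should be confirmed and stated as permitted in fill_block's contract. Also, the counter is read as `buf_get_le64 (&input_block[6])` while argon2_compute_segment fills the same block with the `(unsigned char *)input_block+N*8` form; one spelling for both would be easier to audit.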
@@ -734,22 +738,32 @@ static gpg_err_code_t
argon2_compute_segment (argon2_ctx_t a, const struct argon2_thread_data *t)
{
gpg_err_code_t ec = 0;
- u32 *random_index = NULL;
int i;
int prev_offset, curr_offset;
u32 ref_index, ref_lane;
+ u64 input_block[1024/sizeof (u64)];
+ u64 address_block[1024/sizeof (u64)];
+ u64 *random_block = NULL;
if (a->hash_type == GCRY_KDF_ARGON2I
|| (a->hash_type == GCRY_KDF_ARGON2ID && t->pass == 0 && t->slice < 2))
{
- random_index = xtrymalloc (2*sizeof (u32)*a->segment_length);
- if (!random_index)
- return gpg_err_code_from_errno (errno);
- argon2_pseudo_rand_gen (a, t, random_index);
+ memset (input_block, 0, 1024);
+ buf_put_le64 ((unsigned char *)input_block+0*8, t->pass);
+ buf_put_le64 ((unsigned char *)input_block+1*8, t->lane);
+ buf_put_le64 ((unsigned char *)input_block+2*8, t->slice);
+ buf_put_le64 ((unsigned char *)input_block+3*8, a->memory_blocks);
+ buf_put_le64 ((unsigned char *)input_block+4*8, a->passes);
+ buf_put_le64 ((unsigned char *)input_block+5*8, a->hash_type);
+ random_block = address_block;
}
if (t->pass == 0 && t->slice == 0)
- i = 2;
+ {
+ if (random_block)
+ pseudo_random_generate (random_block, input_block);
+ i = 2;
+ }
else
i = 0;
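Review bot: The block word count is written as `1024/sizeof (u64)` in the two array declarations and as a bare `1024` in the memset, although the file already has ARGON2_WORDS_IN_BLOCK for that value (this same function uses it in `&a->block[prev_offset*ARGON2_WORDS_IN_BLOCK]`), and the next hunk repeats the expression twice more in the index arithmetic. Using `u64 input_block[ARGON2_WORDS_IN_BLOCK];`, `u64 address_block[ARGON2_WORDS_IN_BLOCK];` and `memset (input_block, 0, sizeof input_block);` keeps the array size and the regeneration modulus from drifting apart. A short comment naming the six words written (pass, lane, slice, memory blocks, passes, hash type; word 6 is the counter and the remainder stays zero) would also help, since the layout is only implied by the byte offsets. argon2_compute_segment continues outside this hunk.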
@@ -761,26 +775,28 @@ argon2_compute_segment (argon2_ctx_t a, const struct argon2_thread_data *t)
for (; i < a->segment_length; i++, curr_offset++, prev_offset++)
{
- void *pseudo_rand;
+ void *rand64_p;
u64 *ref_block, *curr_block;
if ((curr_offset % a->lane_length) == 1)
prev_offset = curr_offset - 1;
- if (random_index)
+ if (random_block)
{
- /* not yet implemented */
- pseudo_rand = &a->block[prev_offset*ARGON2_WORDS_IN_BLOCK];
+ if ((i % (1024/sizeof (u64))) == 0)
+ pseudo_random_generate (random_block, input_block);
+
+ rand64_p = &random_block[(i% (1024/sizeof (u64)))];
}
else
- pseudo_rand = &a->block[prev_offset*ARGON2_WORDS_IN_BLOCK];
+ rand64_p = &a->block[prev_offset*ARGON2_WORDS_IN_BLOCK];
if (t->pass == 0 && t->slice == 0)
ref_lane = t->lane;
else
- ref_lane = buf_get_le32 ((unsigned char *)pseudo_rand+4) % a->lanes;
+ ref_lane = buf_get_le32 ((unsigned char *)rand64_p+4) % a->lanes;
- ref_index = index_alpha (a, t, i, buf_get_le32 (pseudo_rand),
+ ref_index = index_alpha (a, t, i, buf_get_le32 (rand64_p),
ref_lane == t->lane);
ref_block =
&a->block[(a->lane_length * ref_lane + ref_index)* ARGON2_WORDS_IN_BLOCK];
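Review bot: The split of each 64-bit pseudo-random word is uncommented: `buf_get_le32 (rand64_p)` feeds index_alpha while `buf_get_le32 ((unsigned char *)rand64_p+4) % a->lanes` selects the lane, i.e. the low 32 bits are J1 and the high 32 bits J2 in Argon2 terms. A comment such as `/* Low 32 bits: J1 (reference index); high 32 bits: J2 (reference lane).  */` at the `rand64_p` assignments would make the data-independent and data-dependent branches read alike. The index `(i% (1024/sizeof (u64)))` could use ARGON2_WORDS_IN_BLOCK, which the else branch two lines below already uses, so the modulus provably matches the size of random_block. The loop body continues outside this hunk.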
@@ -790,7 +806,6 @@ argon2_compute_segment (argon2_ctx_t a, const struct argon2_thread_data *t)
curr_block, t->pass != 0);
}
- xfree (random_index);
return ec;
}
diff --git a/tests/t-kdf.c b/tests/t-kdf.c
index 7963b36d..2aa3b5fb 100644
--- a/tests/t-kdf.c
+++ b/tests/t-kdf.c
@@ -1376,7 +1376,7 @@ check_argon2 (void)
const unsigned char ad[12] = { 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4 };
unsigned char out[32];
unsigned char expected[32] = {
-#if 1
+#if 0
0x51, 0x2b, 0x39, 0x1b, 0x6f, 0x11, 0x62, 0x97,
0x53, 0x71, 0xd3, 0x09, 0x19, 0x73, 0x42, 0x94,
0xf8, 0x68, 0xe3, 0xbe, 0x39, 0x84, 0xf3, 0xc1,
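Review bot: Only one Argon2 variant is checked after this change: the `#if 1` to `#if 0` toggle on expected[] here and the GCRY_KDF_ARGON2D to GCRY_KDF_ARGON2ID edits at the two my_kdf_derive calls in the next two hunks swap the ARGON2D vector out for ARGON2ID rather than adding a second case, and ARGON2I, which the commit also enables, gets no vector at all. Keeping both expected arrays and calling my_kdf_derive once per variant (and adding an ARGON2I vector) would keep the ARGON2D path under test and cover what the commit claims to support. The enclosing check_argon2 starts before this hunk.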
@@ -1396,7 +1396,7 @@ check_argon2 (void)
int i;
err = my_kdf_derive (0,
- GCRY_KDF_ARGON2, GCRY_KDF_ARGON2D, param, 4,
+ GCRY_KDF_ARGON2, GCRY_KDF_ARGON2ID, param, 4,
pass, 32, salt, 16, key, 8, ad, 12,
32, out);
if (err)
@@ -1412,7 +1412,7 @@ check_argon2 (void)
#ifdef HAVE_PTHREAD
err = my_kdf_derive (1,
- GCRY_KDF_ARGON2, GCRY_KDF_ARGON2D, param, 5,
+ GCRY_KDF_ARGON2, GCRY_KDF_ARGON2ID, param, 5,
pass, 32, salt, 16, key, 8, ad, 12,
32, out);
if (err)