From a894ec93f26db8f06a9414cd82d1070c5844a9ca Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Sat, 5 Aug 2017 20:56:59 +0200 Subject: [PATCH 1/7] Add crypto_pwhash_str_alg() --- src/libsodium/crypto_pwhash/crypto_pwhash.c | 18 ++++++++++++++++++ src/libsodium/include/sodium/crypto_pwhash.h | 6 ++++++ test/default/pwhash.c | 8 ++++++++ 3 files changed, 32 insertions(+) diff --git a/src/libsodium/crypto_pwhash/crypto_pwhash.c b/src/libsodium/crypto_pwhash/crypto_pwhash.c index 3bccfe2b..bd4b14bf 100644 --- a/src/libsodium/crypto_pwhash/crypto_pwhash.c +++ b/src/libsodium/crypto_pwhash/crypto_pwhash.c @@ -2,6 +2,7 @@ #include #include +#include "core.h" #include "crypto_pwhash.h" int @@ -150,6 +151,23 @@ crypto_pwhash_str(char out[crypto_pwhash_STRBYTES], opslimit, memlimit); } +int +crypto_pwhash_str_alg(char out[crypto_pwhash_STRBYTES], + const char * const passwd, unsigned long long passwdlen, + unsigned long long opslimit, size_t memlimit, int alg) +{ + switch (alg) { + case crypto_pwhash_ALG_ARGON2I13: + return crypto_pwhash_argon2i_str(out, passwd, passwdlen, + opslimit, memlimit); + case crypto_pwhash_ALG_ARGON2ID13: + return crypto_pwhash_argon2id_str(out, passwd, passwdlen, + opslimit, memlimit); + default: + sodium_misuse(); + } +} + int crypto_pwhash_str_verify(const char str[crypto_pwhash_STRBYTES], const char * const passwd, diff --git a/src/libsodium/include/sodium/crypto_pwhash.h b/src/libsodium/include/sodium/crypto_pwhash.h index 4a5309c4..da5f5461 100644 --- a/src/libsodium/include/sodium/crypto_pwhash.h +++ b/src/libsodium/include/sodium/crypto_pwhash.h 
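Review bot: In the new crypto_pwhash_str_alg(), the `default:` arm calls `sodium_misuse()` and then control runs off the end of a non-void function; that is only well-defined if core.h declares sodium_misuse() as noreturn (the include is added here but the declaration is not visible), and several compilers still warn about the missing return even then. I'd mark the arm `/* NOTREACHED */` and add `return -1; /* LCOV_EXCL_LINE */` after the switch so the function is well-formed regardless of the attribute. Aborting the process on an unrecognized caller-supplied `alg` is also a different failure mode from a -1/errno error; if crypto_pwhash() earlier in this file (not shown) reports an unknown alg via errno rather than aborting, the two entry points disagree and the header should say which one callers get. The accompanying test only exercises the two valid identifiers, so the default arm is untested.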
@@ -107,6 +107,12 @@ int crypto_pwhash_str(char out[crypto_pwhash_STRBYTES], unsigned long long opslimit, size_t memlimit) __attribute__ ((warn_unused_result)); +SODIUM_EXPORT +int crypto_pwhash_str_alg(char out[crypto_pwhash_STRBYTES], + const char * const passwd, unsigned long long passwdlen, + unsigned long long opslimit, size_t memlimit, int alg) + __attribute__ ((warn_unused_result)); + SODIUM_EXPORT int crypto_pwhash_str_verify(const char str[crypto_pwhash_STRBYTES], const char * const passwd, diff --git a/test/default/pwhash.c b/test/default/pwhash.c index 2a6fef79..dd4de052 100644 --- a/test/default/pwhash.c +++ b/test/default/pwhash.c @@ -349,6 +349,14 @@ main(void) "password", strlen("password")) != -1 || errno != EINVAL) { printf("pwhash_str_verify(invalid(11)) failure\n"); } + + assert(crypto_pwhash_str_alg(str_out, "test", 4, OPSLIMIT, MEMLIMIT, + crypto_pwhash_ALG_ARGON2I13) == 0); + assert(crypto_pwhash_argon2i_str_verify(str_out, "test", 4) == 0); + assert(crypto_pwhash_str_alg(str_out, "test", 4, OPSLIMIT, MEMLIMIT, + crypto_pwhash_ALG_ARGON2ID13) == 0); + assert(crypto_pwhash_argon2id_str_verify(str_out, "test", 4) == 0); + assert(crypto_pwhash_bytes_min() > 0U); assert(crypto_pwhash_bytes_max() > crypto_pwhash_bytes_min()); assert(crypto_pwhash_passwd_max() > crypto_pwhash_passwd_min()); From 9e0e77a3fd2f5b7cd99bf7989c462ab01670a9fb Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Sat, 5 Aug 2017 20:58:11 +0200 Subject: [PATCH 2/7] Update ChangeLog --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 2ccfc117..ce502497 100644 --- a/ChangeLog +++ b/ChangeLog 
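Review bot: The new crypto_pwhash_str_alg() prototype is added with no comment, so a caller cannot learn from the header that an unrecognized `alg` is treated as a misuse (process abort) rather than an error return, nor which identifiers are accepted. I'd put above the declaration: `/* Like crypto_pwhash_str(), but hashes with the given crypto_pwhash_ALG_* identifier instead of the default. The output string embeds the algorithm and its parameters. Passing any other alg value is a misuse and aborts. */`. If crypto_pwhash_str_verify() dispatches on the string prefix (not visible in this hunk), the comment should also point callers there for verification.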
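Review bot: The added assertions check each string only with the algorithm-specific verifier, which leaves the property that matters — the string being self-describing — unexercised; after each call also assert `crypto_pwhash_str_verify(str_out, "test", 4) == 0` so the generic verifier is shown to accept both outputs (assuming it dispatches on the prefix, which this hunk does not show). A negative case per output, e.g. `assert(crypto_pwhash_str_verify(str_out, "Test", 4) != 0);`, would pin the rejection path as well. The body of main() continues outside the hunk.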
@@ -28,6 +28,8 @@ AVX* when temperature/power consumption is a concern. - `crypto_kx_*()` now aborts if called with no non-NULL pointers to store keys to. - SSE2 implementations of `crypto_verify_*()` have been added. + - Passwords can be hashed using a specific algorithm with the new +`crypto_pwhash_str_alg()` function. * Version 1.0.13 - Javascript: the sumo builds now include all symbols. They were From 9b7db7c3f34e40d2278a82b5bbb57d3539a3eea6 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Sun, 6 Aug 2017 19:11:19 +0200 Subject: [PATCH 3/7] Document crypto_aead_aes256gcm_*() limitations --- .../include/sodium/crypto_aead_aes256gcm.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/src/libsodium/include/sodium/crypto_aead_aes256gcm.h b/src/libsodium/include/sodium/crypto_aead_aes256gcm.h index 30bb7315..c3a98abc 100644 --- a/src/libsodium/include/sodium/crypto_aead_aes256gcm.h +++ b/src/libsodium/include/sodium/crypto_aead_aes256gcm.h @@ -1,6 +1,24 @@ #ifndef crypto_aead_aes256gcm_H #define crypto_aead_aes256gcm_H +/* + * WARNING: Despite being the most popular AEAD construction due to its + * use in TLS, safely using AES-GCM in a different context is tricky. + * + * No more than ~ 350 GB of input data should be encrypted with a given key. + * This is for ~ 16 KB messages -- Actual figures vary according to the + * message sizes. + * + * In addition, repeated nonces would totally destroy the security of this + * scheme. Nonces should thus come from atomic counters, which can be + * difficult to set up in a distributed environment. + * + * Unless you absolutely need AES-GCM, use crypto_aead_xchacha20poly1305_ietf_*() + * instead. It doesn't have any of these limitations. + * Or, if you don't need to authenticate additional data, just stick to + * crypto_secretbox(). + */ + #include #include "export.h" From 7e91aa3f891f0b5ae4f5093b5a0f035d216b44a4 Mon Sep 17 00:00:00 2001 
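Review bot: The new warning block gives a single figure ("~ 350 GB" at ~ 16 KB messages) but does not say what it is a bound on, where it comes from, or what the caller should do when it is approached, so a reader with different message sizes cannot adapt it. I'd add after that sentence: `* This is a per-key budget: rotate the key well before reaching it, and recompute the figure for your own message sizes.`, and cite the usage-limit analysis the number was taken from so it can be re-derived. It would also help to say explicitly that exceeding the budget degrades confidentiality and authenticity bounds rather than merely being "not recommended".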
From: Frank Denis Date: Sun, 6 Aug 2017 19:15:26 +0200 Subject: [PATCH 4/7] s/the// --- src/libsodium/include/sodium/crypto_aead_aes256gcm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libsodium/include/sodium/crypto_aead_aes256gcm.h b/src/libsodium/include/sodium/crypto_aead_aes256gcm.h index c3a98abc..2089d1e3 100644 --- a/src/libsodium/include/sodium/crypto_aead_aes256gcm.h +++ b/src/libsodium/include/sodium/crypto_aead_aes256gcm.h @@ -6,7 +6,7 @@ * use in TLS, safely using AES-GCM in a different context is tricky. * * No more than ~ 350 GB of input data should be encrypted with a given key. - * This is for ~ 16 KB messages -- Actual figures vary according to the + * This is for ~ 16 KB messages -- Actual figures vary according to * message sizes. * * In addition, repeated nonces would totally destroy the security of this From 5b141eb9ec84ba45e331c3839902ea4519a65f1e Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Sun, 6 Aug 2017 19:17:25 +0200 Subject: [PATCH 5/7] Add some blank lines for readability --- src/libsodium/include/sodium/crypto_aead_aes256gcm.h | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/libsodium/include/sodium/crypto_aead_aes256gcm.h b/src/libsodium/include/sodium/crypto_aead_aes256gcm.h index 2089d1e3..46a3800f 100644 --- a/src/libsodium/include/sodium/crypto_aead_aes256gcm.h +++ b/src/libsodium/include/sodium/crypto_aead_aes256gcm.h 
@@ -9,9 +9,11 @@ * This is for ~ 16 KB messages -- Actual figures vary according to * message sizes. * - * In addition, repeated nonces would totally destroy the security of this - * scheme. Nonces should thus come from atomic counters, which can be - * difficult to set up in a distributed environment. + * In addition, nonces are short and repeated nonces would totally destroy + * the security of this scheme. + * + * Nonces should thus come from atomic counters, which can be difficult to + * set up in a distributed environment. * * Unless you absolutely need AES-GCM, use crypto_aead_xchacha20poly1305_ietf_*() * instead. It doesn't have any of these limitations. From 1c573d4cb43ab33173cec4022b517f30d06b45dd Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Sun, 6 Aug 2017 22:32:58 +0200 Subject: [PATCH 6/7] Update --- THANKS | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/THANKS b/THANKS index b8b69be3..26cf3709 100644 --- a/THANKS +++ b/THANKS @@ -1,3 +1,6 @@ +Special thanks to people, companies and organizations having written +libsodium bindings for their favorite programming languages: + @alethia7 @artemisc @carblue @@ -70,12 +73,17 @@ Tony Garnock-Jones (@tonyg) Y. T. Chung (@zonyitoo) Bytecurry Software -Cisco -Coverity, Inc. Cryptotronix +Facebook FSF France MaidSafe -OVH Paragonie Initiative Enterprises Python Cryptographic Authority +(this list may not be complete, if you don't see your name, please +submit a pull request!) + +Also thanks to: + +- Coverity, Inc. to provide static analysis. +- FSF France for providing access to their compilation servers. From dd9416fd59b0ec6c696f402a1d02f91c728eff4b Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Tue, 8 Aug 2017 14:28:12 +0200 Subject: [PATCH 7/7] Doc --- src/libsodium/include/sodium/crypto_pwhash.h | 9 +++++++++ 1 file changed, 9 insertions(+) 
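Review bot: The rewritten paragraph says nonces are "short" without giving the size, and the counter advice leaves the most common alternative — random nonces — unaddressed, which is where AES-GCM deployments usually go wrong. I'd replace the first added sentence with: `* Nonces are only 96 bits (crypto_aead_aes256gcm_NPUBBYTES), and a single repeated nonce under the same key destroys both confidentiality and authenticity; random nonces are therefore unsafe beyond roughly 2^32 messages per key (the NIST SP 800-38D limit for random IVs).`. The existing "atomic counters" sentence then reads as the remedy rather than as an unexplained constraint.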
diff --git a/src/libsodium/include/sodium/crypto_pwhash.h b/src/libsodium/include/sodium/crypto_pwhash.h index da5f5461..d0b8bba7 100644 --- a/src/libsodium/include/sodium/crypto_pwhash.h +++ b/src/libsodium/include/sodium/crypto_pwhash.h @@ -94,6 +94,10 @@ size_t crypto_pwhash_opslimit_sensitive(void); SODIUM_EXPORT size_t crypto_pwhash_memlimit_sensitive(void); +/* + * With this function, do not forget to store all parameters, including the + * algorithm identifier in order to produce deterministic output. + */ SODIUM_EXPORT int crypto_pwhash(unsigned char * const out, unsigned long long outlen, const char * const passwd, unsigned long long passwdlen, @@ -101,6 +105,11 @@ int crypto_pwhash(unsigned char * const out, unsigned long long outlen, unsigned long long opslimit, size_t memlimit, int alg) __attribute__ ((warn_unused_result)); +/* + * The output string already includes all the required parameters, including + * the algorithm identifier. The string is all that has to be stored in + * order to verify a password. + */ SODIUM_EXPORT int crypto_pwhash_str(char out[crypto_pwhash_STRBYTES], const char * const passwd, unsigned long long passwdlen,
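Review bot: The new comment above crypto_pwhash() tells callers to store "all parameters, including the algorithm identifier" but never names the salt, which is the input most likely to be dropped, and "in order to produce deterministic output" misstates the reason — the function is deterministic regardless; the parameters are needed to recompute the same hash later. I'd reword it to: `/* The salt, opslimit, memlimit and alg used here must all be stored alongside the output: they are required to recompute the same hash when verifying a password later. */`. The declaration it documents continues outside the hunk.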