From 407c937a1ce70bf12d53e4b3854eb0581610ab71 Mon Sep 17 00:00:00 2001
From: Mattias Andrée
Date: Wed, 16 Feb 2022 22:53:34 +0100
Subject: Strict parameter order in parameter string (this is what is done in the reference implementation and is the desirable behaviour)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Mattias Andrée
---
 libar2_decode_params.c | 61 +++++++++++++++++---------------------------------
 test.c | 19 +++++++++++-----
 2 files changed, 34 insertions(+), 46 deletions(-)

diff --git a/libar2_decode_params.c b/libar2_decode_params.c
index c42a937..1f7d270 100644
--- a/libar2_decode_params.c
+++ b/libar2_decode_params.c
@@ -31,8 +31,7 @@ size_t
 libar2_decode_params(const char *str, struct libar2_argon2_parameters *params, char **bufp, struct libar2_context *ctx)
 {
  const char *start = str;
- uint_least32_t u32, *u32p;
- int have_t = 0, have_m = 0, have_p = 0;
+ uint_least32_t u32;
  size_t n, q, r;
 
  *bufp = NULL;
@@ -68,47 +67,29 @@ libar2_decode_params(const char *str, struct libar2_argon2_parameters *params, c
  params->version = 0; /* implicit LIBAR2_ARGON2_VERSION_10 */
  }
 
- while (*str && *str != '$') {
- if (str[0] == 't' && str[1] == '=') {
- if (have_t)
- goto einval;
- have_t = 1;
- u32p = ¶ms->t_cost;
- str += 2;
-
- } else if (str[0] == 'm' && str[1] == '=') {
- if (have_m)
- goto einval;
- have_m = 1;
- u32p = ¶ms->m_cost;
- str += 2;
-
- } else if (str[0] == 'p' && str[1] == '=') {
- if (have_p)
- goto einval;
- have_p = 1;
- u32p = ¶ms->lanes;
- str += 2;
-
- } else {
- goto einval;
- }
+ if (str[0] != 'm' || str[1] != '=')
+ goto einval;
+ str += 2;
+ n = decode_u32(str, ¶ms->m_cost);
+ if (!n)
+ goto fail;
+ str += n;
 
- n = decode_u32(str, u32p);
- if (!n)
- goto fail;
- str += n;
- if (*str == '$')
- break;
- if (*str != ',')
- goto einval;
- str++;
- if (*str == '$')
- goto einval;
- }
+ if (str[0] != ',' || str[1] != 't' || str[2] != '=')
+ goto einval;
+ str += 3;
+ n = decode_u32(str, ¶ms->t_cost);
+ if (!n)
+ goto fail;
+ str += n;
 
- if (have_t + have_m + have_p != 3)
+ if (str[0] != ',' || str[1] != 'p' || str[2] != '=')
  goto einval;
+ str += 3;
+ n = decode_u32(str, ¶ms->lanes);
+ if (!n)
+ goto fail;
+ str += n;
 
  if (*str++ != '$')
  goto einval;
diff --git a/test.c b/test.c
index 4e9e8fb..24f8ba7 100644
--- a/test.c
+++ b/test.c
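Review bot: The fixed `m=`,`t=`,`p=` sequence silently turns orderings the old loop accepted, such as the `t=4,p=1,m=65536` vector dropped from test.c, into a failure at the `einval` label (presumably errno EINVAL), yet nothing in the hunk states that contract; a comment above the first `if (str[0] != 'm' ...)` such as `/* m=, t= and p= must each appear exactly once, in this order (reference-implementation behaviour); any other order or a repeated key is rejected */` would save the next reader from re-deriving it. Worth saying in that comment too is that a duplicated key is now rejected only indirectly, by the trailing `*str++ != '$'` check, whereas the removed `have_*` flags rejected it explicitly, and that the `str[1]`/`str[2]` reads are bounded because each `||` short-circuits on the NUL at the previous index. The three `decode_u32` call sites differ only in key and destination, so a small `static` helper taking the key and a `uint_least32_t *` would remove the repetition, though that is a style matter. libar2_decode_params begins in the previous hunk and continues past this one. The `¶ms` in this copy is evidently `&params` with an `&para` entity decoded by the renderer, not a defect in the code.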
@@ -914,7 +914,8 @@ check_libar2_hash(void) CHECK("test", "$argon2i$v=19$m=4096,t=3,p=1$fn5/f35+f38$9tqKA4WMEsSAOEUwatjxvJLSqL1j0GQkgbsfnpresDw"); CHECK("\x00", "$argon2id$v=16$m=8,t=1,p=1$ICAgICAgICA$fXq1aUbp9yhbn+EQc4AzUUE6AKnHAkvzIXsN6J4ukvE"); CHECK("", "$argon2d$v=16$m=8,t=1,p=1$ICAgICAgICA$X54KZYxUSfMUihzebb70sKbheabHilo8gsUldrVU4IU"); - CHECK("", "$argon2d$v=16$m=8,t=1,p=1$ICAgICAgICA$NjODMrWrS7zeivNNpHsuxD9c6uDmUQ6YqPRhb8H5DSNw9n683FUCJZ3tyxgfJpYYANI+01WT/S5zp1UVs+qNRwnkdEyLKZMg+DIOXVc9z1po9ZlZG8+Gp4g5brqfza3lvkR9vw"); + CHECK("", "$argon2d$v=16$m=8,t=1,p=1$ICAgICAgICA$NjODMrWrS7zeivNNpHsuxD9c6uDmUQ6YqPRhb8H5DSNw9" + "n683FUCJZ3tyxgfJpYYANI+01WT/S5zp1UVs+qNRwnkdEyLKZMg+DIOXVc9z1po9ZlZG8+Gp4g5brqfza3lvkR9vw"); CHECK("", "$argon2ds$v=16$m=8,t=1,p=1$ICAgICAgICA$zgdykk9ZjN5VyrW0LxGw8LmrJ1Z6fqSC+3jPQtn4n0s"); CHECK("password", "$argon2i$m=65536,t=2,p=1$c29tZXNhbHQ$9sTbSlTio3Biev89thdrlKKiCaYsjjYVJxGAL3swxpQ"); @@ -940,8 +941,8 @@ check_libar2_hash(void) CHECK("password", "$argon2id$v=19$m=262144,t=2,p=1$c29tZXNhbHQ$eP4eyR+zqlZX1y5xCFTkw9m5GYx0L5YWwvCFvtlbLow"); CHECK("password", "$argon2id$v=19$m=256,t=2,p=1$c29tZXNhbHQ$nf65EOgLrQMR/uIPnA4rEsF5h7TKyQwu9U1bMCHGi/4"); CHECK("password", "$argon2id$v=19$m=256,t=2,p=2$c29tZXNhbHQ$bQk8UB/VmZZF4Oo79iDXuL5/0ttZwg2f/5U52iv1cDc"); - CHECK("password", "$argon2id$v=19$m=65536,p=1,t=1$c29tZXNhbHQ$9qWtwbpyPd3vm1rB1GThgPzZ3/ydHL92zKL+15XZypg"); - CHECK("password", "$argon2id$v=19$t=4,p=1,m=65536$c29tZXNhbHQ$kCXUjmjvc5XMqQedpMTsOv+zyJEf5PhtGiUghW9jFyw"); + CHECK("password", "$argon2id$v=19$m=65536,t=1,p=1$c29tZXNhbHQ$9qWtwbpyPd3vm1rB1GThgPzZ3/ydHL92zKL+15XZypg"); + CHECK("password", "$argon2id$v=19$m=65536,t=4,p=1$c29tZXNhbHQ$kCXUjmjvc5XMqQedpMTsOv+zyJEf5PhtGiUghW9jFyw"); CHECK("differentpassword", "$argon2id$v=19$m=65536,t=2,p=1$c29tZXNhbHQ$C4TWUs9rDEvq7w3+J4umqA32aWKB1+DSiRuBfYxFj94"); CHECK("password", "$argon2id$v=19$m=65536,t=2,p=1$ZGlmZnNhbHQ$vfMrBczELrFdWP0ZsfhWsRPaHppYdP3MVEMIVlqoFBw"); 
@@ -955,7 +956,7 @@ check_libar2_hash(void) CHECK("password", "$argon2i$m=256,t=2,p=2$c29tZXNhbHQ$tsEVYKap1h6scGt5ovl9aLRGOqOth+AMB+KwHpDFZPs"); CHECK("", "$argon2ds$v=16$m=8,t=1,p=2$ICAgICAgICA$+6+yBnWbuV7mLs6rKMhvi+SLbkzb5CB6Jd2pSWuC/Kw"); /* verified above */ CHECK("", "$argon2d$v=16$m=8,t=1,p=1$ICAgICAgICA$X54KZYxUSfMUihzebb70sKbheabHilo8gsUldrVU4IU"); - CHECK("password", "$argon2id$v=19$t=4,p=1,m=65536$c29tZXNhbHQ$kCXUjmjvc5XMqQedpMTsOv+zyJEf5PhtGiUghW9jFyw"); + CHECK("password", "$argon2id$v=19$m=65536,t=4,p=1$c29tZXNhbHQ$kCXUjmjvc5XMqQedpMTsOv+zyJEf5PhtGiUghW9jFyw"); #undef CHECK
@@ -1112,8 +1113,8 @@ check_failures(void)
  CHECK("$argon2id$v=19$t=128$AAAABBBBCCCC$");
  CHECK("$argon2id$v=19$p=128$AAAABBBBCCCC$");
  CHECKE("$argon2id$v=19$m=999999999999999999999999999999999999999999999999999999999999,t=128,p=128$AAAABBBBCCCC$", ERANGE);
- CHECKE("$argon2id$v=19$t=999999999999999999999999999999999999999999999999999999999999,p=128,m=128$AAAABBBBCCCC$", ERANGE);
- CHECKE("$argon2id$v=19$p=999999999999999999999999999999999999999999999999999999999999,m=128,t=128$AAAABBBBCCCC$", ERANGE);
+ CHECKE("$argon2id$v=19$m=128,t=999999999999999999999999999999999999999999999999999999999999,p=128$AAAABBBBCCCC$", ERANGE);
+ CHECKE("$argon2id$v=19$m=128,t=128,p=999999999999999999999999999999999999999999999999999999999999$AAAABBBBCCCC$", ERANGE);
  CHECK("$argon2id$m=128;t=128;p=128$AAAABBBBCCCC$");
  CHECK("$argon2id$m=128t=128,p=128$AAAABBBBCCCC$");
  CHECK("$argon2id$v=19,m=128,t=128,p=128$AAAABBBBCCCC$");
@@ -1127,6 +1128,12 @@ check_failures(void)
  CHECK("$argon2id$m=128,t=128,p=128$AAAABBBBCCCC");
  CHECK("$argon2id$m=128,t=128,p=128$AAAAB-BBCCCC$");
  CHECK("$argon2id$m=128,t=128,p=128$AAAABBBBC$");
+ CHECK("$argon2id$,m=128,t=128,p=128$AAAABBBBCCCC$");
+ CHECK("$argon2id$m=128,p=128,t=128$AAAABBBBCCCC$");
+ CHECK("$argon2id$t=128,m=128,p=128$AAAABBBBCCCC$");
+ CHECK("$argon2id$t=128,p=128,m=128$AAAABBBBCCCC$");
+ CHECK("$argon2id$p=128,m=128,t=128$AAAABBBBCCCC$");
+ CHECK("$argon2id$p=128,t=128,m=128$AAAABBBBCCCC$");
  CHECK("$argon2id$m=0128,t=128,p=128$AAAABBBBCCCC$");
  CHECK("$argon2id$m=128,t=0128,p=128$AAAABBBBCCCC$");
  CHECK("$argon2id$m=128,t=128,p=0128$AAAABBBBCCCC$");
-- 
cgit v1.2.3-70-g09d2
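Review bot: The six new negative cases pin the wrong orderings and a leading comma, but none pins a repeated key or a trailing comma, which the removed `have_*` flags rejected explicitly and the rewritten parser rejects only because the final `$` check fails; unless such strings already exist above the hunk, add `CHECK("$argon2id$m=128,t=128,p=128,m=128$AAAABBBBCCCC$");` and `CHECK("$argon2id$m=128,t=128,p=128,$AAAABBBBCCCC$");` beside the new lines. A string that stops after two keys, `CHECK("$argon2id$m=128,t=128$AAAABBBBCCCC$");`, would complete the set next to the existing `t=128`-only and `p=128`-only cases in the earlier hunk. check_failures continues past this hunk on both sides.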