From 9a964795757bf0da4dd7fcab15ad304f4ea3fdf1 Mon Sep 17 00:00:00 2001 From: vnugent Date: Wed, 15 May 2024 21:57:39 -0400 Subject: refactor: Harden some argon2 password hashing --- .../src/Argon2/Argon2PasswordEntry.cs | 45 ++-- lib/Hashing.Portable/src/Argon2/VnArgon2.cs | 250 ++++++++++++--------- 2 files changed, 162 insertions(+), 133 deletions(-) (limited to 'lib/Hashing.Portable/src') diff --git a/lib/Hashing.Portable/src/Argon2/Argon2PasswordEntry.cs b/lib/Hashing.Portable/src/Argon2/Argon2PasswordEntry.cs index f99d0dc..e195526 100644 --- a/lib/Hashing.Portable/src/Argon2/Argon2PasswordEntry.cs +++ b/lib/Hashing.Portable/src/Argon2/Argon2PasswordEntry.cs @@ -30,57 +30,64 @@ using VNLib.Utils.Extensions; namespace VNLib.Hashing { - internal readonly ref struct Argon2PasswordEntry + internal readonly ref struct Argon2PasswordEntry(ReadOnlySpan str) { - private readonly ReadOnlySpan _window; + private readonly ReadOnlySpan _window = str; - public readonly Argon2Version Version; - public readonly ReadOnlySpan Salt; - public readonly ReadOnlySpan Hash; + public readonly Argon2Version Version = ParseVersion(str); + public readonly ReadOnlySpan Salt = ParseSalt(str); + public readonly ReadOnlySpan Hash = ParseHash(str); private static Argon2Version ParseVersion(ReadOnlySpan window) { //Version comes after the v= prefix ReadOnlySpan v = window.SliceAfterParam("v="); - v = v.SliceBeforeParam(','); //Parse the version as an enum value - return Enum.Parse(v); + return Enum.Parse(v.SliceBeforeParam(',')); } private static uint ParseTimeCost(ReadOnlySpan window) { //TimeCost comes after the t= prefix ReadOnlySpan t = window.SliceAfterParam("t="); - t = t.SliceBeforeParam(','); //Parse the time cost as an unsigned integer - return uint.Parse(t, NumberStyles.Integer, CultureInfo.InvariantCulture); + return uint.Parse( + t.SliceBeforeParam(','), + NumberStyles.Integer, + CultureInfo.InvariantCulture + ); } private static uint ParseMemoryCost(ReadOnlySpan window) { //MemoryCost comes after the m= prefix ReadOnlySpan m = window.SliceAfterParam("m="); - m = m.SliceBeforeParam(','); //Parse the memory cost as an unsigned integer - return uint.Parse(m, NumberStyles.Integer, CultureInfo.InvariantCulture); + return uint.Parse( + m.SliceBeforeParam(','), + NumberStyles.Integer, + CultureInfo.InvariantCulture + ); } private static uint ParseParallelism(ReadOnlySpan window) { //Parallelism comes after the p= prefix ReadOnlySpan p = window.SliceAfterParam("p="); - p = p.SliceBeforeParam(','); //Parse the parallelism as an unsigned integer - return uint.Parse(p, NumberStyles.Integer, CultureInfo.InvariantCulture); + return uint.Parse( + p.SliceBeforeParam(','), + NumberStyles.Integer, + CultureInfo.InvariantCulture + ); } private static ReadOnlySpan ParseSalt(ReadOnlySpan window) { //Salt comes after the s= prefix ReadOnlySpan s = window.SliceAfterParam("s="); - s = s.SliceBeforeParam('$'); //Parse the salt as a string - return s; + return s.SliceBeforeParam('$'); } private static ReadOnlySpan ParseHash(ReadOnlySpan window) @@ -90,14 +97,6 @@ namespace VNLib.Hashing return window[(start + 1)..]; } - public Argon2PasswordEntry(ReadOnlySpan str) - { - _window = str; - Version = ParseVersion(str); - Salt = ParseSalt(str); - Hash = ParseHash(str); - } - public readonly Argon2CostParams GetCostParams() { return new() diff --git a/lib/Hashing.Portable/src/Argon2/VnArgon2.cs b/lib/Hashing.Portable/src/Argon2/VnArgon2.cs index b88c232..d557822 100644 --- a/lib/Hashing.Portable/src/Argon2/VnArgon2.cs +++ b/lib/Hashing.Portable/src/Argon2/VnArgon2.cs @@ -35,6 +35,14 @@ using VNLib.Utils.Extensions; using VNLib.Utils.Resources; using VNLib.Hashing.Native.MonoCypher; +/* + * Some stuff to note + * + * Functions have explicit parameters to avoid accidental buffer mixup + * when calling nested/overload functions. Please keep it that way for now + * I really want to avoid a whoopsie in password hasing. + */ + namespace VNLib.Hashing { @@ -78,9 +86,8 @@ namespace VNLib.Hashing argon2EnvPath ??= ARGON2_DEFUALT_LIB_NAME; Trace.WriteLine("Attempting to load global native Argon2 library from: " + argon2EnvPath, "VnArgon2"); - - SafeLibraryHandle lib = SafeLibraryHandle.LoadLibrary(argon2EnvPath, DllImportSearchPath.SafeDirectories); - return new SafeArgon2Library(lib); + + return LoadCustomLibrary(argon2EnvPath, DllImportSearchPath.SafeDirectories); } } @@ -131,27 +138,31 @@ namespace VNLib.Hashing { //Get bytes count int saltbytes = LocEncoding.GetByteCount(salt); - - //Get bytes count for password int passBytes = LocEncoding.GetByteCount(password); //Alloc memory for salt - using MemoryHandle buffer = PwHeap.Alloc(saltbytes + passBytes); + using MemoryHandle buffer = PwHeap.Alloc(MemoryUtil.NearestPage(saltbytes + passBytes)); Span saltBuffer = buffer.AsSpan(0, saltbytes); Span passBuffer = buffer.AsSpan(saltbytes, passBytes); - //Encode salt with span the same size of the salt + //Decode from character buffers to binary buffers using default string encoding _ = LocEncoding.GetBytes(salt, saltBuffer); - - //Encode password, create a new span to make sure its proper size _ = LocEncoding.GetBytes(password, passBuffer); - - //Hash - string result = Hash2id(lib, passBuffer, saltBuffer, secret, in costParams, hashLen); - - //Zero buffer - MemoryUtil.InitializeBlock(ref buffer.GetReference(), buffer.GetIntLength()); + + string result = Hash2id( + lib: lib, + password: passBuffer, + salt: saltBuffer, + secret: secret, + costParams: in costParams, + hashLen: hashLen + ); + + MemoryUtil.InitializeBlock( + ref buffer.GetReference(), + buffer.GetIntLength() + ); return result; } @@ -180,17 +191,26 @@ namespace VNLib.Hashing //Get bytes count int passBytes = LocEncoding.GetByteCount(password); - //Alloc memory for password - using MemoryHandle pwdHandle = PwHeap.Alloc(passBytes); + //Alloc memory for password, round to page size again + using MemoryHandle pwdHandle = PwHeap.Alloc(MemoryUtil.NearestPage(passBytes)); //Encode password, create a new span to make sure its proper size _ = LocEncoding.GetBytes(password, pwdHandle.Span); - - //Hash - string result = Hash2id(lib, pwdHandle.Span, salt, secret, in costParams, hashLen); + + string result = Hash2id( + lib: lib, + password: pwdHandle.AsSpan(0, passBytes), //Only actuall size for decoding + salt: salt, + secret: secret, + costParams: in costParams, + hashLen: hashLen + ); //Zero buffer - MemoryUtil.InitializeBlock(ref pwdHandle.GetReference(), pwdHandle.GetIntLength()); + MemoryUtil.InitializeBlock( + ref pwdHandle.GetReference(), + pwdHandle.GetIntLength() + ); return result; } @@ -217,16 +237,26 @@ namespace VNLib.Hashing ) { string hash, salts; - //Alloc data for hash output - using IMemoryHandle hashHandle = PwHeap.Alloc(hashLen, true); - - //hash the password - Hash2id(lib, password, salt, secret, hashHandle.Span, in costParams); - //Encode hash - hash = Convert.ToBase64String(hashHandle.Span); - - //encode salt + /* + * Alloc a buffer of the nearest page to help disguise password related + * allocations. Global zero is always set on PwHeap. + */ + using MemoryHandle outputHandle = PwHeap.Alloc(MemoryUtil.NearestPage(hashLen)); + + //Trim buffer to exact hash size as it will likely be larger due to page alignment + Span outBuffer = outputHandle.AsSpan(0, checked((int)hashLen)); + + Hash2id( + lib: lib, + password: password, + salt: salt, + secret: secret, + rawHashOutput: outBuffer, + costParams: in costParams + ); + + hash = Convert.ToBase64String(outBuffer); salts = Convert.ToBase64String(salt); //Encode salt in base64 @@ -253,37 +283,36 @@ namespace VNLib.Hashing in Argon2CostParams costParams ) { - fixed (byte* pwd = password, slptr = salt, secretptr = secret, outPtr = rawHashOutput) + //Setup context + Argon2Context ctx = new() { - //Setup context - Argon2Context ctx; - //Pointer - Argon2Context* context = &ctx; - context->version = Argon2Version.Argon2DefaultVersion; - context->t_cost = costParams.TimeCost; - context->m_cost = costParams.MemoryCost; - context->threads = costParams.Parallelism; - context->lanes = costParams.Parallelism; - //Default flags - context->flags = ARGON2_DEFAULT_FLAGS; - context->allocate_cbk = null; - context->free_cbk = null; - //Password - context->pwd = pwd; - context->pwdlen = (uint)password.Length; - //Salt - context->salt = slptr; - context->saltlen = (uint)salt.Length; - //Secret - context->secret = secretptr; - context->secretlen = (uint)secret.Length; - //Output - context->outptr = outPtr; - context->outlen = (uint)rawHashOutput.Length; - //Hash - Argon2_ErrorCodes result = (Argon2_ErrorCodes)lib.Argon2Hash((IntPtr)context); - //Throw exceptions if error - ThrowOnArgonErr(result); + version = Argon2Version.Argon2DefaultVersion, + t_cost = costParams.TimeCost, + m_cost = costParams.MemoryCost, + threads = costParams.Parallelism, + lanes = costParams.Parallelism, + flags = ARGON2_DEFAULT_FLAGS, + allocate_cbk = null, + free_cbk = null, + }; + + fixed (byte* pSecret = secret, pPass = password, pSalt = salt, pRawHash = rawHashOutput) + { + ctx.pwd = pPass; + ctx.pwdlen = (uint)password.Length; + + ctx.salt = pSalt; + ctx.saltlen = (uint)salt.Length; + + ctx.secret = pSecret; + ctx.secretlen = (uint)secret.Length; + + ctx.outptr = pRawHash; + ctx.outlen = (uint)rawHashOutput.Length; //Clamp to actual desired hash size + + Argon2_ErrorCodes argResult = (Argon2_ErrorCodes)lib.Argon2Hash(new IntPtr(&ctx)); + //Throw an excpetion if an error ocurred + ThrowOnArgonErr(argResult); } } @@ -332,16 +361,20 @@ namespace VNLib.Hashing int saltBase64BufSize = Base64.GetMaxDecodedFromUtf8Length(entry.Salt.Length); int rawPassLen = LocEncoding.GetByteCount(rawPass); - //Alloc buffer for decoded data - using MemoryHandle rawBufferHandle = PwHeap.Alloc(passBase64BufSize + saltBase64BufSize + rawPassLen); + /* + * Alloc binary buffer for decoding. Align it to the nearest page again + * to help disguise the allocation purpose. + */ + nint nearestPage = MemoryUtil.NearestPage(passBase64BufSize + saltBase64BufSize + rawPassLen); + using MemoryHandle rawBufferHandle = PwHeap.Alloc(nearestPage); //Split buffers - Span saltBuf = rawBufferHandle.Span[..saltBase64BufSize]; + Span saltBuf = rawBufferHandle.AsSpan(0, saltBase64BufSize); Span passBuf = rawBufferHandle.AsSpan(saltBase64BufSize, passBase64BufSize); Span rawPassBuf = rawBufferHandle.AsSpan(saltBase64BufSize + passBase64BufSize, rawPassLen); + //Decode hash { - //Decode salt if (!Convert.TryFromBase64Chars(entry.Hash, passBuf, out int actualHashLen)) { throw new VnArgon2PasswordFormatException("Failed to recover hash bytes"); @@ -362,11 +395,21 @@ namespace VNLib.Hashing //encode password bytes rawPassLen = LocEncoding.GetBytes(rawPass, rawPassBuf); - //Verify password - bool result = Verify2id(lib, rawPassBuf[..rawPassLen], saltBuf, secret, passBuf, in costParams); - //Zero buffer - MemoryUtil.InitializeBlock(ref rawBufferHandle.GetReference(), rawBufferHandle.GetIntLength()); + bool result = Verify2id( + lib: lib, + rawPass: rawPassBuf[..rawPassLen], + salt: saltBuf, + secret: secret, + hashBytes: passBuf, + costParams: in costParams + ); + + //Zero entire buffer + MemoryUtil.InitializeBlock( + ref rawBufferHandle.GetReference(), + rawBufferHandle.GetIntLength() + ); return result; } @@ -395,48 +438,35 @@ namespace VNLib.Hashing in Argon2CostParams costParams ) { - //Alloc data for hash output - using MemoryHandle outputHandle = PwHeap.Alloc(hashBytes.Length); - - //Get pointers - fixed (byte* secretptr = secret, pwd = rawPass, slptr = salt) - { - //Setup context - Argon2Context ctx; - //Pointer - Argon2Context* context = &ctx; - context->version = Argon2Version.Argon2DefaultVersion; - context->t_cost = costParams.TimeCost; - context->m_cost = costParams.MemoryCost; - context->threads = costParams.Parallelism; - context->lanes = costParams.Parallelism; - //Default flags - context->flags = ARGON2_DEFAULT_FLAGS; - //Use default memory allocator - context->allocate_cbk = null; - context->free_cbk = null; - //Password - context->pwd = pwd; - context->pwdlen = (uint)rawPass.Length; - //Salt - context->salt = slptr; - context->saltlen = (uint)salt.Length; - //Secret - context->secret = secretptr; - context->secretlen = (uint)secret.Length; - //Output - context->outptr = outputHandle.Base; - context->outlen = (uint)outputHandle.Length; - //Hash - Argon2_ErrorCodes argResult = (Argon2_ErrorCodes)lib.Argon2Hash((IntPtr)context); - //Throw an excpetion if an error ocurred - ThrowOnArgonErr(argResult); - } - //Return the comparison - bool result = CryptographicOperations.FixedTimeEquals(outputHandle.Span, hashBytes); - - //Zero buffer - MemoryUtil.InitializeBlock(ref outputHandle.GetReference(), outputHandle.GetIntLength()); + /* + * Alloc a buffer of the nearest page to help disguise password related + * allocations. Global zero is always set on PwHeap. + */ + using MemoryHandle outputHandle = PwHeap.Alloc(MemoryUtil.NearestPage(hashBytes.Length)); + + //Trim buffer to exact hash size as it will likely be larger due to page alignment + Span outBuffer = outputHandle.AsSpan(0, hashBytes.Length); + + /* + * Verification works by computing the hash of the input and comparing it + * to the existing one. Hash functions are one-way by design, so now you know :) + */ + + Hash2id( + lib: lib, + password: rawPass, + salt: salt, + secret: secret, + rawHashOutput: outBuffer, + costParams: in costParams + ); + + bool result = CryptographicOperations.FixedTimeEquals(outBuffer, hashBytes); + + MemoryUtil.InitializeBlock( + ref outputHandle.GetReference(), + outputHandle.GetIntLength() + ); return result; } -- cgit