mirror of https://github.com/jedisct1/libsodium.git synced 2024-12-24 12:36:01 -07:00

pwhash: fill output buffer with junk prior to running the actual KDF

These functions are a little bit special, because unlike everything
else, they do dynamic memory allocations, and are more likely to fail.

Applications are expected to check the return code, and these functions
are tagged with ((warn_unused_result)), but applications may still
ignore it.

This is also an issue with JavaScript, when total memory hasn't been
properly configured.

To be safe, fill the buffer with non-deterministic bytes, that are
unlikely to ever verify later.
Frank Denis 2023-02-15 19:47:35 +01:00
parent b166dbfb2b
commit ebcc2a6636
2 changed files with 10 additions and 0 deletions


@ -17,6 +17,7 @@
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include "randombytes.h"
#include "utils.h" #include "utils.h"
#include "argon2-core.h" #include "argon2-core.h"
@ -93,6 +94,10 @@ argon2_hash(const uint32_t t_cost, const uint32_t m_cost,
int result; int result;
uint8_t *out; uint8_t *out;
if (hash != NULL) {
randombytes_buf(hash, hashlen);
}
if (pwdlen > ARGON2_MAX_PWD_LENGTH) { if (pwdlen > ARGON2_MAX_PWD_LENGTH) {
return ARGON2_PWD_TOO_LONG; return ARGON2_PWD_TOO_LONG;
} }
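Review bot: The new `randombytes_buf(hash, hashlen)` block at the top of argon2_hash has no comment, and its position ahead of the `pwdlen > ARGON2_MAX_PWD_LENGTH` early return is what makes it effective; a later cleanup could move it below the validation or drop it as a redundant write. I would add a comment above it such as `/* Fail-safe for callers that ignore the return code: overwrite the output before any early return so a failed call never leaves a stale or predictable hash. */`. The same comment is missing on the matching block in escrypt_r in the second file. argon2_hash's full signature and the rest of its body are outside the hunk, so I am assuming `hash`/`hashlen` describe the caller's output buffer.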


@ -24,6 +24,7 @@
#include "crypto_pwhash_scryptsalsa208sha256.h" #include "crypto_pwhash_scryptsalsa208sha256.h"
#include "crypto_scrypt.h" #include "crypto_scrypt.h"
#include "private/common.h" #include "private/common.h"
#include "randombytes.h"
#include "runtime.h" #include "runtime.h"
#include "utils.h" #include "utils.h"
@ -150,6 +151,10 @@ escrypt_r(escrypt_local_t *local, const uint8_t *passwd, size_t passwdlen,
uint32_t r; uint32_t r;
uint32_t p; uint32_t p;
if (buf != NULL) {
randombytes_buf(buf, buflen);
}
src = escrypt_parse_setting(setting, &N_log2, &r, &p); src = escrypt_parse_setting(setting, &N_log2, &r, &p);
if (!src) { if (!src) {
return NULL; return NULL;
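Review bot: Filling `buf` with random bytes in escrypt_r leaves it with no guaranteed NUL terminator on the `return NULL` paths, which matters if callers treat `buf` as a C string. The declaration of `buf` and the rest of the body are outside the hunk, so that use is inferred from the crypt-style `setting` parsing. A caller that ignores the NULL return, which is exactly the case this commit defends against, could then run `strlen` or a string copy past `buflen`. Consider terminating the junk: `if (buf != NULL && buflen > 0U) { randombytes_buf(buf, buflen); buf[buflen - 1U] = 0; }`.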