doc/man7/EVP_KDF-ARGON2.pod

   1 =pod
   2
   3 =head1 NAME
   4
   5 EVP_KDF-ARGON2 - The Argon2 EVP KDF implementation
   6
   7 =head1 DESCRIPTION
   8
   9 Support for computing the B<argon2> password-based KDF through the B<EVP_KDF>
  10 API.
  11
  12 The EVP_KDF-ARGON2 algorithm implements the Argon2 password-based key
  13 derivation function, as described in IETF RFC 9106.  It is memory-hard in
  14 the sense that it deliberately requires a significant amount of RAM for efficient
  15 computation. The intention of this is to render brute forcing of passwords on
  16 systems that lack large amounts of main memory (such as GPUs or ASICs)
  17 computationally infeasible.
  18
  19 Argon2d (Argon2i) uses data-dependent (data-independent) memory access and
  20 primary seek to address trade-off (side-channel) attacks.
  21
  22 Argon2id is a hybrid construction which, in the first two slices of the first
  23 pass, generates reference addresses data-independently as in Argon2i, whereas
  24 in later slices and next passess it generates them data-dependently as in
  25 Argon2d.
  26
  27 Sbox-hardened version Argon2ds is not supported.
  28
  29 For more information, please refer to RFC 9106.
  30
  31 =head2 Supported parameters
  32
  33 The supported parameters are:
  34
  35 =over 4
  36
  37 =item "pass" (B<OSSL_KDF_PARAM_PASSWORD>) <octet string>
  38
  39 =item "salt" (B<OSSL_KDF_PARAM_SALT>) <octet string>
  40
  41 =item "secret" (B<OSSL_KDF_PARAM_SECRET>) <octet string>
  42
  43 =item "iter" (B<OSSL_KDF_PARAM_ITER>) <unsigned integer>
  44
  45 =item "size" (B<OSSL_KDF_PARAM_SIZE>) <unsigned integer>
  46
  47 These parameters work as described in L<EVP_KDF(3)/PARAMETERS>.
  48
  49 Note that RFC 9106 recommends 128 bits salt for most applications, or 64 bits
  50 salt in the case of space constraints. At least 128 bits output length is
  51 recommended.
  52
  53 Note that secret (or pepper) is an optional secret data used along the
  54 password.
  55
  56 =item "threads" (B<OSSL_KDF_PARAM_THREADS>) <unsigned integer>
  57
  58 The number of threads, bounded above by the number of lanes.
  59
  60 This can only be used with built-in thread support. Threading must be
  61 explicitly enabled. See EXAMPLES section for more information.
  62
  63 =item "ad" (B<OSSL_KDF_PARAM_ARGON2_AD>) <octet string>
  64
  65 Optional associated data, may be used to "tag" a group of keys, or tie them
  66 to a particular public key, without having to modify salt.
  67
  68 =item "lanes" (B<OSSL_KDF_PARAM_ARGON2_LANES>) <unsigned integer>
  69
  70 Argon2 splits the requested memory size into lanes, each of which is designed
  71 to be processed in parallel. For example, on a system with p cores, it's
  72 recommended to use p lanes.
  73
  74 The number of lanes is used to derive the key. It is possible to specify
  75 more lanes than the number of available computational threads. This is
  76 especially encouraged if multi-threading is disabled.
  77
  78 =item "memcost" (B<OSSL_KDF_PARAM_ARGON2_MEMCOST>) <unsigned integer>
  79
  80 Memory cost parameter (the number of 1k memory blocks used).
  81
  82 =item "version" (B<OSSL_KDF_PARAM_ARGON2_VERSION>) <unsigned integer>
  83
  84 Argon2 version. Supported values: 0x10, 0x13 (default).
  85
  86 =item "early_clean" (B<OSSL_KDF_PARAM_EARLY_CLEAN>) <unsigned integer>
  87
  88 If set (nonzero), password and secret stored in Argon2 context are zeroed
  89 early during initial hash computation, as soon as they are not needed.
  90 Otherwise, they are zeroed along the rest of Argon2 context data on clear,
  91 free, reset.
  92
  93 This can be useful if, for example, multiple keys with different ad value
  94 are to be generated from a single password and secret.
  95
  96 =back
  97
  98 =head1 EXAMPLES
  99
 100 This example uses Argon2d with password "1234567890", salt "saltsalt",
 101 using 2 lanes, 2 threads, and memory cost of 65536:
 102
 103  #include <string.h>                 /* strlen               */
 104  #include <openssl/core_names.h>     /* OSSL_KDF_*           */
 105  #include <openssl/params.h>         /* OSSL_PARAM_*         */
 106  #include <openssl/thread.h>         /* OSSL_set_max_threads */
 107  #include <openssl/kdf.h>            /* EVP_KDF_*            */
 108
 109  int main(void)
 110  {
 111      int retval = 1;
 112
 113      EVP_KDF *kdf = NULL;
 114      EVP_KDF_CTX *kctx = NULL;
 115      OSSL_PARAM params[6], *p = params;
 116
 117      /* argon2 params, please refer to RFC9106 for recommended defaults */
 118      uint32_t lanes = 2, threads = 2, memcost = 65536;
 119      char pwd[] = "1234567890", salt[] = "saltsalt";
 120
 121      /* derive result */
 122      size_t outlen = 128;
 123      unsigned char result[outlen];
 124
 125      /* required if threads > 1 */
 126      if (OSSL_set_max_threads(NULL, threads) != 1)
 127          goto fail;
 128
 129      p = params;
 130      *p++ = OSSL_PARAM_construct_uint32(OSSL_KDF_PARAM_THREADS, &threads);
 131      *p++ = OSSL_PARAM_construct_uint32(OSSL_KDF_PARAM_ARGON2_LANES,
 132                                         &lanes);
 133      *p++ = OSSL_PARAM_construct_uint32(OSSL_KDF_PARAM_ARGON2_MEMCOST,
 134                                         &memcost);
 135      *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
 136                                               salt,
 137                                               strlen((const char *)salt));
 138      *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
 139                                               pwd,
 140                                               strlen((const char *)pwd));
 141      *p++ = OSSL_PARAM_construct_end();
 142
 143      if ((kdf = EVP_KDF_fetch(NULL, "ARGON2D", NULL)) == NULL)
 144          goto fail;
 145      if ((kctx = EVP_KDF_CTX_new(kdf)) == NULL)
 146          goto fail;
 147      if (EVP_KDF_derive(kctx, &result[0], outlen, params) != 1)
 148          goto fail;
 149
 150      printf("Output = %s\n", OPENSSL_buf2hexstr(result, outlen));
 151      retval = 0;
 152
 153  fail:
 154      EVP_KDF_free(kdf);
 155      EVP_KDF_CTX_free(kctx);
 156      OSSL_set_max_threads(NULL, 0);
 157
 158      return retval;
 159  }
 160
 161 =head1 NOTES
 162
 163 "ARGON2I", "ARGON2D", and "ARGON2ID" are the names for this implementation; it
 164 can be used with the EVP_KDF_fetch() function.
 165
 166 =head1 CONFORMING TO
 167
 168 RFC 9106 Argon2, see L<https://www.rfc-editor.org/rfc/rfc9106.txt>.
 169
 170 =head1 SEE ALSO
 171
 172 L<EVP_KDF(3)>,
 173 L<EVP_KDF_CTX_new(3)>,
 174 L<EVP_KDF_CTX_free(3)>,
 175 L<EVP_KDF_CTX_set_params(3)>,
 176 L<EVP_KDF_derive(3)>,
 177 L<EVP_KDF(3)/PARAMETERS>
 178
 179 =head1 HISTORY
 180
 181 This functionality was added to OpenSSL 3.2.
 182
 183 =head1 COPYRIGHT
 184
 185 Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
 186
 187 Licensed under the Apache License 2.0 (the "License").  You may not use
 188 this file except in compliance with the License.  You can obtain a copy
 189 in the file LICENSE in the source distribution or at
 190 L<https://www.openssl.org/source/license.html>.
 191
 192 =cut