added property for limiting Argon2 memory usage - relates to github #2283

Author: dghgit

core/src/main/java/org/bouncycastle/crypto/params/Argon2Parameters.java

@@ -3,9 +3,12 @@
 import org.bouncycastle.crypto.CharToByteConverter;
 import org.bouncycastle.crypto.PasswordConverter;
 import org.bouncycastle.util.Arrays;
+import org.bouncycastle.util.Properties;
 
 public class Argon2Parameters
 {
+    public static final String MAX_MEMORY_EXP = "org.bouncycastle.argon2.max_memory_exp";
+
     public static final int ARGON2_d = 0x00;
     public static final int ARGON2_i = 0x01;
     public static final int ARGON2_id = 0x02;
@@ -31,6 +34,7 @@ public static class Builder
 
         private int version;
         private final int type;
+        private final int maxMemory;
 
         private CharToByteConverter converter = PasswordConverter.UTF8;
 
@@ -46,10 +50,19 @@ public Builder(int type)
             this.memory = 1 << DEFAULT_MEMORY_COST;
             this.iterations = DEFAULT_ITERATIONS;
             this.version = DEFAULT_VERSION;
+            this.maxMemory = Properties.asInteger(MAX_MEMORY_EXP, 30);
+            if (maxMemory < 3  || maxMemory > 30)
+            {
+                throw new IllegalStateException(MAX_MEMORY_EXP + " out of range");
+            }
         }
 
         public Builder withParallelism(int parallelism)
         {
+            if (lanes < 1)
+            {
+                throw new IllegalArgumentException("lanes out of range");
+            }
             this.lanes = parallelism;
             return this;
         }
@@ -78,16 +91,23 @@ public Builder withIterations(int iterations)
             return this;
         }
 
-
         public Builder withMemoryAsKB(int memory)
         {
+            if (memory < 0 || memory > (1 << maxMemory))
+            {
+                throw new IllegalArgumentException("memory out of range");
+            }
             this.memory = memory;
             return this;
         }
 
-
         public Builder withMemoryPowOfTwo(int memory)
         {
+            // Actual range is supposed to be 31 - int's are signed here so cutoff is at 2**30
+            if (memory < 0 || memory > maxMemory)
+            {
+                throw new IllegalArgumentException("memory exponent out of range");
+            }
             this.memory = 1 << memory;
             return this;
         }

core/src/test/java/org/bouncycastle/crypto/test/Argon2Test.java

@@ -1,6 +1,7 @@
 package org.bouncycastle.crypto.test;
 
 
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -34,13 +35,14 @@ public void performTest()
 
         testPermutations();
         testVectorsFromInternetDraft();
-
+        checkArgon2MaxMemoryExpValue();
+        
         int version = Argon2Parameters.ARGON2_VERSION_10;
 
         /* Multiple test cases for various input values */
         hashTest(version, 2, 16, 1, "password", "somesalt",
             "f6c4db4a54e2a370627aff3db6176b94a2a209a62c8e36152711802f7b30c694", DEFAULT_OUTPUTLEN);
-        
+
         hashTest(version, 2, 20, 1, "password", "somesalt",
             "9690ec55d28d3ed32562f2e73ea62b02b018757643a2ae6e79528459de8106e9",
             DEFAULT_OUTPUTLEN);
@@ -160,6 +162,49 @@ public void testPermutations()
         }
     }
 
+    private void checkArgon2MaxMemoryExpValue()
+        throws Exception
+    {
+        System.setProperty("org.bouncycastle.argon2.max_memory_exp", "10");
+
+        byte[] salt = new byte[16];
+        new SecureRandom().nextBytes(salt);
+
+        try
+        {
+            Argon2Parameters parameters = new Argon2Parameters.Builder(Argon2Parameters.ARGON2_id)
+                .withSalt(salt)
+                .withIterations(1)
+                .withParallelism(4)
+                .withMemoryPowOfTwo(30)  // 1 << 22 = 4 GiB, no guard
+                .withVersion(Argon2Parameters.ARGON2_VERSION_13)
+                .build();
+            fail("no exception");
+        }
+        catch (IllegalArgumentException e)
+        {
+            isEquals("memory exponent out of range", e.getMessage());
+        }
+
+        try
+        {
+            Argon2Parameters parameters = new Argon2Parameters.Builder(Argon2Parameters.ARGON2_id)
+                .withSalt(salt)
+                .withIterations(1)
+                .withParallelism(4)
+                .withMemoryAsKB(1 << 25)
+                .withVersion(Argon2Parameters.ARGON2_VERSION_13)
+                .build();
+            fail("no exception");
+        }
+        catch (IllegalArgumentException e)
+        {
+            isEquals("memory out of range", e.getMessage());
+        }
+
+        System.setProperty("org.bouncycastle.argon2.max_memory_exp", "30");
+    }
+
     private void swap(byte[] buf, int i, int j)
     {
         byte b = buf[i];

pg/src/main/java/org/bouncycastle/bcpg/S2K.java

@@ -6,7 +6,9 @@
 import java.security.SecureRandom;
 
 import org.bouncycastle.crypto.CryptoServicesRegistrar;
+import org.bouncycastle.crypto.params.Argon2Parameters;
 import org.bouncycastle.util.Integers;
+import org.bouncycastle.util.Properties;
 
 
 /**
@@ -157,6 +159,11 @@ public class S2K
             passes = dIn.read();
             parallelism = dIn.read();
             memorySizeExponent = dIn.read();
+            // TODO: should really be 3 + log2(parallelism)
+            if (memorySizeExponent < 3 || memorySizeExponent > Properties.asInteger(Argon2Parameters.MAX_MEMORY_EXP, 30))
+            {
+                throw new IOException("memory size exponent out of range");
+            }
             break;
 
         case GNU_DUMMY_S2K:

pg/src/test/java/org/bouncycastle/openpgp/test/Argon2S2KTest.java

@@ -10,9 +10,11 @@
 
 import org.bouncycastle.bcpg.ArmoredInputStream;
 import org.bouncycastle.bcpg.ArmoredOutputStream;
+import org.bouncycastle.bcpg.BCPGInputStream;
 import org.bouncycastle.bcpg.BCPGOutputStream;
 import org.bouncycastle.bcpg.S2K;
 import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags;
+import org.bouncycastle.bcpg.SymmetricKeyEncSessionPacket;
 import org.bouncycastle.openpgp.PGPEncryptedDataGenerator;
 import org.bouncycastle.openpgp.PGPEncryptedDataList;
 import org.bouncycastle.openpgp.PGPException;
@@ -61,14 +63,14 @@ public class Argon2S2KTest
 
     // https://www.rfc-editor.org/rfc/rfc9580.html#name-v4-skesk-using-argon2-with-ae
     private static final String TEST_MSG_AES256 = "-----BEGIN PGP MESSAGE-----\n" +
-            "Comment: Encrypted using AES with 256-bit key\n" +
-            "Comment: Session key: BBEDA55B9AAE63DAC45D4F49D89DACF4AF37FEF...\n" +
-            "Comment: Session key: ...C13BAB2F1F8E18FB74580D8B0\n" +
-            "\n" +
-            "wzcECQS4eJUgIG/3mcaILEJFpmJ8AQQVnZ9l7KtagdClm9UaQ/Z6M/5roklSGpGu\n" +
-            "623YmaXezGj80j4B+Ku1sgTdJo87X1Wrup7l0wJypZls21Uwd67m9koF60eefH/K\n" +
-            "95D1usliXOEm8ayQJQmZrjf6K6v9PWwqMQ==\n" +
-            "-----END PGP MESSAGE-----";
+        "Comment: Encrypted using AES with 256-bit key\n" +
+        "Comment: Session key: BBEDA55B9AAE63DAC45D4F49D89DACF4AF37FEF...\n" +
+        "Comment: Session key: ...C13BAB2F1F8E18FB74580D8B0\n" +
+        "\n" +
+        "wzcECQS4eJUgIG/3mcaILEJFpmJ8AQQVnZ9l7KtagdClm9UaQ/Z6M/5roklSGpGu\n" +
+        "623YmaXezGj80j4B+Ku1sgTdJo87X1Wrup7l0wJypZls21Uwd67m9koF60eefH/K\n" +
+        "95D1usliXOEm8ayQJQmZrjf6K6v9PWwqMQ==\n" +
+        "-----END PGP MESSAGE-----";
 
     static final String TEST_MSG_PLAIN = "Hello, world!";
 
@@ -96,6 +98,7 @@ public void performTest()
         testDecryptAES256Message();
         // dynamic round-trip
         testEncryptAndDecryptMessageWithArgon2();
+        checkArgon2MaxMemoryExpValue();
     }
 
     public void encodingTest()
@@ -155,6 +158,27 @@ public void testEncryptAndDecryptMessageWithArgon2()
         isEquals(TEST_MSG_PLAIN, plaintext);
     }
 
+    private void checkArgon2MaxMemoryExpValue()
+        throws Exception
+    {
+        System.setProperty("org.bouncycastle.argon2.max_memory_exp", "10");
+
+        BCPGInputStream pgpIn = new BCPGInputStream(
+            getClass().getResourceAsStream("poc_argon2_s2k.pgp"));
+        try
+        {
+            SymmetricKeyEncSessionPacket skesk =
+                (SymmetricKeyEncSessionPacket)pgpIn.readPacket();
+            fail("no exception");
+        }
+        catch (IOException e)
+        {
+            isEquals("memory size exponent out of range", e.getMessage());
+        }
+
+        System.setProperty("org.bouncycastle.argon2.max_memory_exp", "30");
+    }
+
     private String decryptSymmetricallyEncryptedMessage(String message, String password)
         throws IOException, PGPException
     {