argon2 implementation

- memory and time params customisable as well as "difficulty", default 1 iteration, 6000KB, 3 difficulty.
- updated the noscript bash method to work with argon2
- works in webworkers or main thread, capped at 8 threads (doesn't seem to crash firefox anymore -- we could go higher)

README.MD

@@ -37,6 +37,9 @@ Add some env vars to docker-compose file:
 - CHALLENGE_INCLUDES_IP - any value, whether to lock solved challenges to IP or tor circuit
 - BACKEND_NAME - Optional, name of backend to build from hosts.map
 - SERVER_PREFIX - Optional, prefix of server names used in server-template
+- POW_TIME - argon2 iterations
+- POW_KB - argon2 memory usage in KB
+- POW_DIFFICULTY - pow "difficulty" (you should change all 3 POW_ parameters to tune the difficulty)
 
 Add a domain name + backend IP to `haproxy/hosts.map` like:
 ```plain

docker-compose.yml

@@ -38,6 +38,9 @@ services:
       - BACKEND_NAME=servers
       - SERVER_PREFIX=websrv
       #- CHALLENGE_INCLUDES_IP=1
+      - POW_TIME=1
+      - POW_KB=6000
+      - POW_DIFFICULTY=3
   nginx:
     ports:
       - 81:80

haproxy/Dockerfile

@@ -88,10 +88,9 @@ STOPSIGNAL SIGUSR1
 
 ADD haproxy/docker-entrypoint.sh /usr/local/bin/
 RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
-
-# This is terrible mess but we need it for simple testing purposes of our POC
-RUN apt-get update && apt-get install socat dnsutils -y
-
+RUN apt update && apt install -y git lua5.3 liblua5.3-dev argon2 libargon2-dev luarocks
+RUN git config --global url."https://".insteadOf git://
+RUN luarocks install argon2
 ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
 
 # no USER for backwards compatibility (to try to avoid breaking existing users)

haproxy/haproxy.cfg

@@ -6,6 +6,8 @@ global
 	stats socket /var/run/haproxy.sock mode 666 level admin
 	stats socket 127.0.0.1:1999 level admin
 	httpclient.ssl.verify none
+	# Allow larger buffer size for return-file of argon scripts
+	tune.bufsize 51200
 
 defaults
 	mode http
@@ -49,10 +51,9 @@ frontend http-in
 	acl ddos_mode_enabled base,map(/etc/haproxy/ddos.map) -m bool
 
 	# serve challenge page scripts directly from haproxy
-	acl is_challenge_js path /js/challenge.js
-	acl is_worker_js path /js/worker.js
-	http-request return file /var/www/js/challenge.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_challenge_js
-	http-request return file /var/www/js/worker.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_worker_js
+	http-request return file /var/www/js/argon2.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if { path /js/argon2.js }
+	http-request return file /var/www/js/challenge.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if { path /js/challenge.js }
+	http-request return file /var/www/js/worker.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if { path /js/worker.js }
 
 	# acl for domains in maintenance mode to return maintenance page (after challenge page htp-request return rules, for the footerlogo)
 	acl maintenance_mode hdr(host),lower,map_str(/etc/haproxy/maintenance.map) -m found

haproxy/js/challenge.js

@@ -23,12 +23,22 @@ function postResponse(powResponse, captchaResponse) {
 }
 
 const powFinished = new Promise((resolve, reject) => {
-	window.addEventListener('DOMContentLoaded', (event) => {
-		const combined = document.querySelector('[data-pow]').dataset.pow;
+	window.addEventListener('DOMContentLoaded', async () => {
+		const { time, kb, pow, diff } = document.querySelector('[data-pow]').dataset;
+		const argonOpts = {
+			time: time,
+			mem: kb,
+			hashLen: 32,
+			parallelism: 1,
+			type: argon2.ArgonType.Argon2id,
+		};
+		console.log('Got pow', pow, 'with difficulty', diff);
+		const diffString = '0'.repeat(diff);
+		const combined = pow;
 		const [userkey, challenge, signature] = combined.split("#");
 		const start = Date.now();
-		if (window.Worker && crypto.subtle) {
-			const threads = Math.min(2,Math.ceil(window.navigator.hardwareConcurrency/2));
+		if (window.Worker) {
+			const threads = Math.min(8,Math.ceil(window.navigator.hardwareConcurrency/2));
 			let finished = false;
 			const messageHandler = (e) => {
 				if (finished) { return; }
@@ -43,25 +53,32 @@ const powFinished = new Promise((resolve, reject) => {
 			}
 			const workers = [];
 			for (let i = 0; i < threads; i++) {
-				const shaWorker = new Worker('/js/worker.js');
-				shaWorker.onmessage = messageHandler;
-				workers.push(shaWorker);
+				const argonWorker = new Worker('/js/worker.js');
+				argonWorker.onmessage = messageHandler;
+				workers.push(argonWorker);
 			}
-			workers.forEach((w, i) => w.postMessage([challenge, i, threads]));
+			workers.forEach(async (w, i) => {
+				await new Promise(res => setTimeout(res, 100));
+				w.postMessage([userkey, challenge, diffString, argonOpts, i, threads]);
+			});
 		} else {
-			console.warn('No webworker or crypto.subtle support, using legacy method in main/UI thread!');
-			function sha256(ascii){function rightRotate(value,amount){return(value>>>amount)|(value<<(32-amount))};var mathPow=Math.pow;var maxWord=mathPow(2,32);var lengthProperty='length';var i,j;var result='';var words=[];var asciiBitLength=ascii[lengthProperty]*8;var hash=sha256.h=sha256.h||[];var k=sha256.k=sha256.k||[];var primeCounter=k[lengthProperty];var isComposite={};for(var candidate=2;primeCounter<64;candidate+=1){if(!isComposite[candidate]){for(i=0;i<313;i+=candidate){isComposite[i]=candidate}hash[primeCounter]=(mathPow(candidate,.5)*maxWord)|0;k[primeCounter++]=(mathPow(candidate,1/3)*maxWord)|0}}ascii+='\x80';while(ascii[lengthProperty]%64-56){ascii+='\x00';}for(i=0;i<ascii[lengthProperty];i+=1){j=ascii.charCodeAt(i);if(j>>8){return;}words[i>>2]|=j<<((3-i)%4)*8}words[words[lengthProperty]]=((asciiBitLength/maxWord)|0);words[words[lengthProperty]]=(asciiBitLength);for(j=0;j<words[lengthProperty];){var w=words.slice(j,j+=16);var oldHash=hash;hash=hash.slice(0,8);for(i=0;i<64;i+=1){var i2=i+j;var w15=w[i-15],w2=w[i-2];var a=hash[0],e=hash[4];var temp1=hash[7]+(rightRotate(e,6)^rightRotate(e,11)^rightRotate(e,25))+((e&hash[5])^((~e)&hash[6]))+k[i]+(w[i]=(i<16)?w[i]:(w[i-16]+(rightRotate(w15,7)^rightRotate(w15,18)^(w15>>>3))+w[i-7]+(rightRotate(w2,17)^rightRotate(w2,19)^(w2>>>10)))|0);var temp2=(rightRotate(a,2)^rightRotate(a,13)^rightRotate(a,22))+((a&hash[1])^(a&hash[2])^(hash[1]&hash[2]));hash=[(temp1+temp2)|0].concat(hash);hash[4]=(hash[4]+temp1)|0}for(i=0;i<8;i+=1){hash[i]=(hash[i]+oldHash[i])|0}}for(i=0;i<8;i+=1){for(j=3;j+1;j-=1){var b=(hash[i]>>(j*8))&255;result+=((b<16)?0:'')+b.toString(16)}}return result}
-			const challengeIndex = parseInt(challenge[0], 16)*2;
-			let i = 0
-				, result;
+			console.warn('No webworker support, running in main/UI thread!');
+			const times = [];
+			let i = 0;
+			let start = Date.now();
 			while(true) {
-				result = sha256(challenge+i);
-				if (result.substring(challengeIndex, challengeIndex+4) === '0041'){
-					console.log('Main thread found solution:', i, result);
+				const hash = await argon2.hash({
+					pass: challenge + i.toString(),
+					salt: userkey,
+					...argonOpts,
+				});
+				if (hash.hashHex.startsWith(diffString)) {
+					console.log('Main thread found solution:', hash.hashHex, 'in', (Date.now()-start)+'ms');
 					break;
 				}
 				++i;
 			}
+			console.log(times)
 			const dummyTime = 5000 - (Date.now()-start);
 			window.setTimeout(() => {
 				resolve(`${combined}#${i}`);

haproxy/js/worker.js

@@ -1,19 +1,19 @@
-async function hash(data, method) {
-	const buffer = new TextEncoder('utf-8').encode(data);
-	const hashBuffer = await crypto.subtle.digest(method, buffer)
-	return Array.from(new Uint8Array(hashBuffer));
-}
+importScripts('/js/argon2.js');
 
 onmessage = async function(e) {
-	const [challenge, id, threads] = e.data;
-	console.log('Worker thread', id,'got challenge', challenge);
+	const [userkey, challenge, diffString, argonOpts, id, threads] = e.data;
+	console.log('Worker thread', id, 'started');
 	let i = id;
-	let challengeIndex = parseInt(challenge[0], 16);
 	while(true) {
-		let result = await hash(challenge+i, 'sha-256');
-		if(result[challengeIndex] === 0x00
-			&& result[challengeIndex+1] === 0x41){
-			console.log('Worker thread found solution:', i);
+		const hash = await argon2.hash({
+			pass: challenge + i.toString(),
+			salt: userkey,
+			...argonOpts,
+		});
+		// This throttle seems to really help some browsers not stop the workers abruptly
+		i % 10 === 0 && await new Promise(res => setTimeout(res, 10));
+		if (hash.hashHex.startsWith(diffString)) {
+			console.log('Worker', id, 'found solution');
 			postMessage([id, i]);
 			break;
 		}

src/scripts/hcaptcha.lua

@@ -6,6 +6,18 @@ local cookie = require("cookie")
 local json = require("json")
 local sha = require("sha")
 local randbytes = require("randbytes")
+local argon2 = require("argon2")
+local pow_difficulty = tonumber(os.getenv("POW_DIFFICULTY") or 3)
+local pow_kb = tonumber(os.getenv("POW_KB") or 6000)
+local pow_time = tonumber(os.getenv("POW_TIME") or 1)
+argon2.t_cost(pow_time)
+argon2.m_cost(pow_kb)
+argon2.parallelism(1)
+argon2.hash_len(32)
+argon2.variant(argon2.variants.argon2_id)
+
+-- Testing only
+-- require("socket")
 -- require("print_r")
 
 local captcha_secret = os.getenv("HCAPTCHA_SECRET") or os.getenv("RECAPTCHA_SECRET")
@@ -88,9 +100,10 @@ local body_template = [[
 		<noscript>
 			<style>.jsonly{display:none}</style>
 		</noscript>
+		<script src="/js/argon2.js"></script>
 		<script src="/js/challenge.js"></script>
 	</head>
-	<body data-pow="%s">
+	<body data-pow="%s" data-diff="%s" data-time="%s" data-kb="%s">
 		%s
 		%s
 		%s
@@ -112,9 +125,9 @@ local noscript_extra_template = [[
 				<summary>No JavaScript?</summary>
 				<ol>
 					<li>
-						<p>Run this in a linux terminal:</p>
+						<p>Run this in a linux terminal (requires <code>argon2</code> package installed):</p>
 						<code style="word-break: break-all;">
-							echo "Q0g9IiQyIjtCPSIwMDQxIjtJPTA7RElGRj0kKCgxNiMke0NIOjA6MX0gKiAyKSk7d2hpbGUgdHJ1ZTsgZG8gSD0kKGVjaG8gLW4gJENIJEkgfCBzaGEyNTZzdW0pO0U9JHtIOiRESUZGOjR9O1tbICRFID09ICRCIF1dICYmIGVjaG8gJDEjJDIjJDMjJEkgJiYgZXhpdCAwOygoSSsrKSk7ZG9uZTs=" | base64 -d | bash -s %s %s %s
+							echo "Q0g9IiQyIjtCPSQocHJpbnRmICcwJS4wcycgJChzZXEgMSAkNCkpO2VjaG8gIldvcmtpbmcuLi4iO0k9MDt3aGlsZSB0cnVlOyBkbyBIPSQoZWNobyAtbiAkQ0gkSSB8IGFyZ29uMiAkMSAtaWQgLXQgJDUgLWsgJDYgLXAgMSAtbCAzMiAtcik7RT0ke0g6MDokNH07W1sgJEUgPT0gJEIgXV0gJiYgZWNobyAiT3V0cHV0OiIgJiYgZWNobyAkMSMkMiMkMyMkSSAmJiBleGl0IDA7KChJKyspKTtkb25lOwo=" | base64 -d | bash -s %s %s %s %s %s %s
 						</code>
 					<li>Paste the output from the script into the box and submit:
 					<form method="POST">
@@ -189,14 +202,18 @@ function _M.view(applet)
 		-- pow at least is always enabled when reaching bot-check page
 		site_name_body = string.format(site_name_section_template, host)
 		if captcha_enabled then
-			captcha_body = string.format(captcha_section_template, captcha_classname, captcha_sitekey, captcha_script_src)
+			captcha_body = string.format(captcha_section_template, captcha_classname,
+				captcha_sitekey, captcha_script_src)
 		else
 			pow_body = pow_section_template
-			noscript_extra_body = string.format(noscript_extra_template, user_key, challenge_hash, signature)
+			noscript_extra_body = string.format(noscript_extra_template, user_key, challenge_hash, signature,
+				pow_difficulty, pow_time, pow_kb)
 		end
 
 		-- sub in the body sections
-		response_body = string.format(body_template, combined_challenge, site_name_body, pow_body, captcha_body, noscript_extra_body, ray_id)
+		response_body = string.format(body_template, combined_challenge,
+			pow_difficulty, pow_time, pow_kb,
+			site_name_body, pow_body, captcha_body, noscript_extra_body, ray_id)
 		response_status_code = 403
 
 	-- if request is POST, check the answer to the pow/cookie
@@ -262,6 +279,7 @@ function _M.view(applet)
 		-- handle setting the POW cookie
 		local user_pow_response = parsed_body["pow_response"]
 		if user_pow_response then
+
 			-- split the response up (makes the nojs submission easier because it can be a single field)
 			local split_response = utils.split(user_pow_response, "#")
 			if #split_response == 4 then
@@ -269,6 +287,7 @@ function _M.view(applet)
 				local given_challenge_hash = split_response[2]
 				local given_signature = split_response[3]
 				local given_answer = split_response[4]
+
 				-- regenerate the challenge and compare it
 				local generated_challenge_hash = utils.generate_secret(applet, pow_cookie_secret, given_user_key, true)
 				if given_challenge_hash == generated_challenge_hash then
@@ -278,11 +297,14 @@ function _M.view(applet)
 					if given_signature == generated_signature then
 
 						-- do the work with their given answer
-						local completed_work = sha.sha256(generated_challenge_hash .. given_answer) -- (TODO: replace this bit with argon2)
+						local full_hash = argon2.hash_encoded(given_challenge_hash .. given_answer, given_user_key)
 
 						-- check the output is correct
-						local challenge_offset = tonumber(generated_challenge_hash:sub(1,1),16) * 2
-						if completed_work:sub(challenge_offset+1, challenge_offset+4) == '0041' then
+						local hash_output = utils.split(full_hash, '$')[5]:sub(0, 43) -- https://github.com/thibaultcha/lua-argon2/issues/37
+						local hex_hash_output = sha.bin_to_hex(sha.base64_to_bin(hash_output));
+						local hex_hash_sub = hex_hash_output:sub(0, pow_difficulty)
+
+						if hex_hash_sub == string.rep('0', pow_difficulty) then
 
 							-- the answer was good, give them a cookie
 							local signature = sha.hmac(sha.sha256, hmac_cookie_secret, given_user_key .. given_challenge_hash .. given_answer)