Fix nesting of argon2 semaphore acquisition and release

Closes #45564 Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-02-03 20:39:33 -05:00 · 2026-01-20 11:16:30 +01:00 · 2026-01-20 11:16:30 +01:00 · df42e9140d
commit df42e9140d
parent dd0214bc78
1 changed files with 23 additions and 24 deletions
--- a/crypto/default/src/main/java/org/keycloak/crypto/hash/Argon2PasswordHashProvider.java
+++ b/crypto/default/src/main/java/org/keycloak/crypto/hash/Argon2PasswordHashProvider.java
@ -110,32 +110,31 @@ public class Argon2PasswordHashProvider implements PasswordHashProvider {

    private String encode(String rawPassword, byte[] salt, String version, String type, int hashLength, int parallelism, int memory, int iterations) {
        var tracing = TracingProviderUtil.getTracingProvider();
-        try {
-            return tracing.trace(Argon2PasswordHashProvider.class, "encode", span -> {
+        return tracing.trace(Argon2PasswordHashProvider.class, "encode", span -> {
+            try {
+                cpuCoreSemaphore.acquire();
                try {
-                    cpuCoreSemaphore.acquire();
-                } catch (InterruptedException e) {
-                    Thread.currentThread().interrupt();
-                    throw new RuntimeException(e);
+                    org.bouncycastle.crypto.params.Argon2Parameters parameters = new org.bouncycastle.crypto.params.Argon2Parameters.Builder(Argon2Parameters.getTypeValue(type))
+                            .withVersion(Argon2Parameters.getVersionValue(version))
+                            .withSalt(salt)
+                            .withParallelism(parallelism)
+                            .withMemoryAsKB(memory)
+                            .withIterations(iterations).build();
+
+                    Argon2BytesGenerator generator = new Argon2BytesGenerator();
+                    generator.init(parameters);
+
+                    byte[] result = new byte[hashLength];
+                    generator.generateBytes(rawPassword.toCharArray(), result);
+                    return Base64.getEncoder().encodeToString(result);
+                } finally {
+                    cpuCoreSemaphore.release();
                }
-
-                org.bouncycastle.crypto.params.Argon2Parameters parameters = new org.bouncycastle.crypto.params.Argon2Parameters.Builder(Argon2Parameters.getTypeValue(type))
-                        .withVersion(Argon2Parameters.getVersionValue(version))
-                        .withSalt(salt)
-                        .withParallelism(parallelism)
-                        .withMemoryAsKB(memory)
-                        .withIterations(iterations).build();
-
-                Argon2BytesGenerator generator = new Argon2BytesGenerator();
-                generator.init(parameters);
-
-                byte[] result = new byte[hashLength];
-                generator.generateBytes(rawPassword.toCharArray(), result);
-                return Base64.getEncoder().encodeToString(result);
-            });
-        } finally {
-            cpuCoreSemaphore.release();
-        }
+            } catch (InterruptedException e) {
+                Thread.currentThread().interrupt();
+                throw new RuntimeException(e);
+            }
+        });
    }

    private boolean checkCredData(String key, int expectedValue, PasswordCredentialData data) {