From df42e9140d7f9b376f0dc13bb674d5392a121275 Mon Sep 17 00:00:00 2001
From: Alexander Schwartz
Date: Tue, 20 Jan 2026 11:16:30 +0100
Subject: [PATCH] Fix nesting of argon2 semaphore acquisition and release

Closes #45564

Signed-off-by: Alexander Schwartz
---
 .../hash/Argon2PasswordHashProvider.java | 47 +++++++++----------
 1 file changed, 23 insertions(+), 24 deletions(-)

diff --git a/crypto/default/src/main/java/org/keycloak/crypto/hash/Argon2PasswordHashProvider.java b/crypto/default/src/main/java/org/keycloak/crypto/hash/Argon2PasswordHashProvider.java
index 192d9e0f64a..3fcb3c53044 100644
--- a/crypto/default/src/main/java/org/keycloak/crypto/hash/Argon2PasswordHashProvider.java
+++ b/crypto/default/src/main/java/org/keycloak/crypto/hash/Argon2PasswordHashProvider.java
@@ -110,32 +110,31 @@ public class Argon2PasswordHashProvider implements PasswordHashProvider {
 private String encode(String rawPassword, byte[] salt, String version, String type, int hashLength, int parallelism, int memory, int iterations) {
 var tracing = TracingProviderUtil.getTracingProvider();
- try {
- return tracing.trace(Argon2PasswordHashProvider.class, "encode", span -> {
+ return tracing.trace(Argon2PasswordHashProvider.class, "encode", span -> {
+ try {
+ cpuCoreSemaphore.acquire();
 try {
- cpuCoreSemaphore.acquire();
- } catch (InterruptedException e) {
- Thread.currentThread().interrupt();
- throw new RuntimeException(e);
+ org.bouncycastle.crypto.params.Argon2Parameters parameters = new org.bouncycastle.crypto.params.Argon2Parameters.Builder(Argon2Parameters.getTypeValue(type))
+ .withVersion(Argon2Parameters.getVersionValue(version))
+ .withSalt(salt)
+ .withParallelism(parallelism)
+ .withMemoryAsKB(memory)
+ .withIterations(iterations).build();
+
+ Argon2BytesGenerator generator = new Argon2BytesGenerator();
+ generator.init(parameters);
+
+ byte[] result = new byte[hashLength];
+ generator.generateBytes(rawPassword.toCharArray(), result);
+ return Base64.getEncoder().encodeToString(result);
+ } finally {
+ cpuCoreSemaphore.release();
 }
-
- org.bouncycastle.crypto.params.Argon2Parameters parameters = new org.bouncycastle.crypto.params.Argon2Parameters.Builder(Argon2Parameters.getTypeValue(type))
- .withVersion(Argon2Parameters.getVersionValue(version))
- .withSalt(salt)
- .withParallelism(parallelism)
- .withMemoryAsKB(memory)
- .withIterations(iterations).build();
-
- Argon2BytesGenerator generator = new Argon2BytesGenerator();
- generator.init(parameters);
-
- byte[] result = new byte[hashLength];
- generator.generateBytes(rawPassword.toCharArray(), result);
- return Base64.getEncoder().encodeToString(result);
- });
- } finally {
- cpuCoreSemaphore.release();
- }
+ } catch (InterruptedException e) {
+ Thread.currentThread().interrupt();
+ throw new RuntimeException(e);
+ }
+ });
 }
 private boolean checkCredData(String key, int expectedValue, PasswordCredentialData data) {
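Review bot: Nothing in the new lambda records why `cpuCoreSemaphore.acquire()` sits outside the inner `try`, and that ordering is the whole fix: the `finally` must call `release()` only once a permit is actually held, otherwise an interrupted acquire hands back a permit that was never taken and the limit the semaphore presumably places on concurrent Argon2 computations drifts upward. A one-line comment on the acquire would protect the ordering from a later refactor, for example `// acquire before the inner try: the finally must release only a permit we hold`. Separately, `acquire()` waits without a bound, so when many hashes are requested at once the calling threads queue at this line. Whether a timed `tryAcquire` with an explicit failure is appropriate depends on how callers of `encode` treat an exception, which is not visible in this hunk.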