aboutsummaryrefslogtreecommitdiff
path: root/frozen_deps/Crypto/Random/Fortuna
diff options
context:
space:
mode:
Diffstat (limited to 'frozen_deps/Crypto/Random/Fortuna')
-rw-r--r--frozen_deps/Crypto/Random/Fortuna/FortunaAccumulator.py171
-rw-r--r--frozen_deps/Crypto/Random/Fortuna/FortunaGenerator.py132
-rw-r--r--frozen_deps/Crypto/Random/Fortuna/SHAd256.py98
-rw-r--r--frozen_deps/Crypto/Random/Fortuna/__init__.py0
4 files changed, 401 insertions, 0 deletions
diff --git a/frozen_deps/Crypto/Random/Fortuna/FortunaAccumulator.py b/frozen_deps/Crypto/Random/Fortuna/FortunaAccumulator.py
new file mode 100644
index 0000000..5c6beb0
--- /dev/null
+++ b/frozen_deps/Crypto/Random/Fortuna/FortunaAccumulator.py
@@ -0,0 +1,171 @@
+# -*- coding: ascii -*-
+#
+# FortunaAccumulator.py : Fortuna's internal accumulator
+#
+# Written in 2008 by Dwayne C. Litzenberger <[email protected]>
+#
+# ===================================================================
+# The contents of this file are dedicated to the public domain. To
+# the extent that dedication to the public domain is not available,
+# everyone is granted a worldwide, perpetual, royalty-free,
+# non-exclusive license to exercise all rights associated with the
+# contents of this file for any purpose whatsoever.
+# No rights are reserved.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+# ===================================================================
+
+__revision__ = "$Id$"
+
+import sys
+if sys.version_info[0] == 2 and sys.version_info[1] == 1:
+ from Crypto.Util.py21compat import *
+from Crypto.Util.py3compat import *
+
+from binascii import b2a_hex
+import time
+import warnings
+
+from Crypto.pct_warnings import ClockRewindWarning
+from . import SHAd256
+
+from . import FortunaGenerator
+
+class FortunaPool(object):
+ """Fortuna pool type
+
+ This object acts like a hash object, with the following differences:
+
+ - It keeps a count (the .length attribute) of the number of bytes that
+ have been added to the pool
+ - It supports a .reset() method for in-place reinitialization
+ - The method to add bytes to the pool is .append(), not .update().
+ """
+
+ digest_size = SHAd256.digest_size
+
+ def __init__(self):
+ self.reset()
+
+ def append(self, data):
+ self._h.update(data)
+ self.length += len(data)
+
+ def digest(self):
+ return self._h.digest()
+
+ def hexdigest(self):
+ if sys.version_info[0] == 2:
+ return b2a_hex(self.digest())
+ else:
+ return b2a_hex(self.digest()).decode()
+
+ def reset(self):
+ self._h = SHAd256.new()
+ self.length = 0
+
+def which_pools(r):
+ """Return a list of pools indexes (in range(32)) that are to be included during reseed number r.
+
+ According to _Practical Cryptography_, chapter 10.5.2 "Pools":
+
+ "Pool P_i is included if 2**i is a divisor of r. Thus P_0 is used
+ every reseed, P_1 every other reseed, P_2 every fourth reseed, etc."
+ """
+ # This is a separate function so that it can be unit-tested.
+ assert r >= 1
+ retval = []
+ mask = 0
+ for i in range(32):
+ # "Pool P_i is included if 2**i is a divisor of [reseed_count]"
+ if (r & mask) == 0:
+ retval.append(i)
+ else:
+ break # optimization. once this fails, it always fails
+ mask = (mask << 1) | 1
+ return retval
+
+class FortunaAccumulator(object):
+
+ # An estimate of how many bytes we must append to pool 0 before it will
+ # contain 128 bits of entropy (with respect to an attack). We reseed the
+ # generator only after pool 0 contains `min_pool_size` bytes. Note that
+ # unlike with some other PRNGs, Fortuna's security does not rely on the
+ # accuracy of this estimate---we can accord to be optimistic here.
+ min_pool_size = 64 # size in bytes
+
+ # If an attacker can predict some (but not all) of our entropy sources, the
+ # `min_pool_size` check may not be sufficient to prevent a successful state
+ # compromise extension attack. To resist this attack, Fortuna spreads the
+ # input across 32 pools, which are then consumed (to reseed the output
+ # generator) with exponentially decreasing frequency.
+ #
+ # In order to prevent an attacker from gaining knowledge of all 32 pools
+ # before we have a chance to fill them with enough information that the
+ # attacker cannot predict, we impose a rate limit of 10 reseeds/second (one
+ # per 100 ms). This ensures that a hypothetical 33rd pool would only be
+ # needed after a minimum of 13 years of sustained attack.
+ reseed_interval = 0.100 # time in seconds
+
+ def __init__(self):
+ self.reseed_count = 0
+ self.generator = FortunaGenerator.AESGenerator()
+ self.last_reseed = None
+
+ # Initialize 32 FortunaPool instances.
+ # NB: This is _not_ equivalent to [FortunaPool()]*32, which would give
+ # us 32 references to the _same_ FortunaPool instance (and cause the
+ # assertion below to fail).
+ self.pools = [FortunaPool() for i in range(32)] # 32 pools
+ assert(self.pools[0] is not self.pools[1])
+
+ def _forget_last_reseed(self):
+ # This is not part of the standard Fortuna definition, and using this
+ # function frequently can weaken Fortuna's ability to resist a state
+ # compromise extension attack, but we need this in order to properly
+ # implement Crypto.Random.atfork(). Otherwise, forked child processes
+ # might continue to use their parent's PRNG state for up to 100ms in
+ # some cases. (e.g. CVE-2013-1445)
+ self.last_reseed = None
+
+ def random_data(self, bytes):
+ current_time = time.time()
+ if (self.last_reseed is not None and self.last_reseed > current_time): # Avoid float comparison to None to make Py3k happy
+ warnings.warn("Clock rewind detected. Resetting last_reseed.", ClockRewindWarning)
+ self.last_reseed = None
+ if (self.pools[0].length >= self.min_pool_size and
+ (self.last_reseed is None or
+ current_time > self.last_reseed + self.reseed_interval)):
+ self._reseed(current_time)
+ # The following should fail if we haven't seeded the pool yet.
+ return self.generator.pseudo_random_data(bytes)
+
+ def _reseed(self, current_time=None):
+ if current_time is None:
+ current_time = time.time()
+ seed = []
+ self.reseed_count += 1
+ self.last_reseed = current_time
+ for i in which_pools(self.reseed_count):
+ seed.append(self.pools[i].digest())
+ self.pools[i].reset()
+
+ seed = b("").join(seed)
+ self.generator.reseed(seed)
+
+ def add_random_event(self, source_number, pool_number, data):
+ assert 1 <= len(data) <= 32
+ assert 0 <= source_number <= 255
+ assert 0 <= pool_number <= 31
+ self.pools[pool_number].append(bchr(source_number))
+ self.pools[pool_number].append(bchr(len(data)))
+ self.pools[pool_number].append(data)
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/frozen_deps/Crypto/Random/Fortuna/FortunaGenerator.py b/frozen_deps/Crypto/Random/Fortuna/FortunaGenerator.py
new file mode 100644
index 0000000..489c81e
--- /dev/null
+++ b/frozen_deps/Crypto/Random/Fortuna/FortunaGenerator.py
@@ -0,0 +1,132 @@
+# -*- coding: ascii -*-
+#
+# FortunaGenerator.py : Fortuna's internal PRNG
+#
+# Written in 2008 by Dwayne C. Litzenberger <[email protected]>
+#
+# ===================================================================
+# The contents of this file are dedicated to the public domain. To
+# the extent that dedication to the public domain is not available,
+# everyone is granted a worldwide, perpetual, royalty-free,
+# non-exclusive license to exercise all rights associated with the
+# contents of this file for any purpose whatsoever.
+# No rights are reserved.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+# ===================================================================
+
+__revision__ = "$Id$"
+
+import sys
+if sys.version_info[0] is 2 and sys.version_info[1] is 1:
+ from Crypto.Util.py21compat import *
+from Crypto.Util.py3compat import *
+
+import struct
+
+from Crypto.Util.number import ceil_shift, exact_log2, exact_div
+from Crypto.Util import Counter
+from Crypto.Cipher import AES
+
+from . import SHAd256
+
+class AESGenerator(object):
+ """The Fortuna "generator"
+
+ This is used internally by the Fortuna PRNG to generate arbitrary amounts
+ of pseudorandom data from a smaller amount of seed data.
+
+ The output is generated by running AES-256 in counter mode and re-keying
+ after every mebibyte (2**16 blocks) of output.
+ """
+
+ block_size = AES.block_size # output block size in octets (128 bits)
+ key_size = 32 # key size in octets (256 bits)
+
+ # Because of the birthday paradox, we expect to find approximately one
+ # collision for every 2**64 blocks of output from a real random source.
+ # However, this code generates pseudorandom data by running AES in
+ # counter mode, so there will be no collisions until the counter
+ # (theoretically) wraps around at 2**128 blocks. Thus, in order to prevent
+ # Fortuna's pseudorandom output from deviating perceptibly from a true
+ # random source, Ferguson and Schneier specify a limit of 2**16 blocks
+ # without rekeying.
+ max_blocks_per_request = 2**16 # Allow no more than this number of blocks per _pseudo_random_data request
+
+ _four_kiblocks_of_zeros = b("\0") * block_size * 4096
+
+ def __init__(self):
+ self.counter = Counter.new(nbits=self.block_size*8, initial_value=0, little_endian=True)
+ self.key = None
+
+ # Set some helper constants
+ self.block_size_shift = exact_log2(self.block_size)
+ assert (1 << self.block_size_shift) == self.block_size
+
+ self.blocks_per_key = exact_div(self.key_size, self.block_size)
+ assert self.key_size == self.blocks_per_key * self.block_size
+
+ self.max_bytes_per_request = self.max_blocks_per_request * self.block_size
+
+ def reseed(self, seed):
+ if self.key is None:
+ self.key = b("\0") * self.key_size
+
+ self._set_key(SHAd256.new(self.key + seed).digest())
+ self.counter() # increment counter
+ assert len(self.key) == self.key_size
+
+ def pseudo_random_data(self, bytes):
+ assert bytes >= 0
+
+ num_full_blocks = bytes >> 20
+ remainder = bytes & ((1<<20)-1)
+
+ retval = []
+ for i in range(num_full_blocks):
+ retval.append(self._pseudo_random_data(1<<20))
+ retval.append(self._pseudo_random_data(remainder))
+
+ return b("").join(retval)
+
+ def _set_key(self, key):
+ self.key = key
+ self._cipher = AES.new(key, AES.MODE_CTR, counter=self.counter)
+
+ def _pseudo_random_data(self, bytes):
+ if not (0 <= bytes <= self.max_bytes_per_request):
+ raise AssertionError("You cannot ask for more than 1 MiB of data per request")
+
+ num_blocks = ceil_shift(bytes, self.block_size_shift) # num_blocks = ceil(bytes / self.block_size)
+
+ # Compute the output
+ retval = self._generate_blocks(num_blocks)[:bytes]
+
+ # Switch to a new key to avoid later compromises of this output (i.e.
+ # state compromise extension attacks)
+ self._set_key(self._generate_blocks(self.blocks_per_key))
+
+ assert len(retval) == bytes
+ assert len(self.key) == self.key_size
+
+ return retval
+
+ def _generate_blocks(self, num_blocks):
+ if self.key is None:
+ raise AssertionError("generator must be seeded before use")
+ assert 0 <= num_blocks <= self.max_blocks_per_request
+ retval = []
+ for i in range(num_blocks >> 12): # xrange(num_blocks / 4096)
+ retval.append(self._cipher.encrypt(self._four_kiblocks_of_zeros))
+ remaining_bytes = (num_blocks & 4095) << self.block_size_shift # (num_blocks % 4095) * self.block_size
+ retval.append(self._cipher.encrypt(self._four_kiblocks_of_zeros[:remaining_bytes]))
+ return b("").join(retval)
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/frozen_deps/Crypto/Random/Fortuna/SHAd256.py b/frozen_deps/Crypto/Random/Fortuna/SHAd256.py
new file mode 100644
index 0000000..2e135c9
--- /dev/null
+++ b/frozen_deps/Crypto/Random/Fortuna/SHAd256.py
@@ -0,0 +1,98 @@
+# -*- coding: ascii -*-
+#
+# Random/Fortuna/SHAd256.py : SHA_d-256 hash function implementation
+#
+# Written in 2008 by Dwayne C. Litzenberger <[email protected]>
+#
+# ===================================================================
+# The contents of this file are dedicated to the public domain. To
+# the extent that dedication to the public domain is not available,
+# everyone is granted a worldwide, perpetual, royalty-free,
+# non-exclusive license to exercise all rights associated with the
+# contents of this file for any purpose whatsoever.
+# No rights are reserved.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+# ===================================================================
+
+"""\
+SHA_d-256 hash function implementation.
+
+This module should comply with PEP 247.
+"""
+
+__revision__ = "$Id$"
+__all__ = ['new', 'digest_size']
+
+import sys
+if sys.version_info[0] == 2 and sys.version_info[1] == 1:
+ from Crypto.Util.py21compat import *
+from Crypto.Util.py3compat import *
+
+from binascii import b2a_hex
+
+from Crypto.Hash import SHA256
+
+assert SHA256.digest_size == 32
+
+class _SHAd256(object):
+ """SHA-256, doubled.
+
+ Returns SHA-256(SHA-256(data)).
+ """
+
+ digest_size = SHA256.digest_size
+
+ _internal = object()
+
+ def __init__(self, internal_api_check, sha256_hash_obj):
+ if internal_api_check is not self._internal:
+ raise AssertionError("Do not instantiate this class directly. Use %s.new()" % (__name__,))
+ self._h = sha256_hash_obj
+
+ # PEP 247 "copy" method
+ def copy(self):
+ """Return a copy of this hashing object"""
+ return _SHAd256(SHAd256._internal, self._h.copy())
+
+ # PEP 247 "digest" method
+ def digest(self):
+ """Return the hash value of this object as a binary string"""
+ retval = SHA256.new(self._h.digest()).digest()
+ assert len(retval) == 32
+ return retval
+
+ # PEP 247 "hexdigest" method
+ def hexdigest(self):
+ """Return the hash value of this object as a (lowercase) hexadecimal string"""
+ retval = b2a_hex(self.digest())
+ assert len(retval) == 64
+ if sys.version_info[0] == 2:
+ return retval
+ else:
+ return retval.decode()
+
+ # PEP 247 "update" method
+ def update(self, data):
+ self._h.update(data)
+
+# PEP 247 module-level "digest_size" variable
+digest_size = _SHAd256.digest_size
+
+# PEP 247 module-level "new" function
+def new(data=None):
+ """Return a new SHAd256 hashing object"""
+ if not data:
+ data=b("")
+ sha = _SHAd256(_SHAd256._internal, SHA256.new(data))
+ sha.new = globals()['new']
+ return sha
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/frozen_deps/Crypto/Random/Fortuna/__init__.py b/frozen_deps/Crypto/Random/Fortuna/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/frozen_deps/Crypto/Random/Fortuna/__init__.py