01e1152003-03-12Niels Möller /* nettle.cmod -*- c -*- */ #include "global.h" #include "interpret.h" #include "svalue.h" /* For this_object() */ #include "object.h"
7d54f42004-01-23Martin Nilsson #include "operators.h"
01e1152003-03-12Niels Möller #include "module_support.h"
d7f88a2004-02-14Martin Nilsson #include "threads.h"
0a146b2013-03-12Arne Goedeke #include "pike_memory.h"
01e1152003-03-12Niels Möller 
4e1f622003-03-13Niels Möller #include "nettle_config.h"
770fee2003-03-12Henrik Grubbström (Grubba) #ifdef HAVE_LIBNETTLE
efb89c2003-08-06Henrik Grubbström (Grubba) #include "nettle.h"
01e1152003-03-12Niels Möller 
3184172003-08-06Henrik Grubbström (Grubba) #include <nettle/yarrow.h>
329a6f2004-02-21Martin Nilsson #include <nettle/knuth-lfib.h>
3184172003-08-06Henrik Grubbström (Grubba) 
01e1152003-03-12Niels Möller #include <stdio.h> #include <stdarg.h> DECLARATIONS /*! @module Nettle
d745992003-08-05Martin Nilsson  *! Low level crypto functions used by the @[Crypto] module. Unless *! you are doing something very special, you would want to use the *! Crypto module instead. */ /*! @class Yarrow *! *! Yarrow is a family of pseudo-randomness generators, designed for *! cryptographic use, by John Kelsey, Bruce Schneier and Niels Ferguson. *! Yarrow-160 is described in a paper at
1e4bd32013-10-05Henrik Grubbström (Grubba)  *! @url{http://www.schneier.com/paper-yarrow.html@}, and it uses SHA1 and
d745992003-08-05Martin Nilsson  *! triple-DES, and has a 160-bit internal state. Nettle implements *! Yarrow-256, which is similar, but uses SHA256 and AES to get an *! internal state of 256 bits. */ PIKECLASS Yarrow {
49acab2003-11-09Niels Möller  CVAR struct yarrow256_ctx ctx;
25f5432003-08-06Martin Nilsson  CVAR struct yarrow_source *sources;
d311272009-07-05Henrik Grubbström (Grubba) 
d1cb852009-07-05Henrik Grubbström (Grubba) #ifndef HAVE_STRUCT_YARROW256_CTX_SEED_FILE
d311272009-07-05Henrik Grubbström (Grubba)  /* NOTE: Nettle 2.0 does not have the automatic seed_file maintenance * that Nettle 1.x had. This stuff is needed since it affected * the state emitted by random_string(). When Nettle 2.0 is the * default, consider implementing this via overloading of the * various seeding functions instead, since it does have a bit * of overhead. * * /grubba 2009-07-05 */
d1cb852009-07-05Henrik Grubbström (Grubba)  PIKEVAR string seed_file flags ID_PRIVATE|ID_STATIC;
0ec1412009-07-05Henrik Grubbström (Grubba) #endif DECLARE_STORAGE;
d311272009-07-05Henrik Grubbström (Grubba) 
0ec1412009-07-05Henrik Grubbström (Grubba) #ifndef HAVE_STRUCT_YARROW256_CTX_SEED_FILE
d311272009-07-05Henrik Grubbström (Grubba)  static void pike_generate_seed_file(void) { struct pike_string *seed_file = begin_shared_string(YARROW256_SEED_FILE_SIZE); yarrow256_random(&THIS->ctx, YARROW256_SEED_FILE_SIZE, STR0(seed_file)); if (THIS->seed_file) { free_string(THIS->seed_file); } THIS->seed_file = end_shared_string(seed_file); } #else #define pike_generate_seed_file()
d1cb852009-07-05Henrik Grubbström (Grubba) #endif
25f5432003-08-06Martin Nilsson 
9109472003-08-07Martin Nilsson  /*! @decl void create(void|int sources) *! The number of entropy sources that will feed entropy to the *! random number generator is given as an argument to Yarrow *! during instantiation. *! @seealso *! @[update] */
d7f88a2004-02-14Martin Nilsson  PIKEFUN void create(void|int arg)
ecc9382008-06-29Martin Nilsson  flags ID_PROTECTED;
d7f88a2004-02-14Martin Nilsson  {
25f5432003-08-06Martin Nilsson  INT32 num = 0; if(arg) {
017b572011-10-28Henrik Grubbström (Grubba)  if (TYPEOF(*arg) != PIKE_T_INT)
25f5432003-08-06Martin Nilsson  Pike_error("Bad argument type.\n"); num = arg->u.integer; if(num < 0) Pike_error("Invalid number of sources.\n");
49acab2003-11-09Niels Möller  free (THIS->sources);
25f5432003-08-06Martin Nilsson  THIS->sources = xalloc(sizeof(struct yarrow_source)*num); }
49acab2003-11-09Niels Möller  else { free (THIS->sources); THIS->sources = NULL; } yarrow256_init(&THIS->ctx, num, THIS->sources);
d745992003-08-05Martin Nilsson  }
f6a6ad2013-12-08Henrik Grubbström (Grubba)  /*! @decl Yarrow seed(string(0..255) data)
6580032013-08-15Martin Nilsson  *! *! The random generator needs to be seeded before it can be used. *! The seed must be at least 32 characters long. The seed could be *! stored from a previous run by inserting the value returned from *! @[get_seed]. *!
d745992003-08-05Martin Nilsson  *! @returns *! Returns the called object.
9109472003-08-07Martin Nilsson  *! @seealso *! @[min_seed_size], @[get_seed], @[is_seeded]
d745992003-08-05Martin Nilsson  */
f6a6ad2013-12-08Henrik Grubbström (Grubba)  PIKEFUN object seed(string(0..255) data)
d7f88a2004-02-14Martin Nilsson  optflags OPT_SIDE_EFFECT;
d745992003-08-05Martin Nilsson  { if(data->len < YARROW256_SEED_FILE_SIZE)
c9edeb2009-07-01Henrik Grubbström (Grubba)  Pike_error("Seed must be at least %d characters.\n", YARROW256_SEED_FILE_SIZE);
d745992003-08-05Martin Nilsson  NO_WIDE_STRING(data);
c9edeb2009-07-01Henrik Grubbström (Grubba)  yarrow256_seed(&THIS->ctx, data->len, STR0(data));
d311272009-07-05Henrik Grubbström (Grubba)  pike_generate_seed_file();
d745992003-08-05Martin Nilsson  RETURN this_object(); }
9109472003-08-07Martin Nilsson  /*! @decl int(0..) min_seed_size() *! Returns the minimal number of characters that the @[seed] *! needs to properly seed the random number generator. *! @seealso *! @[seed] */ PIKEFUN int(0..) min_seed_size()
d7f88a2004-02-14Martin Nilsson  optflags OPT_TRY_OPTIMIZE;
9109472003-08-07Martin Nilsson  { RETURN YARROW256_SEED_FILE_SIZE; }
d311272009-07-05Henrik Grubbström (Grubba)  /*! @decl string(0..255) get_seed()
776b502009-07-02Henrik Grubbström (Grubba)  *! Returns part of the internal state so that it can *! be saved for later seeding.
de03372009-07-01Henrik Grubbström (Grubba)  *!
9109472003-08-07Martin Nilsson  *! @seealso
776b502009-07-02Henrik Grubbström (Grubba)  *! @[seed()], @[random_string()]
d745992003-08-05Martin Nilsson  */
5345c92013-05-19Martin Nilsson  PIKEFUN string(0..255) get_seed()
d7f88a2004-02-14Martin Nilsson  optflags OPT_EXTERNAL_DEPEND;
47ce5e2009-07-05Henrik Grubbström (Grubba)  rawtype tDeprecated(tFunc(tNone, tStr8));
d745992003-08-05Martin Nilsson  {
324ca82003-11-10Niels Möller  if( !yarrow256_is_seeded(&THIS->ctx) ) Pike_error("Random generator not seeded.\n");
ad67532009-07-01Henrik Grubbström (Grubba) 
d1cb852009-07-05Henrik Grubbström (Grubba) #ifdef HAVE_STRUCT_YARROW256_CTX_SEED_FILE
6580032013-08-15Martin Nilsson  RETURN make_shared_binary_string(THIS->ctx.seed_file,
776b502009-07-02Henrik Grubbström (Grubba)  YARROW256_SEED_FILE_SIZE);
d1cb852009-07-05Henrik Grubbström (Grubba) #else
d311272009-07-05Henrik Grubbström (Grubba)  if (THIS->seed_file) { REF_RETURN THIS->seed_file; } else {
bb64932013-08-09Arne Goedeke  /* * It seems somewhat unreasonable to use uninitialized memory here. * Instead, I think the user should be warned. It really isnt a very * good source of entropy and may lead to undefined behavior in C. * Why not simply return 0 in that case? * /arne */
d311272009-07-05Henrik Grubbström (Grubba)  struct pike_string *s = begin_shared_string(YARROW256_SEED_FILE_SIZE);
bb64932013-08-09Arne Goedeke  PIKE_MEM_RW_RANGE(s->str, YARROW256_SEED_FILE_SIZE); s = end_shared_string(s); RETURN s;
d311272009-07-05Henrik Grubbström (Grubba)  }
776b502009-07-02Henrik Grubbström (Grubba) #endif /* HAVE_STRUCT_YARROW256_CTX_SEED_FILE */
d1cb852009-07-05Henrik Grubbström (Grubba)  }
d745992003-08-05Martin Nilsson  /*! @decl int(0..1) is_seeded() *! Returns 1 if the random generator is seeded and ready *! to generator output. 0 otherwise.
9109472003-08-07Martin Nilsson  *! @seealso *! @[seed]
d745992003-08-05Martin Nilsson  */ PIKEFUN int(0..1) is_seeded()
d7f88a2004-02-14Martin Nilsson  optflags OPT_EXTERNAL_DEPEND;
d745992003-08-05Martin Nilsson  {
49acab2003-11-09Niels Möller  RETURN yarrow256_is_seeded(&THIS->ctx);
d745992003-08-05Martin Nilsson  }
9109472003-08-07Martin Nilsson  /*! @decl void force_reseed() *! By calling this function entropy is moved from the slow *! pool to the fast pool. Read more about Yarrow before using *! this. */
d745992003-08-05Martin Nilsson  PIKEFUN void force_reseed()
d7f88a2004-02-14Martin Nilsson  optflags OPT_SIDE_EFFECT;
d745992003-08-05Martin Nilsson  {
c9edeb2009-07-01Henrik Grubbström (Grubba) #ifdef HAVE_NETTLE_YARROW256_SLOW_RESEED /* From change notes for Nettle 2.0: * * * Changes to the yarrow256 interface. The function * yarrow256_force_reseed has been replaced by the two * functions yarrow256_fast_reseed and yarrow256_slow_reseed, * which were previously static. */ yarrow256_slow_reseed(&THIS->ctx); #else
49acab2003-11-09Niels Möller  yarrow256_force_reseed(&THIS->ctx);
c9edeb2009-07-01Henrik Grubbström (Grubba) #endif
d311272009-07-05Henrik Grubbström (Grubba)  pike_generate_seed_file();
d745992003-08-05Martin Nilsson  }
f6a6ad2013-12-08Henrik Grubbström (Grubba)  /*! @decl int(0..1) update(string(0..255) data, int source, int entropy)
9109472003-08-07Martin Nilsson  *! Inject additional entropy into the random number generator. *! *! @seealso *! @[create] */
f6a6ad2013-12-08Henrik Grubbström (Grubba)  PIKEFUN int(0..1) update(string(0..255) data, int source, int entropy)
d7f88a2004-02-14Martin Nilsson  optflags OPT_SIDE_EFFECT;
f1d8912003-08-06Martin Nilsson  {
d311272009-07-05Henrik Grubbström (Grubba)  int ret;
49acab2003-11-09Niels Möller  /* FIXME: Wide strings could actually be supported here */
f1d8912003-08-06Martin Nilsson  NO_WIDE_STRING(data);
49acab2003-11-09Niels Möller  if( !THIS->sources )
f1d8912003-08-06Martin Nilsson  Pike_error("This random generator has no sources.\n");
61e14b2004-01-23Martin Nilsson  if( source<0 || (unsigned)source>=THIS->ctx.nsources )
f1d8912003-08-06Martin Nilsson  Pike_error("Invalid random source.\n"); if( entropy<0 ) Pike_error("Entropy must be positive.\n");
9109472003-08-07Martin Nilsson  if( entropy>(data->len*8) ) Pike_error("Impossibly large entropy value.\n");
d311272009-07-05Henrik Grubbström (Grubba)  ret = yarrow256_update(&THIS->ctx, source, entropy, data->len, (const uint8_t *)data->str);
dce9da2010-05-26Jonas Wallden  if (ret) {
d311272009-07-05Henrik Grubbström (Grubba)  pike_generate_seed_file();
dce9da2010-05-26Jonas Wallden  }
d311272009-07-05Henrik Grubbström (Grubba)  RETURN ret;
f1d8912003-08-06Martin Nilsson  }
01a1ba2003-12-14Martin Nilsson  /*! @decl int(0..) needed_sources() *! The number of sources that must reach the threshold before a *! slow reseed will happen. */
d745992003-08-05Martin Nilsson  PIKEFUN int(0..) needed_sources()
d7f88a2004-02-14Martin Nilsson  optflags OPT_EXTERNAL_DEPEND;
d745992003-08-05Martin Nilsson  {
49acab2003-11-09Niels Möller  RETURN yarrow256_needed_sources(&THIS->ctx);
d745992003-08-05Martin Nilsson  }
5345c92013-05-19Martin Nilsson  /*! @decl string(0..255) random_string(int length)
d745992003-08-05Martin Nilsson  *! Returns a pseudo-random string of the requested @[length]. */
5345c92013-05-19Martin Nilsson  PIKEFUN string(0..255) random_string(int length)
d7f88a2004-02-14Martin Nilsson  optflags OPT_EXTERNAL_DEPEND|OPT_SIDE_EFFECT;
d745992003-08-05Martin Nilsson  { struct pike_string *rnd; if(length < 0) Pike_error("Invalid length, must be positive.\n");
49acab2003-11-09Niels Möller  if( !yarrow256_is_seeded(&THIS->ctx) )
d745992003-08-05Martin Nilsson  Pike_error("Random generator not seeded.\n"); rnd = begin_shared_string(length);
baac7d2006-01-07Martin Nilsson  yarrow256_random(&THIS->ctx, length, (uint8_t *)rnd->str);
6580032013-08-15Martin Nilsson  RETURN end_shared_string(rnd);
d745992003-08-05Martin Nilsson  } INIT {
49acab2003-11-09Niels Möller  THIS->sources = NULL; yarrow256_init(&THIS->ctx, 0, NULL);
d745992003-08-05Martin Nilsson  }
22038d2008-05-30Martin Nilsson 
d745992003-08-05Martin Nilsson  EXIT
d3df7c2008-05-30Martin Nilsson  gc_trivial;
d745992003-08-05Martin Nilsson  {
22038d2008-05-30Martin Nilsson  if( THIS->sources ) { free(THIS->sources); }
d745992003-08-05Martin Nilsson  } }
453a2b2014-04-05Martin Nilsson /*! @endclass */ #define INCREMENT(size, ctr) \ do { \ unsigned increment_i = (size) - 1; \ if (++(ctr)[increment_i] == 0) \ while (increment_i > 0 \ && ++(ctr)[--increment_i] == 0 ) \ ; \ } while (0) /*! @class Fortuna *! *! Implements the Fortuna PRNG generator, designed by Niels Ferguson and *! Bruce Schneier and described in Practical Cryptography. Web *! published exerpt at https://www.schneier.com:443/fortuna.pdf *! *! This implementation uses AES256 to generate output and SHA256 to *! generate keys. *! *! To use this class an entropy accumulator needs to be implemented *! and supply the @[reseed()] method with new entopy. */ PIKECLASS Fortuna { CVAR struct aes_ctx aes_ctx; CVAR struct sha256_ctx sha_ctx; CVAR uint8_t *key; CVAR uint8_t *ctr; CVAR uint8_t *data; DECLARE_STORAGE; void fortuna_generate() { aes_encrypt(&THIS->aes_ctx, 16, THIS->data, THIS->ctr); INCREMENT(16, THIS->ctr); } void fortuna_rekey() { fortuna_generate(); MEMCPY(THIS->key, THIS->data, 16); fortuna_generate(); MEMCPY(THIS->key+16, THIS->data, 16); aes_set_encrypt_key(&THIS->aes_ctx, AES256_KEY_SIZE, THIS->key); } /*! @decl void reseed(string(8bit) data) *! Generates new a new key based on the provided additional *! entropy. */ PIKEFUN void reseed(string(8bit) data) { sha256_update(&THIS->sha_ctx, 32, THIS->key); sha256_update(&THIS->sha_ctx, data->len, (const uint8_t *)data->str); sha256_digest(&THIS->sha_ctx, 32, THIS->key); aes_set_encrypt_key(&THIS->aes_ctx, AES256_KEY_SIZE, THIS->key); INCREMENT(16, THIS->ctr); } /*! @decl string(8bit) random_string(int(0..) len) *! *! Generates @[len] amount of pseudo random data. In contrast with *! the Fortuna PseudoRandomData function, which only allows 2^20 *! bytes of random data per call, the necessary rekey operations *! are here performed internally, so no such restrictions apply. */ PIKEFUN string(8bit) random_string(int(0..) len) { unsigned stored = 0; struct string_builder s; init_string_builder_alloc(&s, len+16, 0); while( stored < len ) { fortuna_generate(); string_builder_binary_strcat(&s, (const char *)THIS->data, MIN(16, (len-stored))); stored += 16; if( !(stored % (1<<20)) ) fortuna_rekey(); } fortuna_rekey(); RETURN finish_string_builder(&s); } INIT { THIS->ctr = xalloc(16); memset(THIS->ctr,0,16); THIS->key = xalloc(32); memset(THIS->key,0,32); aes_set_encrypt_key(&THIS->aes_ctx, AES256_KEY_SIZE, THIS->key); sha256_init(&THIS->sha_ctx); THIS->data = xalloc(16); } EXIT gc_trivial; { free(THIS->ctr); free(THIS->key); free(THIS->data); } }
d745992003-08-05Martin Nilsson /*! @endclass
01e1152003-03-12Niels Möller  */
f6a6ad2013-12-08Henrik Grubbström (Grubba) /*! @decl string(0..127) crypt_md5(string(0..255) password, @ *! string(0..255) salt,@ *! void|string(0..255) magic)
6580032013-08-15Martin Nilsson  *! Does the crypt_md5 abrakadabra (MD5 + snakeoil). It is assumed *! that @[salt] does not contain "$". *! *! The @[password] memory will be cleared before released.
3955a92003-08-24Martin Nilsson  */
f6a6ad2013-12-08Henrik Grubbström (Grubba) PIKEFUN string(0..127) crypt_md5(string(0..255) pw, string(0..255) salt, void|string(0..255) magic)
d7f88a2004-02-14Martin Nilsson  optflags OPT_TRY_OPTIMIZE;
3955a92003-08-24Martin Nilsson {
329a6f2004-02-21Martin Nilsson  char *hash;
3955a92003-08-24Martin Nilsson  NO_WIDE_STRING(pw); NO_WIDE_STRING(salt);
bb64932013-08-09Arne Goedeke  pw->flags |= STRING_CLEAR_ON_EXIT;
395c4a2012-07-25Martin Nilsson  if(!magic) { hash = pike_crypt_md5(pw->len, pw->str, salt->len, salt->str, 3, "$1$"); } else {
f6a6ad2013-12-08Henrik Grubbström (Grubba)  NO_WIDE_STRING(magic);
395c4a2012-07-25Martin Nilsson  hash = pike_crypt_md5(pw->len, pw->str, salt->len, salt->str, magic->len, magic->str); }
329a6f2004-02-21Martin Nilsson  push_text(hash);
3955a92003-08-24Martin Nilsson }
1ab4b12003-03-18Niels Möller /*! @endmodule */
770fee2003-03-12Henrik Grubbström (Grubba) 
654f152003-03-14Marcus Comstedt #endif /* HAVE_LIBNETTLE */
4e1f622003-03-13Niels Möller PIKE_MODULE_INIT {
099d682004-01-30Martin Nilsson #ifdef __NT__ struct program *nt_program = NULL; struct object *nt_object = NULL; #endif /* __NT__ */
4e1f622003-03-13Niels Möller  INIT;
654f152003-03-14Marcus Comstedt #ifdef HAVE_LIBNETTLE
4e1f622003-03-13Niels Möller  hash_init();
636c422003-03-18Niels Möller  cipher_init();
654f152003-03-14Marcus Comstedt #endif /* HAVE_LIBNETTLE */
099d682004-01-30Martin Nilsson #ifdef __NT__ start_new_program(); nt_init(); nt_program = end_program(); add_object_constant("NT", nt_object=clone_object(nt_program,0), 0); free_object(nt_object); free_program(nt_program); #endif /* __NT__ */
d5f6892013-11-24Martin Nilsson #ifdef HAVE_LIBHOGWEED hogweed_init(); #endif
4e1f622003-03-13Niels Möller } PIKE_MODULE_EXIT {
654f152003-03-14Marcus Comstedt #ifdef HAVE_LIBNETTLE
636c422003-03-18Niels Möller  cipher_exit();
4e1f622003-03-13Niels Möller  hash_exit();
654f152003-03-14Marcus Comstedt #endif /* HAVE_LIBNETTLE */
099d682004-01-30Martin Nilsson #ifdef __NT__ nt_exit(); #endif /* __NT__ */
d5f6892013-11-24Martin Nilsson #ifdef HAVE_LIBHOGWEED hogweed_exit(); #endif
4e1f622003-03-13Niels Möller  EXIT; }