Home Esplora Aiuto
Registrati Accedi
dayuan
/
manyi
6
0
Forka 0
File Problemi 0 Pull Requests 0 Wiki
Albero (Tree): 34216f9fac
Rami (Branch) Tag
manyi
/
venv
/
Lib
/
site-packages
/
Crypto
/
Random
/
Fortuna
/
FortunaAccumulator.py

FortunaAccumulator.py 6.6 KB
Cronologia Originale

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171 
  1. # -*- coding: ascii -*-
    2. 

  2. #
    3. 

  3. #  FortunaAccumulator.py : Fortuna's internal accumulator
    4. 

  4. #
    5. 

  5. # Written in 2008 by Dwayne C. Litzenberger <dlitz@dlitz.net>
    6. 

  6. #
    7. 

  7. # ===================================================================
    8. 

  8. # The contents of this file are dedicated to the public domain.  To
    9. 

  9. # the extent that dedication to the public domain is not available,
    10. 

  10. # everyone is granted a worldwide, perpetual, royalty-free,
    11. 

  11. # non-exclusive license to exercise all rights associated with the
    12. 

  12. # contents of this file for any purpose whatsoever.
    13. 

  13. # No rights are reserved.
    14. 

  14. #
    15. 

  15. # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
    16. 

  16. # EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
    17. 

  17. # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
    18. 

  18. # NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
    19. 

  19. # BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
    20. 

  20. # ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
    21. 

  21. # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    22. 

  22. # SOFTWARE.
    23. 

  23. # ===================================================================
    24. 

  24. 

  25. __revision__ = "$Id$"
    26. 

  26. 

  27. import sys
    28. 

  28. if sys.version_info[0] == 2 and sys.version_info[1] == 1:
    29. 

  29.     from Crypto.Util.py21compat import *
    30. 

  30. from Crypto.Util.py3compat import *
    31. 

  31.     
    32. 

  32. from binascii import b2a_hex
    33. 

  33. import time
    34. 

  34. import warnings
    35. 

  35. 

  36. from Crypto.pct_warnings import ClockRewindWarning
    37. 

  37. import SHAd256
    38. 

  38. 

  39. import FortunaGenerator
    40. 

  40. 

  41. class FortunaPool(object):
    42. 

  42.     """Fortuna pool type
    43. 

  43. 

  44.     This object acts like a hash object, with the following differences:
    45. 

  45. 

  46.         - It keeps a count (the .length attribute) of the number of bytes that
    47. 

  47.           have been added to the pool
    48. 

  48.         - It supports a .reset() method for in-place reinitialization
    49. 

  49.         - The method to add bytes to the pool is .append(), not .update().
    50. 

  50.     """
    51. 

  51. 

  52.     digest_size = SHAd256.digest_size
    53. 

  53. 

  54.     def __init__(self):
    55. 

  55.         self.reset()
    56. 

  56. 

  57.     def append(self, data):
    58. 

  58.         self._h.update(data)
    59. 

  59.         self.length += len(data)
    60. 

  60. 

  61.     def digest(self):
    62. 

  62.         return self._h.digest()
    63. 

  63. 

  64.     def hexdigest(self):
    65. 

  65.         if sys.version_info[0] == 2:
    66. 

  66.             return b2a_hex(self.digest())
    67. 

  67.         else:
    68. 

  68.             return b2a_hex(self.digest()).decode()
    69. 

  69. 

  70.     def reset(self):
    71. 

  71.         self._h = SHAd256.new()
    72. 

  72.         self.length = 0
    73. 

  73. 

  74. def which_pools(r):
    75. 

  75.     """Return a list of pools indexes (in range(32)) that are to be included during reseed number r.
    76. 

  76. 

  77.     According to _Practical Cryptography_, chapter 10.5.2 "Pools":
    78. 

  78. 

  79.         "Pool P_i is included if 2**i is a divisor of r.  Thus P_0 is used
    80. 

  80.         every reseed, P_1 every other reseed, P_2 every fourth reseed, etc."
    81. 

  81.     """
    82. 

  82.     # This is a separate function so that it can be unit-tested.
    83. 

  83.     assert r >= 1
    84. 

  84.     retval = []
    85. 

  85.     mask = 0
    86. 

  86.     for i in range(32):
    87. 

  87.         # "Pool P_i is included if 2**i is a divisor of [reseed_count]"
    88. 

  88.         if (r & mask) == 0:
    89. 

  89.             retval.append(i)
    90. 

  90.         else:
    91. 

  91.             break   # optimization.  once this fails, it always fails
    92. 

  92.         mask = (mask << 1) | 1L
    93. 

  93.     return retval
    94. 

  94. 

  95. class FortunaAccumulator(object):
    96. 

  96. 

  97.     # An estimate of how many bytes we must append to pool 0 before it will
    98. 

  98.     # contain 128 bits of entropy (with respect to an attack).  We reseed the
    99. 

  99.     # generator only after pool 0 contains `min_pool_size` bytes.  Note that
    100. 

  100.     # unlike with some other PRNGs, Fortuna's security does not rely on the
    101. 

  101.     # accuracy of this estimate---we can accord to be optimistic here.
    102. 

  102.     min_pool_size = 64  # size in bytes
    103. 

  103. 

  104.     # If an attacker can predict some (but not all) of our entropy sources, the
    105. 

  105.     # `min_pool_size` check may not be sufficient to prevent a successful state
    106. 

  106.     # compromise extension attack.  To resist this attack, Fortuna spreads the
    107. 

  107.     # input across 32 pools, which are then consumed (to reseed the output
    108. 

  108.     # generator) with exponentially decreasing frequency.
    109. 

  109.     #
    110. 

  110.     # In order to prevent an attacker from gaining knowledge of all 32 pools
    111. 

  111.     # before we have a chance to fill them with enough information that the
    112. 

  112.     # attacker cannot predict, we impose a rate limit of 10 reseeds/second (one
    113. 

  113.     # per 100 ms).  This ensures that a hypothetical 33rd pool would only be
    114. 

  114.     # needed after a minimum of 13 years of sustained attack.
    115. 

  115.     reseed_interval = 0.100     # time in seconds
    116. 

  116. 

  117.     def __init__(self):
    118. 

  118.         self.reseed_count = 0
    119. 

  119.         self.generator = FortunaGenerator.AESGenerator()
    120. 

  120.         self.last_reseed = None
    121. 

  121. 

  122.         # Initialize 32 FortunaPool instances.
    123. 

  123.         # NB: This is _not_ equivalent to [FortunaPool()]*32, which would give
    124. 

  124.         # us 32 references to the _same_ FortunaPool instance (and cause the
    125. 

  125.         # assertion below to fail).
    126. 

  126.         self.pools = [FortunaPool() for i in range(32)]     # 32 pools
    127. 

  127.         assert(self.pools[0] is not self.pools[1])
    128. 

  128. 

  129.     def _forget_last_reseed(self):
    130. 

  130.         # This is not part of the standard Fortuna definition, and using this
    131. 

  131.         # function frequently can weaken Fortuna's ability to resist a state
    132. 

  132.         # compromise extension attack, but we need this in order to properly
    133. 

  133.         # implement Crypto.Random.atfork().  Otherwise, forked child processes
    134. 

  134.         # might continue to use their parent's PRNG state for up to 100ms in
    135. 

  135.         # some cases. (e.g. CVE-2013-1445)
    136. 

  136.         self.last_reseed = None
    137. 

  137. 

  138.     def random_data(self, bytes):
    139. 

  139.         current_time = time.time()
    140. 

  140.         if (self.last_reseed is not None and self.last_reseed > current_time): # Avoid float comparison to None to make Py3k happy
    141. 

  141.             warnings.warn("Clock rewind detected. Resetting last_reseed.", ClockRewindWarning)
    142. 

  142.             self.last_reseed = None
    143. 

  143.         if (self.pools[0].length >= self.min_pool_size and
    144. 

  144.             (self.last_reseed is None or
    145. 

  145.              current_time > self.last_reseed + self.reseed_interval)):
    146. 

  146.             self._reseed(current_time)
    147. 

  147.         # The following should fail if we haven't seeded the pool yet.
    148. 

  148.         return self.generator.pseudo_random_data(bytes)
    149. 

  149. 

  150.     def _reseed(self, current_time=None):
    151. 

  151.         if current_time is None:
    152. 

  152.             current_time = time.time()
    153. 

  153.         seed = []
    154. 

  154.         self.reseed_count += 1
    155. 

  155.         self.last_reseed = current_time
    156. 

  156.         for i in which_pools(self.reseed_count):
    157. 

  157.             seed.append(self.pools[i].digest())
    158. 

  158.             self.pools[i].reset()
    159. 

  159. 

  160.         seed = b("").join(seed)
    161. 

  161.         self.generator.reseed(seed)
    162. 

  162. 

  163.     def add_random_event(self, source_number, pool_number, data):
    164. 

  164.         assert 1 <= len(data) <= 32
    165. 

  165.         assert 0 <= source_number <= 255
    166. 

  166.         assert 0 <= pool_number <= 31
    167. 

  167.         self.pools[pool_number].append(bchr(source_number))
    168. 

  168.         self.pools[pool_number].append(bchr(len(data)))
    169. 

  169.         self.pools[pool_number].append(data)
    170. 

  170. 

  171. # vim:set ts=4 sw=4 sts=4 expandtab:
    172.