Add initial bindings to hashing algorithms, and add code style

[Kleidukos]

This PR brings:

• Code guidelines for C FFI
• Proper license for IOG / Cardano code
• Bindings to hashing algorithms
  • Blake2b
  • SHA-256
  • SHA-512

Dependencies

• Get an answer regarding SHA256, SHA512 & Ed25519ph's usability
• c2hs fails to produce the correct alignment  haskell/c2hs#272
• Data.Ix.Ix instances for the Foreign.C.Type newtypes haskell/core-libraries-committee#30

[Kleidukos]

Put that in its own module

[Kleidukos]

Everything goes

[Kleidukos]

Irrelevant

[Kleidukos]

That can go away

[Kleidukos]

That goes away

[Kleidukos]

Use the real C types instead of SizedPtr

[Kleidukos]

Document each parameter and their relation.

[Kleidukos]

1. Out parameter, this is where the result of the hash will go
2. Length of the result
3. In parameter ,what you want to hash
4. Length of what you want to hash
5. Key
6. Length of the key

[Kleidukos]

So, I'm a little worried here because:

• The only signing algorithm here is Ed25519ph
• The RFC says about *ph variants:

The Ed25519ph and Ed448ph variants are prehashed. […] These variants SHOULD NOT be used.

• The crypto state is based on crypto_hash_sha512_state

typedef struct crypto_sign_ed25519ph_state {
    crypto_hash_sha512_state hs;
} crypto_sign_ed25519ph_state;

• But the sha512 file starts with this warning:

/*
 * WARNING: Unless you absolutely need to use SHA512 for interoperability,
 * purposes, you might want to consider crypto_generichash() instead.
 * Unlike SHA512, crypto_generichash() is not vulnerable to length
 * extension attacks.
 */

@jmcardon Am I missing anything? Does that mean we should provide signing from another backend?

[ghost]

Should these correspond to each other?

[ghost]

How do we ensure that users of the library call this? it would be nice to make sure it's run when the program starts without having to remember to do anything.

[Kleidukos]

@jmcardon and @kozross suggested a secureMain function just like other defaultMain functions that exist, where the sodium_init function is called. Something like

main :: IO ()
main = secureMain $ do
  rest of the function

[kozross]

Yeah, I think that's the easiest way. You can (and indeed, should) also document that c_sodium_init must be called before any other functionality is used for those who don't want to use secureMain.

[Kleidukos]

Yes

[ghost]

It's hard to tell if these should be safe or unsafe, it feels like for small inputs unsafe would be fine, but if someone mmaps a 4TB file and hashes it, this is going to be problematic. I'd thought about exposing both and then on the Haskell side choosing based on the data size. Whether the runtime of hashing algorithms has security concerns I have no idea...

[Kleidukos]

Good thinking

[kozross]

I'd say this is a case of 'offer both options, explain why they're different' for sure. Automagical deciding could be done at a higher level, but even then, I'm not sure if it's a good idea.

[ghost]

Any chance this could be a memcpy? https://hackage.haskell.org/package/base-4.16.0.0/docs/Foreign-Marshal-Utils.html#v:copyBytes

[Kleidukos]

Actually I'd rather generate those with c2hs, these are not here to stay. :)

[ghost]

Might be a useful thing to get added to base

[Kleidukos]

You don't say: https://gitlab.haskell.org/ghc/ghc/-/issues/20934

[kozross]

I'm honestly surprised these don't exist already.