[tor-commits] [tor/master] crypto: Refactor (P)RNG functionality into new crypto_rand module.
nickm at torproject.org
nickm at torproject.org
Thu May 3 17:58:40 UTC 2018
commit fe3aca149191f2eac410caa7113fb6f7e0804d8c
Author: Isis Lovecruft <isis at torproject.org>
Date: Fri Apr 6 21:23:29 2018 +0000
crypto: Refactor (P)RNG functionality into new crypto_rand module.
* ADD new /src/common/crypto_rand.[ch] module.
* ADD new /src/common/crypto_util.[ch] module (contains the memwipe()
function, since all crypto_* modules need this).
* FIXES part of #24658: https://bugs.torproject.org/24658
---
src/common/address_set.c | 2 +-
src/common/compat_libevent.c | 2 +-
src/common/crypto.c | 602 +-------------------
src/common/crypto.h | 36 --
src/common/crypto_curve25519.c | 2 +
src/common/crypto_digest.c | 9 +-
src/common/crypto_ed25519.c | 2 +
src/common/crypto_format.c | 1 +
src/common/crypto_pwbox.c | 2 +
src/common/crypto_rand.c | 609 +++++++++++++++++++++
src/common/crypto_rand.h | 53 ++
src/common/crypto_rsa.c | 2 +
src/common/crypto_s2k.c | 2 +
src/common/crypto_util.c | 105 ++++
src/common/crypto_util.h | 27 +
src/common/include.am | 4 +
src/common/tortls.c | 2 +
src/common/workqueue.c | 2 +-
src/ext/ed25519/donna/ed25519-randombytes-custom.h | 2 +-
src/ext/ed25519/donna/ed25519_tor.c | 2 +
src/ext/ed25519/ref10/blinding.c | 2 +-
src/ext/ed25519/ref10/keypair.c | 3 +
src/ext/keccak-tiny/keccak-tiny-unrolled.c | 2 +-
src/or/addressmap.c | 1 +
src/or/channelpadding.c | 1 +
src/or/circpathbias.c | 1 +
src/or/circuitbuild.c | 2 +-
src/or/circuitlist.c | 2 +
src/or/circuitstats.c | 1 +
src/or/command.c | 1 +
src/or/config.c | 2 +
src/or/connection.c | 1 +
src/or/connection_edge.c | 1 +
src/or/connection_or.c | 2 +
src/or/conscache.c | 1 +
src/or/control.c | 2 +
src/or/cpuworker.c | 2 +
src/or/directory.c | 2 +
src/or/dns.c | 1 +
src/or/dos.c | 1 +
src/or/entrynodes.c | 1 +
src/or/ext_orport.c | 2 +
src/or/hibernate.c | 1 +
src/or/hs_cache.c | 1 +
src/or/hs_cell.c | 1 +
src/or/hs_circuit.c | 2 +
src/or/hs_client.c | 2 +
src/or/hs_common.c | 2 +
src/or/hs_control.c | 1 +
src/or/hs_descriptor.c | 2 +
src/or/hs_descriptor.h | 1 +
src/or/hs_ident.c | 1 +
src/or/hs_ntor.c | 1 +
src/or/hs_service.c | 2 +
src/or/main.c | 1 +
src/or/networkstatus.c | 2 +
src/or/onion.c | 1 +
src/or/onion_fast.c | 2 +
src/or/onion_ntor.c | 1 +
src/or/onion_tap.c | 2 +
src/or/proto_socks.c | 1 +
src/or/relay.c | 2 +
src/or/rendclient.c | 2 +
src/or/rendcommon.c | 2 +
src/or/rendservice.c | 2 +
src/or/rephist.c | 1 +
src/or/router.c | 2 +
src/or/routerkeys.c | 1 +
src/or/routerlist.c | 1 +
src/or/routerparse.c | 1 +
src/or/shared_random.c | 2 +
src/or/shared_random_state.c | 1 +
src/or/torcert.c | 2 +-
src/test/bench.c | 1 +
src/test/rend_test_helpers.c | 1 +
src/test/test-memwipe.c | 2 +-
src/test/test-timers.c | 2 +-
src/test/test.c | 1 +
src/test/test_address_set.c | 1 +
src/test/test_buffers.c | 1 +
src/test/test_cell_formats.c | 1 +
src/test/test_channel.c | 1 +
src/test/test_consdiffmgr.c | 1 +
src/test/test_containers.c | 1 +
src/test/test_crypto.c | 3 +-
src/test/test_crypto_openssl.c | 4 +-
src/test/test_crypto_slow.c | 1 +
src/test/test_dir.c | 1 +
src/test/test_dos.c | 1 +
src/test/test_entrynodes.c | 1 +
src/test/test_extorport.c | 1 +
src/test/test_helpers.c | 1 +
src/test/test_hs_cell.c | 1 +
src/test/test_hs_common.c | 1 +
src/test/test_hs_descriptor.c | 1 +
src/test/test_hs_intropoint.c | 2 +-
src/test/test_hs_service.c | 2 +-
src/test/test_nodelist.c | 1 +
src/test/test_oom.c | 1 +
src/test/test_routerlist.c | 1 +
src/test/test_shared_random.c | 1 +
src/test/test_storagedir.c | 1 +
src/test/test_util.c | 1 +
src/test/test_util_format.c | 1 +
src/test/test_workqueue.c | 2 +-
src/test/testing_common.c | 1 +
src/test/testing_rsakeys.c | 1 +
src/tools/tor-gencert.c | 2 +
src/trunnel/trunnel-local.h | 2 +-
109 files changed, 939 insertions(+), 657 deletions(-)
diff --git a/src/common/address_set.c b/src/common/address_set.c
index f61fa294e..b2f4bb4c9 100644
--- a/src/common/address_set.c
+++ b/src/common/address_set.c
@@ -15,7 +15,7 @@
#include "address.h"
#include "compat.h"
#include "container.h"
-#include "crypto.h"
+#include "crypto_rand.h"
#include "util.h"
#include "siphash.h"
diff --git a/src/common/compat_libevent.c b/src/common/compat_libevent.c
index 735385557..6d8cac70e 100644
--- a/src/common/compat_libevent.c
+++ b/src/common/compat_libevent.c
@@ -11,7 +11,7 @@
#define COMPAT_LIBEVENT_PRIVATE
#include "compat_libevent.h"
-#include "crypto.h"
+#include "crypto_rand.h"
#include "util.h"
#include "torlog.h"
diff --git a/src/common/crypto.c b/src/common/crypto.c
index 9fcd17742..8d5897e49 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -28,8 +28,10 @@
#include "crypto_curve25519.h"
#include "crypto_ed25519.h"
#include "crypto_format.h"
+#include "crypto_rand.h"
#include "crypto_rsa.h"
#include "crypto_digest.h"
+#include "crypto_util.h"
DISABLE_GCC_WARNING(redundant-decls)
@@ -38,7 +40,6 @@ DISABLE_GCC_WARNING(redundant-decls)
#include <openssl/pem.h>
#include <openssl/evp.h>
#include <openssl/engine.h>
-#include <openssl/rand.h>
#include <openssl/bn.h>
#include <openssl/dh.h>
#include <openssl/conf.h>
@@ -60,12 +61,6 @@ ENABLE_GCC_WARNING(redundant-decls)
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
-#ifdef HAVE_FCNTL_H
-#include <fcntl.h>
-#endif
-#ifdef HAVE_SYS_FCNTL_H
-#include <sys/fcntl.h>
-#endif
#ifdef HAVE_SYS_SYSCALL_H
#include <sys/syscall.h>
#endif
@@ -84,12 +79,6 @@ ENABLE_GCC_WARNING(redundant-decls)
#include "keccak-tiny/keccak-tiny.h"
-/** Longest recognized */
-#define MAX_DNS_LABEL_SIZE 63
-
-/** Largest strong entropy request */
-#define MAX_STRONGEST_RAND_SIZE 256
-
/** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
* while we're waiting for the second.*/
struct crypto_dh_t {
@@ -162,23 +151,6 @@ try_load_engine(const char *path, const char *engine)
}
#endif /* !defined(DISABLE_ENGINES) */
-/** Make sure that openssl is using its default PRNG. Return 1 if we had to
- * adjust it; 0 otherwise. */
-STATIC int
-crypto_force_rand_ssleay(void)
-{
- RAND_METHOD *default_method;
- default_method = RAND_OpenSSL();
- if (RAND_get_rand_method() != default_method) {
- log_notice(LD_CRYPTO, "It appears that one of our engines has provided "
- "a replacement the OpenSSL RNG. Resetting it to the default "
- "implementation.");
- RAND_set_rand_method(default_method);
- return 1;
- }
- return 0;
-}
-
static int have_seeded_siphash = 0;
/** Set up the siphash key if we haven't already done so. */
@@ -1083,576 +1055,6 @@ crypto_dh_free_(crypto_dh_t *dh)
tor_free(dh);
}
-/* random numbers */
-
-/** How many bytes of entropy we add at once.
- *
- * This is how much entropy OpenSSL likes to add right now, so maybe it will
- * work for us too. */
-#define ADD_ENTROPY 32
-
-/** Set the seed of the weak RNG to a random value. */
-void
-crypto_seed_weak_rng(tor_weak_rng_t *rng)
-{
- unsigned seed;
- crypto_rand((void*)&seed, sizeof(seed));
- tor_init_weak_random(rng, seed);
-}
-
-#ifdef TOR_UNIT_TESTS
-int break_strongest_rng_syscall = 0;
-int break_strongest_rng_fallback = 0;
-#endif
-
-/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
- * via system calls, storing it into <b>out</b>. Return 0 on success, -1 on
- * failure. A maximum request size of 256 bytes is imposed.
- */
-static int
-crypto_strongest_rand_syscall(uint8_t *out, size_t out_len)
-{
- tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
-
- /* We only log at notice-level here because in the case that this function
- * fails the crypto_strongest_rand_raw() caller will log with a warning-level
- * message and let crypto_strongest_rand() error out and finally terminating
- * Tor with an assertion error.
- */
-
-#ifdef TOR_UNIT_TESTS
- if (break_strongest_rng_syscall)
- return -1;
-#endif
-
-#if defined(_WIN32)
- static int provider_set = 0;
- static HCRYPTPROV provider;
-
- if (!provider_set) {
- if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
- CRYPT_VERIFYCONTEXT)) {
- log_notice(LD_CRYPTO, "Unable to set Windows CryptoAPI provider [1].");
- return -1;
- }
- provider_set = 1;
- }
- if (!CryptGenRandom(provider, out_len, out)) {
- log_notice(LD_CRYPTO, "Unable get entropy from the Windows CryptoAPI.");
- return -1;
- }
-
- return 0;
-#elif defined(__linux__) && defined(SYS_getrandom)
- static int getrandom_works = 1; /* Be optimistic about our chances... */
-
- /* getrandom() isn't as straightforward as getentropy(), and has
- * no glibc wrapper.
- *
- * As far as I can tell from getrandom(2) and the source code, the
- * requests we issue will always succeed (though it will block on the
- * call if /dev/urandom isn't seeded yet), since we are NOT specifying
- * GRND_NONBLOCK and the request is <= 256 bytes.
- *
- * The manpage is unclear on what happens if a signal interrupts the call
- * while the request is blocked due to lack of entropy....
- *
- * We optimistically assume that getrandom() is available and functional
- * because it is the way of the future, and 2 branch mispredicts pale in
- * comparison to the overheads involved with failing to open
- * /dev/srandom followed by opening and reading from /dev/urandom.
- */
- if (PREDICT_LIKELY(getrandom_works)) {
- long ret;
- /* A flag of '0' here means to read from '/dev/urandom', and to
- * block if insufficient entropy is available to service the
- * request.
- */
- const unsigned int flags = 0;
- do {
- ret = syscall(SYS_getrandom, out, out_len, flags);
- } while (ret == -1 && ((errno == EINTR) ||(errno == EAGAIN)));
-
- if (PREDICT_UNLIKELY(ret == -1)) {
- /* LCOV_EXCL_START we can't actually make the syscall fail in testing. */
- tor_assert(errno != EAGAIN);
- tor_assert(errno != EINTR);
-
- /* Useful log message for errno. */
- if (errno == ENOSYS) {
- log_notice(LD_CRYPTO, "Can't get entropy from getrandom()."
- " You are running a version of Tor built to support"
- " getrandom(), but the kernel doesn't implement this"
- " function--probably because it is too old?"
- " Trying fallback method instead.");
- } else {
- log_notice(LD_CRYPTO, "Can't get entropy from getrandom(): %s."
- " Trying fallback method instead.",
- strerror(errno));
- }
-
- getrandom_works = 0; /* Don't bother trying again. */
- return -1;
- /* LCOV_EXCL_STOP */
- }
-
- tor_assert(ret == (long)out_len);
- return 0;
- }
-
- return -1; /* getrandom() previously failed unexpectedly. */
-#elif defined(HAVE_GETENTROPY)
- /* getentropy() is what Linux's getrandom() wants to be when it grows up.
- * the only gotcha is that requests are limited to 256 bytes.
- */
- return getentropy(out, out_len);
-#else
- (void) out;
-#endif /* defined(_WIN32) || ... */
-
- /* This platform doesn't have a supported syscall based random. */
- return -1;
-}
-
-/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
- * via the per-platform fallback mechanism, storing it into <b>out</b>.
- * Return 0 on success, -1 on failure. A maximum request size of 256 bytes
- * is imposed.
- */
-static int
-crypto_strongest_rand_fallback(uint8_t *out, size_t out_len)
-{
-#ifdef TOR_UNIT_TESTS
- if (break_strongest_rng_fallback)
- return -1;
-#endif
-
-#ifdef _WIN32
- /* Windows exclusively uses crypto_strongest_rand_syscall(). */
- (void)out;
- (void)out_len;
- return -1;
-#else /* !(defined(_WIN32)) */
- static const char *filenames[] = {
- "/dev/srandom", "/dev/urandom", "/dev/random", NULL
- };
- int fd, i;
- size_t n;
-
- for (i = 0; filenames[i]; ++i) {
- log_debug(LD_FS, "Considering %s as entropy source", filenames[i]);
- fd = open(sandbox_intern_string(filenames[i]), O_RDONLY, 0);
- if (fd<0) continue;
- log_info(LD_CRYPTO, "Reading entropy from \"%s\"", filenames[i]);
- n = read_all(fd, (char*)out, out_len, 0);
- close(fd);
- if (n != out_len) {
- /* LCOV_EXCL_START
- * We can't make /dev/foorandom actually fail. */
- log_notice(LD_CRYPTO,
- "Error reading from entropy source %s (read only %lu bytes).",
- filenames[i],
- (unsigned long)n);
- return -1;
- /* LCOV_EXCL_STOP */
- }
-
- return 0;
- }
-
- return -1;
-#endif /* defined(_WIN32) */
-}
-
-/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
- * storing it into <b>out</b>. Return 0 on success, -1 on failure. A maximum
- * request size of 256 bytes is imposed.
- */
-STATIC int
-crypto_strongest_rand_raw(uint8_t *out, size_t out_len)
-{
- static const size_t sanity_min_size = 16;
- static const int max_attempts = 3;
- tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
-
- /* For buffers >= 16 bytes (128 bits), we sanity check the output by
- * zero filling the buffer and ensuring that it actually was at least
- * partially modified.
- *
- * Checking that any individual byte is non-zero seems like it would
- * fail too often (p = out_len * 1/256) for comfort, but this is an
- * "adjust according to taste" sort of check.
- */
- memwipe(out, 0, out_len);
- for (int i = 0; i < max_attempts; i++) {
- /* Try to use the syscall/OS favored mechanism to get strong entropy. */
- if (crypto_strongest_rand_syscall(out, out_len) != 0) {
- /* Try to use the less-favored mechanism to get strong entropy. */
- if (crypto_strongest_rand_fallback(out, out_len) != 0) {
- /* Welp, we tried. Hopefully the calling code terminates the process
- * since we're basically boned without good entropy.
- */
- log_warn(LD_CRYPTO,
- "Cannot get strong entropy: no entropy source found.");
- return -1;
- }
- }
-
- if ((out_len < sanity_min_size) || !tor_mem_is_zero((char*)out, out_len))
- return 0;
- }
-
- /* LCOV_EXCL_START
- *
- * We tried max_attempts times to fill a buffer >= 128 bits long,
- * and each time it returned all '0's. Either the system entropy
- * source is busted, or the user should go out and buy a ticket to
- * every lottery on the planet.
- */
- log_warn(LD_CRYPTO, "Strong OS entropy returned all zero buffer.");
-
- return -1;
- /* LCOV_EXCL_STOP */
-}
-
-/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
- * storing it into <b>out</b>.
- */
-void
-crypto_strongest_rand(uint8_t *out, size_t out_len)
-{
-#define DLEN SHA512_DIGEST_LENGTH
- /* We're going to hash DLEN bytes from the system RNG together with some
- * bytes from the openssl PRNG, in order to yield DLEN bytes.
- */
- uint8_t inp[DLEN*2];
- uint8_t tmp[DLEN];
- tor_assert(out);
- while (out_len) {
- crypto_rand((char*) inp, DLEN);
- if (crypto_strongest_rand_raw(inp+DLEN, DLEN) < 0) {
- // LCOV_EXCL_START
- log_err(LD_CRYPTO, "Failed to load strong entropy when generating an "
- "important key. Exiting.");
- /* Die with an assertion so we get a stack trace. */
- tor_assert(0);
- // LCOV_EXCL_STOP
- }
- if (out_len >= DLEN) {
- SHA512(inp, sizeof(inp), out);
- out += DLEN;
- out_len -= DLEN;
- } else {
- SHA512(inp, sizeof(inp), tmp);
- memcpy(out, tmp, out_len);
- break;
- }
- }
- memwipe(tmp, 0, sizeof(tmp));
- memwipe(inp, 0, sizeof(inp));
-#undef DLEN
-}
-
-/** Seed OpenSSL's random number generator with bytes from the operating
- * system. Return 0 on success, -1 on failure.
- */
-int
-crypto_seed_rng(void)
-{
- int rand_poll_ok = 0, load_entropy_ok = 0;
- uint8_t buf[ADD_ENTROPY];
-
- /* OpenSSL has a RAND_poll function that knows about more kinds of
- * entropy than we do. We'll try calling that, *and* calling our own entropy
- * functions. If one succeeds, we'll accept the RNG as seeded. */
- rand_poll_ok = RAND_poll();
- if (rand_poll_ok == 0)
- log_warn(LD_CRYPTO, "RAND_poll() failed."); // LCOV_EXCL_LINE
-
- load_entropy_ok = !crypto_strongest_rand_raw(buf, sizeof(buf));
- if (load_entropy_ok) {
- RAND_seed(buf, sizeof(buf));
- }
-
- memwipe(buf, 0, sizeof(buf));
-
- if ((rand_poll_ok || load_entropy_ok) && RAND_status() == 1)
- return 0;
- else
- return -1;
-}
-
-/** Write <b>n</b> bytes of strong random data to <b>to</b>. Supports mocking
- * for unit tests.
- *
- * This function is not allowed to fail; if it would fail to generate strong
- * entropy, it must terminate the process instead.
- */
-MOCK_IMPL(void,
-crypto_rand, (char *to, size_t n))
-{
- crypto_rand_unmocked(to, n);
-}
-
-/** Write <b>n</b> bytes of strong random data to <b>to</b>. Most callers
- * will want crypto_rand instead.
- *
- * This function is not allowed to fail; if it would fail to generate strong
- * entropy, it must terminate the process instead.
- */
-void
-crypto_rand_unmocked(char *to, size_t n)
-{
- int r;
- if (n == 0)
- return;
-
- tor_assert(n < INT_MAX);
- tor_assert(to);
- r = RAND_bytes((unsigned char*)to, (int)n);
- /* We consider a PRNG failure non-survivable. Let's assert so that we get a
- * stack trace about where it happened.
- */
- tor_assert(r >= 0);
-}
-
-/** Return a pseudorandom integer, chosen uniformly from the values
- * between 0 and <b>max</b>-1 inclusive. <b>max</b> must be between 1 and
- * INT_MAX+1, inclusive. */
-int
-crypto_rand_int(unsigned int max)
-{
- unsigned int val;
- unsigned int cutoff;
- tor_assert(max <= ((unsigned int)INT_MAX)+1);
- tor_assert(max > 0); /* don't div by 0 */
-
- /* We ignore any values that are >= 'cutoff,' to avoid biasing the
- * distribution with clipping at the upper end of unsigned int's
- * range.
- */
- cutoff = UINT_MAX - (UINT_MAX%max);
- while (1) {
- crypto_rand((char*)&val, sizeof(val));
- if (val < cutoff)
- return val % max;
- }
-}
-
-/** Return a pseudorandom integer, chosen uniformly from the values i such
- * that min <= i < max.
- *
- * <b>min</b> MUST be in range [0, <b>max</b>).
- * <b>max</b> MUST be in range (min, INT_MAX].
- */
-int
-crypto_rand_int_range(unsigned int min, unsigned int max)
-{
- tor_assert(min < max);
- tor_assert(max <= INT_MAX);
-
- /* The overflow is avoided here because crypto_rand_int() returns a value
- * between 0 and (max - min) inclusive. */
- return min + crypto_rand_int(max - min);
-}
-
-/** As crypto_rand_int_range, but supports uint64_t. */
-uint64_t
-crypto_rand_uint64_range(uint64_t min, uint64_t max)
-{
- tor_assert(min < max);
- return min + crypto_rand_uint64(max - min);
-}
-
-/** As crypto_rand_int_range, but supports time_t. */
-time_t
-crypto_rand_time_range(time_t min, time_t max)
-{
- tor_assert(min < max);
- return min + (time_t)crypto_rand_uint64(max - min);
-}
-
-/** Return a pseudorandom 64-bit integer, chosen uniformly from the values
- * between 0 and <b>max</b>-1 inclusive. */
-uint64_t
-crypto_rand_uint64(uint64_t max)
-{
- uint64_t val;
- uint64_t cutoff;
- tor_assert(max < UINT64_MAX);
- tor_assert(max > 0); /* don't div by 0 */
-
- /* We ignore any values that are >= 'cutoff,' to avoid biasing the
- * distribution with clipping at the upper end of unsigned int's
- * range.
- */
- cutoff = UINT64_MAX - (UINT64_MAX%max);
- while (1) {
- crypto_rand((char*)&val, sizeof(val));
- if (val < cutoff)
- return val % max;
- }
-}
-
-/** Return a pseudorandom double d, chosen uniformly from the range
- * 0.0 <= d < 1.0.
- */
-double
-crypto_rand_double(void)
-{
- /* We just use an unsigned int here; we don't really care about getting
- * more than 32 bits of resolution */
- unsigned int u;
- crypto_rand((char*)&u, sizeof(u));
-#if SIZEOF_INT == 4
-#define UINT_MAX_AS_DOUBLE 4294967296.0
-#elif SIZEOF_INT == 8
-#define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
-#else
-#error SIZEOF_INT is neither 4 nor 8
-#endif /* SIZEOF_INT == 4 || ... */
- return ((double)u) / UINT_MAX_AS_DOUBLE;
-}
-
-/** Generate and return a new random hostname starting with <b>prefix</b>,
- * ending with <b>suffix</b>, and containing no fewer than
- * <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
- * characters. Does not check for failure.
- *
- * Clip <b>max_rand_len</b> to MAX_DNS_LABEL_SIZE.
- **/
-char *
-crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix,
- const char *suffix)
-{
- char *result, *rand_bytes;
- int randlen, rand_bytes_len;
- size_t resultlen, prefixlen;
-
- if (max_rand_len > MAX_DNS_LABEL_SIZE)
- max_rand_len = MAX_DNS_LABEL_SIZE;
- if (min_rand_len > max_rand_len)
- min_rand_len = max_rand_len;
-
- randlen = crypto_rand_int_range(min_rand_len, max_rand_len+1);
-
- prefixlen = strlen(prefix);
- resultlen = prefixlen + strlen(suffix) + randlen + 16;
-
- rand_bytes_len = ((randlen*5)+7)/8;
- if (rand_bytes_len % 5)
- rand_bytes_len += 5 - (rand_bytes_len%5);
- rand_bytes = tor_malloc(rand_bytes_len);
- crypto_rand(rand_bytes, rand_bytes_len);
-
- result = tor_malloc(resultlen);
- memcpy(result, prefix, prefixlen);
- base32_encode(result+prefixlen, resultlen-prefixlen,
- rand_bytes, rand_bytes_len);
- tor_free(rand_bytes);
- strlcpy(result+prefixlen+randlen, suffix, resultlen-(prefixlen+randlen));
-
- return result;
-}
-
-/** Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
- * is empty. */
-void *
-smartlist_choose(const smartlist_t *sl)
-{
- int len = smartlist_len(sl);
- if (len)
- return smartlist_get(sl,crypto_rand_int(len));
- return NULL; /* no elements to choose from */
-}
-
-/** Scramble the elements of <b>sl</b> into a random order. */
-void
-smartlist_shuffle(smartlist_t *sl)
-{
- int i;
- /* From the end of the list to the front, choose at random from the
- positions we haven't looked at yet, and swap that position into the
- current position. Remember to give "no swap" the same probability as
- any other swap. */
- for (i = smartlist_len(sl)-1; i > 0; --i) {
- int j = crypto_rand_int(i+1);
- smartlist_swap(sl, i, j);
- }
-}
-
-/**
- * Destroy the <b>sz</b> bytes of data stored at <b>mem</b>, setting them to
- * the value <b>byte</b>.
- * If <b>mem</b> is NULL or <b>sz</b> is zero, nothing happens.
- *
- * This function is preferable to memset, since many compilers will happily
- * optimize out memset() when they can convince themselves that the data being
- * cleared will never be read.
- *
- * Right now, our convention is to use this function when we are wiping data
- * that's about to become inaccessible, such as stack buffers that are about
- * to go out of scope or structures that are about to get freed. (In
- * practice, it appears that the compilers we're currently using will optimize
- * out the memset()s for stack-allocated buffers, but not those for
- * about-to-be-freed structures. That could change, though, so we're being
- * wary.) If there are live reads for the data, then you can just use
- * memset().
- */
-void
-memwipe(void *mem, uint8_t byte, size_t sz)
-{
- if (sz == 0) {
- return;
- }
- /* If sz is nonzero, then mem must not be NULL. */
- tor_assert(mem != NULL);
-
- /* Data this large is likely to be an underflow. */
- tor_assert(sz < SIZE_T_CEILING);
-
- /* Because whole-program-optimization exists, we may not be able to just
- * have this function call "memset". A smart compiler could inline it, then
- * eliminate dead memsets, and declare itself to be clever. */
-
-#if defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY)
- /* Here's what you do on windows. */
- SecureZeroMemory(mem,sz);
-#elif defined(HAVE_RTLSECUREZEROMEMORY)
- RtlSecureZeroMemory(mem,sz);
-#elif defined(HAVE_EXPLICIT_BZERO)
- /* The BSDs provide this. */
- explicit_bzero(mem, sz);
-#elif defined(HAVE_MEMSET_S)
- /* This is in the C99 standard. */
- memset_s(mem, sz, 0, sz);
-#else
- /* This is a slow and ugly function from OpenSSL that fills 'mem' with junk
- * based on the pointer value, then uses that junk to update a global
- * variable. It's an elaborate ruse to trick the compiler into not
- * optimizing out the "wipe this memory" code. Read it if you like zany
- * programming tricks! In later versions of Tor, we should look for better
- * not-optimized-out memory wiping stuff...
- *
- * ...or maybe not. In practice, there are pure-asm implementations of
- * OPENSSL_cleanse() on most platforms, which ought to do the job.
- **/
-
- OPENSSL_cleanse(mem, sz);
-#endif /* defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY) || ... */
-
- /* Just in case some caller of memwipe() is relying on getting a buffer
- * filled with a particular value, fill the buffer.
- *
- * If this function gets inlined, this memset might get eliminated, but
- * that's okay: We only care about this particular memset in the case where
- * the caller should have been using memset(), and the memset() wouldn't get
- * eliminated. In other words, this is here so that we won't break anything
- * if somebody accidentally calls memwipe() instead of memset().
- **/
- memset(mem, byte, sz);
-}
-
/** @{ */
/** Uninitialize the crypto library. Return 0 on success. Does not detect
* failure.
diff --git a/src/common/crypto.h b/src/common/crypto.h
index b58679032..61a2952d2 100644
--- a/src/common/crypto.h
+++ b/src/common/crypto.h
@@ -105,31 +105,6 @@ int crypto_expand_key_material_rfc5869_sha256(
const uint8_t *info_in, size_t info_in_len,
uint8_t *key_out, size_t key_out_len);
-/* random numbers */
-int crypto_seed_rng(void) ATTR_WUR;
-MOCK_DECL(void,crypto_rand,(char *to, size_t n));
-void crypto_rand_unmocked(char *to, size_t n);
-void crypto_strongest_rand(uint8_t *out, size_t out_len);
-int crypto_rand_int(unsigned int max);
-int crypto_rand_int_range(unsigned int min, unsigned int max);
-uint64_t crypto_rand_uint64_range(uint64_t min, uint64_t max);
-time_t crypto_rand_time_range(time_t min, time_t max);
-uint64_t crypto_rand_uint64(uint64_t max);
-double crypto_rand_double(void);
-struct tor_weak_rng_t;
-void crypto_seed_weak_rng(struct tor_weak_rng_t *rng);
-int crypto_init_siphash_key(void);
-
-char *crypto_random_hostname(int min_rand_len, int max_rand_len,
- const char *prefix, const char *suffix);
-
-struct smartlist_t;
-void *smartlist_choose(const struct smartlist_t *sl);
-void smartlist_shuffle(struct smartlist_t *sl);
-
-/** OpenSSL-based utility functions. */
-void memwipe(void *mem, uint8_t byte, size_t sz);
-
/* Prototypes for private functions only used by tortls.c, crypto.c, and the
* unit tests. */
struct dh_st;
@@ -137,16 +112,5 @@ struct dh_st *crypto_dh_get_dh_(crypto_dh_t *dh);
void crypto_add_spaces_to_fp(char *out, size_t outlen, const char *in);
-#ifdef CRYPTO_PRIVATE
-
-STATIC int crypto_force_rand_ssleay(void);
-STATIC int crypto_strongest_rand_raw(uint8_t *out, size_t out_len);
-
-#ifdef TOR_UNIT_TESTS
-extern int break_strongest_rng_syscall;
-extern int break_strongest_rng_fallback;
-#endif
-#endif /* defined(CRYPTO_PRIVATE) */
-
#endif /* !defined(TOR_CRYPTO_H) */
diff --git a/src/common/crypto_curve25519.c b/src/common/crypto_curve25519.c
index ccf12d00f..0719c2f85 100644
--- a/src/common/crypto_curve25519.c
+++ b/src/common/crypto_curve25519.c
@@ -25,6 +25,8 @@
#include "crypto_curve25519.h"
#include "crypto_format.h"
#include "crypto_digest.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "util.h"
#include "torlog.h"
diff --git a/src/common/crypto_digest.c b/src/common/crypto_digest.c
index cdcc1828c..f7163de13 100644
--- a/src/common/crypto_digest.c
+++ b/src/common/crypto_digest.c
@@ -10,10 +10,13 @@
* operations.
**/
+#include "container.h"
#include "crypto_digest.h"
-
-#include "crypto.h" /* common functions */
#include "crypto_openssl_mgt.h"
+#include "crypto_util.h"
+#include "torlog.h"
+
+#include "keccak-tiny/keccak-tiny.h"
DISABLE_GCC_WARNING(redundant-decls)
@@ -22,8 +25,6 @@ DISABLE_GCC_WARNING(redundant-decls)
ENABLE_GCC_WARNING(redundant-decls)
-#include "container.h"
-
/* Crypto digest functions */
/** Compute the SHA1 digest of the <b>len</b> bytes on data stored in
diff --git a/src/common/crypto_ed25519.c b/src/common/crypto_ed25519.c
index f1cc0cb18..baddb77dd 100644
--- a/src/common/crypto_ed25519.c
+++ b/src/common/crypto_ed25519.c
@@ -27,6 +27,8 @@
#include "crypto_curve25519.h"
#include "crypto_ed25519.h"
#include "crypto_format.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "torlog.h"
#include "util.h"
#include "util_format.h"
diff --git a/src/common/crypto_format.c b/src/common/crypto_format.c
index 3f6fb9f54..c0cade2f5 100644
--- a/src/common/crypto_format.c
+++ b/src/common/crypto_format.c
@@ -20,6 +20,7 @@
#include "crypto_ed25519.h"
#include "crypto_format.h"
#include "crypto_digest.h"
+#include "crypto_util.h"
#include "util.h"
#include "util_format.h"
#include "torlog.h"
diff --git a/src/common/crypto_pwbox.c b/src/common/crypto_pwbox.c
index 604fc68e9..e49ca226e 100644
--- a/src/common/crypto_pwbox.c
+++ b/src/common/crypto_pwbox.c
@@ -12,6 +12,8 @@
#include "crypto_s2k.h"
#include "crypto_pwbox.h"
#include "crypto_digest.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "di_ops.h"
#include "util.h"
#include "pwbox.h"
diff --git a/src/common/crypto_rand.c b/src/common/crypto_rand.c
new file mode 100644
index 000000000..66506235a
--- /dev/null
+++ b/src/common/crypto_rand.c
@@ -0,0 +1,609 @@
+/* Copyright (c) 2001, Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file crypto_rand.c
+ *
+ * \brief Functions for initialising and seeding (pseudo-)random
+ * number generators, and working with randomness.
+ **/
+
+#ifndef CRYPTO_RAND_PRIVATE
+#define CRYPTO_RAND_PRIVATE
+
+#ifdef _WIN32
+#include <windows.h>
+#include <wincrypt.h>
+#endif /* defined(_WIN32) */
+
+#include "crypto_rand.h"
+
+#include "container.h"
+#include "compat.h"
+#include "compat_openssl.h"
+#include "crypto_util.h"
+#include "sandbox.h"
+#include "testsupport.h"
+#include "torlog.h"
+#include "util.h"
+#include "util_format.h"
+
+DISABLE_GCC_WARNING(redundant-decls)
+#include <openssl/rand.h>
+ENABLE_GCC_WARNING(redundant-decls)
+
+#if __GNUC__ && GCC_VERSION >= 402
+#if GCC_VERSION >= 406
+#pragma GCC diagnostic pop
+#else
+#pragma GCC diagnostic warning "-Wredundant-decls"
+#endif
+#endif /* __GNUC__ && GCC_VERSION >= 402 */
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_FCNTL_H
+#include <sys/fcntl.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+/**
+ * How many bytes of entropy we add at once.
+ *
+ * This is how much entropy OpenSSL likes to add right now, so maybe it will
+ * work for us too.
+ **/
+#define ADD_ENTROPY 32
+
+/**
+ * Longest recognized DNS query.
+ **/
+#define MAX_DNS_LABEL_SIZE 63
+
+/**
+ * Largest strong entropy request permitted.
+ **/
+#define MAX_STRONGEST_RAND_SIZE 256
+
+/**
+ * Set the seed of the weak RNG to a random value.
+ **/
+void
+crypto_seed_weak_rng(tor_weak_rng_t *rng)
+{
+ unsigned seed;
+ crypto_rand((void*)&seed, sizeof(seed));
+ tor_init_weak_random(rng, seed);
+}
+
+#ifdef TOR_UNIT_TESTS
+int break_strongest_rng_syscall = 0;
+int break_strongest_rng_fallback = 0;
+#endif
+
+/**
+ * Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
+ * via system calls, storing it into <b>out</b>. Return 0 on success, -1 on
+ * failure. A maximum request size of 256 bytes is imposed.
+ **/
+static int
+crypto_strongest_rand_syscall(uint8_t *out, size_t out_len)
+{
+ tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
+
+ /* We only log at notice-level here because in the case that this function
+ * fails the crypto_strongest_rand_raw() caller will log with a warning-level
+ * message and let crypto_strongest_rand() error out and finally terminating
+ * Tor with an assertion error.
+ */
+
+#ifdef TOR_UNIT_TESTS
+ if (break_strongest_rng_syscall)
+ return -1;
+#endif
+
+#if defined(_WIN32)
+ static int provider_set = 0;
+ static HCRYPTPROV provider;
+
+ if (!provider_set) {
+ if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
+ CRYPT_VERIFYCONTEXT)) {
+ log_notice(LD_CRYPTO, "Unable to set Windows CryptoAPI provider [1].");
+ return -1;
+ }
+ provider_set = 1;
+ }
+ if (!CryptGenRandom(provider, out_len, out)) {
+ log_notice(LD_CRYPTO, "Unable get entropy from the Windows CryptoAPI.");
+ return -1;
+ }
+
+ return 0;
+#elif defined(__linux__) && defined(SYS_getrandom)
+ static int getrandom_works = 1; /* Be optimistic about our chances... */
+
+ /* getrandom() isn't as straightforward as getentropy(), and has
+ * no glibc wrapper.
+ *
+ * As far as I can tell from getrandom(2) and the source code, the
+ * requests we issue will always succeed (though it will block on the
+ * call if /dev/urandom isn't seeded yet), since we are NOT specifying
+ * GRND_NONBLOCK and the request is <= 256 bytes.
+ *
+ * The manpage is unclear on what happens if a signal interrupts the call
+ * while the request is blocked due to lack of entropy....
+ *
+ * We optimistically assume that getrandom() is available and functional
+ * because it is the way of the future, and 2 branch mispredicts pale in
+ * comparison to the overheads involved with failing to open
+ * /dev/srandom followed by opening and reading from /dev/urandom.
+ */
+ if (PREDICT_LIKELY(getrandom_works)) {
+ long ret;
+ /* A flag of '0' here means to read from '/dev/urandom', and to
+ * block if insufficient entropy is available to service the
+ * request.
+ */
+ const unsigned int flags = 0;
+ do {
+ ret = syscall(SYS_getrandom, out, out_len, flags);
+ } while (ret == -1 && ((errno == EINTR) ||(errno == EAGAIN)));
+
+ if (PREDICT_UNLIKELY(ret == -1)) {
+ /* LCOV_EXCL_START we can't actually make the syscall fail in testing. */
+ tor_assert(errno != EAGAIN);
+ tor_assert(errno != EINTR);
+
+ /* Useful log message for errno. */
+ if (errno == ENOSYS) {
+ log_notice(LD_CRYPTO, "Can't get entropy from getrandom()."
+ " You are running a version of Tor built to support"
+ " getrandom(), but the kernel doesn't implement this"
+ " function--probably because it is too old?"
+ " Trying fallback method instead.");
+ } else {
+ log_notice(LD_CRYPTO, "Can't get entropy from getrandom(): %s."
+ " Trying fallback method instead.",
+ strerror(errno));
+ }
+
+ getrandom_works = 0; /* Don't bother trying again. */
+ return -1;
+ /* LCOV_EXCL_STOP */
+ }
+
+ tor_assert(ret == (long)out_len);
+ return 0;
+ }
+
+ return -1; /* getrandom() previously failed unexpectedly. */
+#elif defined(HAVE_GETENTROPY)
+ /* getentropy() is what Linux's getrandom() wants to be when it grows up.
+ * the only gotcha is that requests are limited to 256 bytes.
+ */
+ return getentropy(out, out_len);
+#else
+ (void) out;
+#endif /* defined(_WIN32) || ... */
+
+ /* This platform doesn't have a supported syscall based random. */
+ return -1;
+}
+
+/**
+ * Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
+ * via the per-platform fallback mechanism, storing it into <b>out</b>.
+ * Return 0 on success, -1 on failure. A maximum request size of 256 bytes
+ * is imposed.
+ **/
+static int
+crypto_strongest_rand_fallback(uint8_t *out, size_t out_len)
+{
+#ifdef TOR_UNIT_TESTS
+ if (break_strongest_rng_fallback)
+ return -1;
+#endif
+
+#ifdef _WIN32
+ /* Windows exclusively uses crypto_strongest_rand_syscall(). */
+ (void)out;
+ (void)out_len;
+ return -1;
+#else /* !(defined(_WIN32)) */
+ static const char *filenames[] = {
+ "/dev/srandom", "/dev/urandom", "/dev/random", NULL
+ };
+ int fd, i;
+ size_t n;
+
+ for (i = 0; filenames[i]; ++i) {
+ log_debug(LD_FS, "Considering %s as entropy source", filenames[i]);
+ fd = open(sandbox_intern_string(filenames[i]), O_RDONLY, 0);
+ if (fd<0) continue;
+ log_info(LD_CRYPTO, "Reading entropy from \"%s\"", filenames[i]);
+ n = read_all(fd, (char*)out, out_len, 0);
+ close(fd);
+ if (n != out_len) {
+ /* LCOV_EXCL_START
+ * We can't make /dev/foorandom actually fail. */
+ log_notice(LD_CRYPTO,
+ "Error reading from entropy source %s (read only %lu bytes).",
+ filenames[i],
+ (unsigned long)n);
+ return -1;
+ /* LCOV_EXCL_STOP */
+ }
+
+ return 0;
+ }
+
+ return -1;
+#endif /* defined(_WIN32) */
+}
+
+/**
+ * Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
+ * storing it into <b>out</b>. Return 0 on success, -1 on failure. A maximum
+ * request size of 256 bytes is imposed.
+ **/
+STATIC int
+crypto_strongest_rand_raw(uint8_t *out, size_t out_len)
+{
+ static const size_t sanity_min_size = 16;
+ static const int max_attempts = 3;
+ tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
+
+ /* For buffers >= 16 bytes (128 bits), we sanity check the output by
+ * zero filling the buffer and ensuring that it actually was at least
+ * partially modified.
+ *
+ * Checking that any individual byte is non-zero seems like it would
+ * fail too often (p = out_len * 1/256) for comfort, but this is an
+ * "adjust according to taste" sort of check.
+ */
+ memwipe(out, 0, out_len);
+ for (int i = 0; i < max_attempts; i++) {
+ /* Try to use the syscall/OS favored mechanism to get strong entropy. */
+ if (crypto_strongest_rand_syscall(out, out_len) != 0) {
+ /* Try to use the less-favored mechanism to get strong entropy. */
+ if (crypto_strongest_rand_fallback(out, out_len) != 0) {
+ /* Welp, we tried. Hopefully the calling code terminates the process
+ * since we're basically boned without good entropy.
+ */
+ log_warn(LD_CRYPTO,
+ "Cannot get strong entropy: no entropy source found.");
+ return -1;
+ }
+ }
+
+ if ((out_len < sanity_min_size) || !tor_mem_is_zero((char*)out, out_len))
+ return 0;
+ }
+
+ /* LCOV_EXCL_START
+ *
+ * We tried max_attempts times to fill a buffer >= 128 bits long,
+ * and each time it returned all '0's. Either the system entropy
+ * source is busted, or the user should go out and buy a ticket to
+ * every lottery on the planet.
+ */
+ log_warn(LD_CRYPTO, "Strong OS entropy returned all zero buffer.");
+
+ return -1;
+ /* LCOV_EXCL_STOP */
+}
+
+/**
+ * Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
+ * storing it into <b>out</b>.
+ **/
+void
+crypto_strongest_rand(uint8_t *out, size_t out_len)
+{
+#define DLEN SHA512_DIGEST_LENGTH
+ /* We're going to hash DLEN bytes from the system RNG together with some
+ * bytes from the openssl PRNG, in order to yield DLEN bytes.
+ */
+ uint8_t inp[DLEN*2];
+ uint8_t tmp[DLEN];
+ tor_assert(out);
+ while (out_len) {
+ crypto_rand((char*) inp, DLEN);
+ if (crypto_strongest_rand_raw(inp+DLEN, DLEN) < 0) {
+ // LCOV_EXCL_START
+ log_err(LD_CRYPTO, "Failed to load strong entropy when generating an "
+ "important key. Exiting.");
+ /* Die with an assertion so we get a stack trace. */
+ tor_assert(0);
+ // LCOV_EXCL_STOP
+ }
+ if (out_len >= DLEN) {
+ SHA512(inp, sizeof(inp), out);
+ out += DLEN;
+ out_len -= DLEN;
+ } else {
+ SHA512(inp, sizeof(inp), tmp);
+ memcpy(out, tmp, out_len);
+ break;
+ }
+ }
+ memwipe(tmp, 0, sizeof(tmp));
+ memwipe(inp, 0, sizeof(inp));
+#undef DLEN
+}
+
+/**
+ * Seed OpenSSL's random number generator with bytes from the operating
+ * system. Return 0 on success, -1 on failure.
+ **/
+int
+crypto_seed_rng(void)
+{
+ int rand_poll_ok = 0, load_entropy_ok = 0;
+ uint8_t buf[ADD_ENTROPY];
+
+ /* OpenSSL has a RAND_poll function that knows about more kinds of
+ * entropy than we do. We'll try calling that, *and* calling our own entropy
+ * functions. If one succeeds, we'll accept the RNG as seeded. */
+ rand_poll_ok = RAND_poll();
+ if (rand_poll_ok == 0)
+ log_warn(LD_CRYPTO, "RAND_poll() failed."); // LCOV_EXCL_LINE
+
+ load_entropy_ok = !crypto_strongest_rand_raw(buf, sizeof(buf));
+ if (load_entropy_ok) {
+ RAND_seed(buf, sizeof(buf));
+ }
+
+ memwipe(buf, 0, sizeof(buf));
+
+ if ((rand_poll_ok || load_entropy_ok) && RAND_status() == 1)
+ return 0;
+ else
+ return -1;
+}
+
+/**
+ * Write <b>n</b> bytes of strong random data to <b>to</b>. Supports mocking
+ * for unit tests.
+ *
+ * This function is not allowed to fail; if it would fail to generate strong
+ * entropy, it must terminate the process instead.
+ **/
+MOCK_IMPL(void,
+crypto_rand, (char *to, size_t n))
+{
+ crypto_rand_unmocked(to, n);
+}
+
+/**
+ * Write <b>n</b> bytes of strong random data to <b>to</b>. Most callers
+ * will want crypto_rand instead.
+ *
+ * This function is not allowed to fail; if it would fail to generate strong
+ * entropy, it must terminate the process instead.
+ **/
+void
+crypto_rand_unmocked(char *to, size_t n)
+{
+ int r;
+ if (n == 0)
+ return;
+
+ tor_assert(n < INT_MAX);
+ tor_assert(to);
+ r = RAND_bytes((unsigned char*)to, (int)n);
+ /* We consider a PRNG failure non-survivable. Let's assert so that we get a
+ * stack trace about where it happened.
+ */
+ tor_assert(r >= 0);
+}
+
+/**
+ * Return a pseudorandom integer, chosen uniformly from the values
+ * between 0 and <b>max</b>-1 inclusive. <b>max</b> must be between 1 and
+ * INT_MAX+1, inclusive.
+ */
+int
+crypto_rand_int(unsigned int max)
+{
+ unsigned int val;
+ unsigned int cutoff;
+ tor_assert(max <= ((unsigned int)INT_MAX)+1);
+ tor_assert(max > 0); /* don't div by 0 */
+
+ /* We ignore any values that are >= 'cutoff,' to avoid biasing the
+ * distribution with clipping at the upper end of unsigned int's
+ * range.
+ */
+ cutoff = UINT_MAX - (UINT_MAX%max);
+ while (1) {
+ crypto_rand((char*)&val, sizeof(val));
+ if (val < cutoff)
+ return val % max;
+ }
+}
+
+/**
+ * Return a pseudorandom integer, chosen uniformly from the values i such
+ * that min <= i < max.
+ *
+ * <b>min</b> MUST be in range [0, <b>max</b>).
+ * <b>max</b> MUST be in range (min, INT_MAX].
+ **/
+int
+crypto_rand_int_range(unsigned int min, unsigned int max)
+{
+ tor_assert(min < max);
+ tor_assert(max <= INT_MAX);
+
+ /* The overflow is avoided here because crypto_rand_int() returns a value
+ * between 0 and (max - min) inclusive. */
+ return min + crypto_rand_int(max - min);
+}
+
+/**
+ * As crypto_rand_int_range, but supports uint64_t.
+ **/
+uint64_t
+crypto_rand_uint64_range(uint64_t min, uint64_t max)
+{
+ tor_assert(min < max);
+ return min + crypto_rand_uint64(max - min);
+}
+
+/**
+ * As crypto_rand_int_range, but supports time_t.
+ **/
+time_t
+crypto_rand_time_range(time_t min, time_t max)
+{
+ tor_assert(min < max);
+ return min + (time_t)crypto_rand_uint64(max - min);
+}
+
+/**
+ * Return a pseudorandom 64-bit integer, chosen uniformly from the values
+ * between 0 and <b>max</b>-1 inclusive.
+ **/
+uint64_t
+crypto_rand_uint64(uint64_t max)
+{
+ uint64_t val;
+ uint64_t cutoff;
+ tor_assert(max < UINT64_MAX);
+ tor_assert(max > 0); /* don't div by 0 */
+
+ /* We ignore any values that are >= 'cutoff,' to avoid biasing the
+ * distribution with clipping at the upper end of unsigned int's
+ * range.
+ */
+ cutoff = UINT64_MAX - (UINT64_MAX%max);
+ while (1) {
+ crypto_rand((char*)&val, sizeof(val));
+ if (val < cutoff)
+ return val % max;
+ }
+}
+
+/**
+ * Return a pseudorandom double d, chosen uniformly from the range
+ * 0.0 <= d < 1.0.
+ **/
+double
+crypto_rand_double(void)
+{
+ /* We just use an unsigned int here; we don't really care about getting
+ * more than 32 bits of resolution */
+ unsigned int u;
+ crypto_rand((char*)&u, sizeof(u));
+#if SIZEOF_INT == 4
+#define UINT_MAX_AS_DOUBLE 4294967296.0
+#elif SIZEOF_INT == 8
+#define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
+#else
+#error SIZEOF_INT is neither 4 nor 8
+#endif /* SIZEOF_INT == 4 || ... */
+ return ((double)u) / UINT_MAX_AS_DOUBLE;
+}
+
+/**
+ * Generate and return a new random hostname starting with <b>prefix</b>,
+ * ending with <b>suffix</b>, and containing no fewer than
+ * <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
+ * characters. Does not check for failure.
+ *
+ * Clip <b>max_rand_len</b> to MAX_DNS_LABEL_SIZE.
+ **/
+char *
+crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix,
+ const char *suffix)
+{
+ char *result, *rand_bytes;
+ int randlen, rand_bytes_len;
+ size_t resultlen, prefixlen;
+
+ if (max_rand_len > MAX_DNS_LABEL_SIZE)
+ max_rand_len = MAX_DNS_LABEL_SIZE;
+ if (min_rand_len > max_rand_len)
+ min_rand_len = max_rand_len;
+
+ randlen = crypto_rand_int_range(min_rand_len, max_rand_len+1);
+
+ prefixlen = strlen(prefix);
+ resultlen = prefixlen + strlen(suffix) + randlen + 16;
+
+ rand_bytes_len = ((randlen*5)+7)/8;
+ if (rand_bytes_len % 5)
+ rand_bytes_len += 5 - (rand_bytes_len%5);
+ rand_bytes = tor_malloc(rand_bytes_len);
+ crypto_rand(rand_bytes, rand_bytes_len);
+
+ result = tor_malloc(resultlen);
+ memcpy(result, prefix, prefixlen);
+ base32_encode(result+prefixlen, resultlen-prefixlen,
+ rand_bytes, rand_bytes_len);
+ tor_free(rand_bytes);
+ strlcpy(result+prefixlen+randlen, suffix, resultlen-(prefixlen+randlen));
+
+ return result;
+}
+
+/**
+ * Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
+ * is empty.
+ **/
+void *
+smartlist_choose(const smartlist_t *sl)
+{
+ int len = smartlist_len(sl);
+ if (len)
+ return smartlist_get(sl,crypto_rand_int(len));
+ return NULL; /* no elements to choose from */
+}
+
+/**
+ * Scramble the elements of <b>sl</b> into a random order.
+ **/
+void
+smartlist_shuffle(smartlist_t *sl)
+{
+ int i;
+ /* From the end of the list to the front, choose at random from the
+ positions we haven't looked at yet, and swap that position into the
+ current position. Remember to give "no swap" the same probability as
+ any other swap. */
+ for (i = smartlist_len(sl)-1; i > 0; --i) {
+ int j = crypto_rand_int(i+1);
+ smartlist_swap(sl, i, j);
+ }
+}
+
+/** Make sure that openssl is using its default PRNG. Return 1 if we had to
+ * adjust it; 0 otherwise. */
+int
+crypto_force_rand_ssleay(void)
+{
+ RAND_METHOD *default_method;
+ default_method = RAND_OpenSSL();
+ if (RAND_get_rand_method() != default_method) {
+ log_notice(LD_CRYPTO, "It appears that one of our engines has provided "
+ "a replacement the OpenSSL RNG. Resetting it to the default "
+ "implementation.");
+ RAND_set_rand_method(default_method);
+ return 1;
+ }
+ return 0;
+}
+
+#endif /* !defined(CRYPTO_RAND_PRIVATE) */
+
diff --git a/src/common/crypto_rand.h b/src/common/crypto_rand.h
new file mode 100644
index 000000000..c78195633
--- /dev/null
+++ b/src/common/crypto_rand.h
@@ -0,0 +1,53 @@
+/* Copyright (c) 2001, Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file crypto_rand.h
+ *
+ * \brief Common functions for using (psuedo-)random number generators.
+ **/
+
+#ifndef TOR_CRYPTO_RAND_H
+#define TOR_CRYPTO_RAND_H
+
+#include "torint.h"
+#include "util.h"
+
+/* random numbers */
+int crypto_seed_rng(void) ATTR_WUR;
+MOCK_DECL(void,crypto_rand,(char *to, size_t n));
+void crypto_rand_unmocked(char *to, size_t n);
+void crypto_strongest_rand(uint8_t *out, size_t out_len);
+int crypto_rand_int(unsigned int max);
+int crypto_rand_int_range(unsigned int min, unsigned int max);
+uint64_t crypto_rand_uint64_range(uint64_t min, uint64_t max);
+time_t crypto_rand_time_range(time_t min, time_t max);
+uint64_t crypto_rand_uint64(uint64_t max);
+double crypto_rand_double(void);
+struct tor_weak_rng_t;
+void crypto_seed_weak_rng(struct tor_weak_rng_t *rng);
+int crypto_init_siphash_key(void);
+
+char *crypto_random_hostname(int min_rand_len, int max_rand_len,
+ const char *prefix, const char *suffix);
+
+struct smartlist_t;
+void *smartlist_choose(const struct smartlist_t *sl);
+void smartlist_shuffle(struct smartlist_t *sl);
+int crypto_force_rand_ssleay(void);
+
+#ifdef CRYPTO_RAND_PRIVATE
+
+STATIC int crypto_strongest_rand_raw(uint8_t *out, size_t out_len);
+
+#ifdef TOR_UNIT_TESTS
+extern int break_strongest_rng_syscall;
+extern int break_strongest_rng_fallback;
+#endif
+#endif /* defined(CRYPTO_RAND_PRIVATE) */
+
+#endif /* !defined(TOR_CRYPTO_RAND_H) */
+
diff --git a/src/common/crypto_rsa.c b/src/common/crypto_rsa.c
index 986ccb0ee..0e006b0eb 100644
--- a/src/common/crypto_rsa.c
+++ b/src/common/crypto_rsa.c
@@ -15,6 +15,8 @@
#include "crypto_curve25519.h"
#include "crypto_format.h"
#include "crypto_digest.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
DISABLE_GCC_WARNING(redundant-decls)
diff --git a/src/common/crypto_s2k.c b/src/common/crypto_s2k.c
index 316445e40..7d7f475b6 100644
--- a/src/common/crypto_s2k.c
+++ b/src/common/crypto_s2k.c
@@ -17,6 +17,8 @@
#include "compat.h"
#include "crypto_s2k.h"
#include "crypto_digest.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include <openssl/evp.h>
diff --git a/src/common/crypto_util.c b/src/common/crypto_util.c
new file mode 100644
index 000000000..c09afe6ee
--- /dev/null
+++ b/src/common/crypto_util.c
@@ -0,0 +1,105 @@
+/* Copyright (c) 2001, Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file crypto_util.c
+ *
+ * \brief Common cryptographic utilities.
+ **/
+
+#ifndef CRYPTO_UTIL_PRIVATE
+#define CRYPTO_UTIL_PRIVATE
+
+#include <string.h>
+
+#ifdef _WIN32
+#include <windows.h>
+#include <wincrypt.h>
+#endif /* defined(_WIN32) */
+
+#include "crypto_util.h"
+#include "util.h"
+
+DISABLE_GCC_WARNING(redundant-decls)
+
+#include <openssl/crypto.h>
+
+ENABLE_GCC_WARNING(redundant-decls)
+
+/**
+ * Destroy the <b>sz</b> bytes of data stored at <b>mem</b>, setting them to
+ * the value <b>byte</b>.
+ * If <b>mem</b> is NULL or <b>sz</b> is zero, nothing happens.
+ *
+ * This function is preferable to memset, since many compilers will happily
+ * optimize out memset() when they can convince themselves that the data being
+ * cleared will never be read.
+ *
+ * Right now, our convention is to use this function when we are wiping data
+ * that's about to become inaccessible, such as stack buffers that are about
+ * to go out of scope or structures that are about to get freed. (In
+ * practice, it appears that the compilers we're currently using will optimize
+ * out the memset()s for stack-allocated buffers, but not those for
+ * about-to-be-freed structures. That could change, though, so we're being
+ * wary.) If there are live reads for the data, then you can just use
+ * memset().
+ */
+void
+memwipe(void *mem, uint8_t byte, size_t sz)
+{
+ if (sz == 0) {
+ return;
+ }
+ /* If sz is nonzero, then mem must not be NULL. */
+ tor_assert(mem != NULL);
+
+ /* Data this large is likely to be an underflow. */
+ tor_assert(sz < SIZE_T_CEILING);
+
+ /* Because whole-program-optimization exists, we may not be able to just
+ * have this function call "memset". A smart compiler could inline it, then
+ * eliminate dead memsets, and declare itself to be clever. */
+
+#if defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY)
+ /* Here's what you do on windows. */
+ SecureZeroMemory(mem,sz);
+#elif defined(HAVE_RTLSECUREZEROMEMORY)
+ RtlSecureZeroMemory(mem,sz);
+#elif defined(HAVE_EXPLICIT_BZERO)
+ /* The BSDs provide this. */
+ explicit_bzero(mem, sz);
+#elif defined(HAVE_MEMSET_S)
+ /* This is in the C99 standard. */
+ memset_s(mem, sz, 0, sz);
+#else
+ /* This is a slow and ugly function from OpenSSL that fills 'mem' with junk
+ * based on the pointer value, then uses that junk to update a global
+ * variable. It's an elaborate ruse to trick the compiler into not
+ * optimizing out the "wipe this memory" code. Read it if you like zany
+ * programming tricks! In later versions of Tor, we should look for better
+ * not-optimized-out memory wiping stuff...
+ *
+ * ...or maybe not. In practice, there are pure-asm implementations of
+ * OPENSSL_cleanse() on most platforms, which ought to do the job.
+ **/
+
+ OPENSSL_cleanse(mem, sz);
+#endif /* defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY) || ... */
+
+ /* Just in case some caller of memwipe() is relying on getting a buffer
+ * filled with a particular value, fill the buffer.
+ *
+ * If this function gets inlined, this memset might get eliminated, but
+ * that's okay: We only care about this particular memset in the case where
+ * the caller should have been using memset(), and the memset() wouldn't get
+ * eliminated. In other words, this is here so that we won't break anything
+ * if somebody accidentally calls memwipe() instead of memset().
+ **/
+ memset(mem, byte, sz);
+}
+
+#endif /* !defined(CRYPTO_UTIL_PRIVATE) */
+
diff --git a/src/common/crypto_util.h b/src/common/crypto_util.h
new file mode 100644
index 000000000..922942b37
--- /dev/null
+++ b/src/common/crypto_util.h
@@ -0,0 +1,27 @@
+/* Copyright (c) 2001, Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file crypto_util.h
+ *
+ * \brief Common functions for cryptographic routines.
+ **/
+
+#ifndef TOR_CRYPTO_UTIL_H
+#define TOR_CRYPTO_UTIL_H
+
+#include "torint.h"
+
+/** OpenSSL-based utility functions. */
+void memwipe(void *mem, uint8_t byte, size_t sz);
+
+#ifdef CRYPTO_UTIL_PRIVATE
+#ifdef TOR_UNIT_TESTS
+#endif /* defined(TOR_UNIT_TESTS) */
+#endif /* defined(CRYPTO_UTIL_PRIVATE) */
+
+#endif /* !defined(TOR_CRYPTO_UTIL_H) */
+
diff --git a/src/common/include.am b/src/common/include.am
index 73c51ff0b..f0cbd0e1d 100644
--- a/src/common/include.am
+++ b/src/common/include.am
@@ -118,8 +118,10 @@ LIBOR_CRYPTO_A_SRC = \
src/common/crypto_rsa.c \
src/common/crypto_openssl_mgt.c \
src/common/crypto_pwbox.c \
+ src/common/crypto_rand.c \
src/common/crypto_s2k.c \
src/common/crypto_format.c \
+ src/common/crypto_util.c \
src/common/tortls.c \
src/common/crypto_curve25519.c \
src/common/crypto_ed25519.c
@@ -173,7 +175,9 @@ COMMONHEADERS = \
src/common/crypto_openssl_mgt.h \
src/common/crypto_rsa.h \
src/common/crypto_pwbox.h \
+ src/common/crypto_rand.h \
src/common/crypto_s2k.h \
+ src/common/crypto_util.h \
src/common/di_ops.h \
src/common/handles.h \
src/common/memarea.h \
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 05e29e22f..e58afd9a9 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -26,6 +26,8 @@
#endif
#include "crypto.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "compat.h"
/* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
diff --git a/src/common/workqueue.c b/src/common/workqueue.c
index ec96959b7..de0079b75 100644
--- a/src/common/workqueue.c
+++ b/src/common/workqueue.c
@@ -25,7 +25,7 @@
#include "orconfig.h"
#include "compat.h"
#include "compat_threads.h"
-#include "crypto.h"
+#include "crypto_rand.h"
#include "util.h"
#include "workqueue.h"
#include "tor_queue.h"
diff --git a/src/ext/ed25519/donna/ed25519-randombytes-custom.h b/src/ext/ed25519/donna/ed25519-randombytes-custom.h
index 3fb0959fc..27eade4f9 100644
--- a/src/ext/ed25519/donna/ed25519-randombytes-custom.h
+++ b/src/ext/ed25519/donna/ed25519-randombytes-custom.h
@@ -8,7 +8,7 @@
*/
/* Tor: Instead of calling OpenSSL's CSPRNG directly, call the wrapper. */
-#include "crypto.h"
+#include "crypto_rand.h"
static void
ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len)
diff --git a/src/ext/ed25519/donna/ed25519_tor.c b/src/ext/ed25519/donna/ed25519_tor.c
index 84fc3850a..43de9faae 100644
--- a/src/ext/ed25519/donna/ed25519_tor.c
+++ b/src/ext/ed25519/donna/ed25519_tor.c
@@ -40,6 +40,8 @@
#include "ed25519-randombytes.h"
#include "ed25519-hash.h"
+#include "crypto_util.h"
+
typedef unsigned char ed25519_signature[64];
typedef unsigned char ed25519_public_key[32];
typedef unsigned char ed25519_secret_key[32];
diff --git a/src/ext/ed25519/ref10/blinding.c b/src/ext/ed25519/ref10/blinding.c
index a3b32fa80..88e84cac2 100644
--- a/src/ext/ed25519/ref10/blinding.c
+++ b/src/ext/ed25519/ref10/blinding.c
@@ -7,7 +7,7 @@
#include "ed25519_ref10.h"
#include <string.h>
-#include "crypto.h"
+#include "crypto_util.h"
static void
ed25519_ref10_gettweak(unsigned char *out, const unsigned char *param)
diff --git a/src/ext/ed25519/ref10/keypair.c b/src/ext/ed25519/ref10/keypair.c
index 68a88f9ad..c437f0a4f 100644
--- a/src/ext/ed25519/ref10/keypair.c
+++ b/src/ext/ed25519/ref10/keypair.c
@@ -6,6 +6,9 @@
#include "crypto_hash_sha512.h"
#include "ge.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
+
int
crypto_sign_seckey(unsigned char *sk)
{
diff --git a/src/ext/keccak-tiny/keccak-tiny-unrolled.c b/src/ext/keccak-tiny/keccak-tiny-unrolled.c
index d8d7fe335..07e8c95bc 100644
--- a/src/ext/keccak-tiny/keccak-tiny-unrolled.c
+++ b/src/ext/keccak-tiny/keccak-tiny-unrolled.c
@@ -9,7 +9,7 @@
#include "keccak-tiny.h"
#include <string.h>
-#include "crypto.h"
+#include "crypto_util.h"
#include "byteorder.h"
/******** Endianness conversion helpers ********/
diff --git a/src/or/addressmap.c b/src/or/addressmap.c
index 96ce27557..f691ef9aa 100644
--- a/src/or/addressmap.c
+++ b/src/or/addressmap.c
@@ -21,6 +21,7 @@
#include "config.h"
#include "connection_edge.h"
#include "control.h"
+#include "crypto_rand.h"
#include "dns.h"
#include "routerset.h"
#include "nodelist.h"
diff --git a/src/or/channelpadding.c b/src/or/channelpadding.c
index 5da3009e6..0c20d6dd3 100644
--- a/src/or/channelpadding.c
+++ b/src/or/channelpadding.c
@@ -16,6 +16,7 @@
#include "networkstatus.h"
#include "connection.h"
#include "connection_or.h"
+#include "crypto_rand.h"
#include "main.h"
#include "rephist.h"
#include "router.h"
diff --git a/src/or/circpathbias.c b/src/or/circpathbias.c
index c1c1ca31b..ff42bf91e 100644
--- a/src/or/circpathbias.c
+++ b/src/or/circpathbias.c
@@ -30,6 +30,7 @@
#include "circuitstats.h"
#include "connection_edge.h"
#include "config.h"
+#include "crypto_rand.h"
#include "entrynodes.h"
#include "networkstatus.h"
#include "relay.h"
diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index 8b7990e5f..fbc4fc4ac 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -43,7 +43,7 @@
#include "connection_edge.h"
#include "connection_or.h"
#include "control.h"
-#include "crypto.h"
+#include "crypto_rand.h"
#include "directory.h"
#include "entrynodes.h"
#include "hs_ntor.h"
diff --git a/src/or/circuitlist.c b/src/or/circuitlist.c
index f362b8e97..02e218134 100644
--- a/src/or/circuitlist.c
+++ b/src/or/circuitlist.c
@@ -65,6 +65,8 @@
#include "connection_edge.h"
#include "connection_or.h"
#include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "entrynodes.h"
#include "main.h"
#include "hs_circuit.h"
diff --git a/src/or/circuitstats.c b/src/or/circuitstats.c
index 643831927..0dfde67f8 100644
--- a/src/or/circuitstats.c
+++ b/src/or/circuitstats.c
@@ -31,6 +31,7 @@
#include "config.h"
#include "confparse.h"
#include "control.h"
+#include "crypto_rand.h"
#include "main.h"
#include "networkstatus.h"
#include "rendclient.h"
diff --git a/src/or/command.c b/src/or/command.c
index 4f99462f3..aa792a006 100644
--- a/src/or/command.c
+++ b/src/or/command.c
@@ -46,6 +46,7 @@
#include "config.h"
#include "control.h"
#include "cpuworker.h"
+#include "crypto_util.h"
#include "dos.h"
#include "hibernate.h"
#include "nodelist.h"
diff --git a/src/or/config.c b/src/or/config.c
index 212c6c6b9..18298937e 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -78,6 +78,8 @@
#include "control.h"
#include "confparse.h"
#include "cpuworker.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "dirserv.h"
#include "dirvote.h"
#include "dns.h"
diff --git a/src/or/connection.c b/src/or/connection.c
index 5532551cf..69a8d24c9 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -76,6 +76,7 @@
#include "connection_edge.h"
#include "connection_or.h"
#include "control.h"
+#include "crypto_util.h"
#include "directory.h"
#include "dirserv.h"
#include "dns.h"
diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c
index 948c8722b..d74512c45 100644
--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -70,6 +70,7 @@
#include "connection_edge.h"
#include "connection_or.h"
#include "control.h"
+#include "crypto_util.h"
#include "dns.h"
#include "dnsserv.h"
#include "directory.h"
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index 267463312..ad5ee6a2b 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -39,6 +39,8 @@
#include "connection.h"
#include "connection_or.h"
#include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "dirserv.h"
#include "entrynodes.h"
#include "geoip.h"
diff --git a/src/or/conscache.c b/src/or/conscache.c
index e25ac5f40..51dc9d621 100644
--- a/src/or/conscache.c
+++ b/src/or/conscache.c
@@ -5,6 +5,7 @@
#include "config.h"
#include "conscache.h"
+#include "crypto_util.h"
#include "storagedir.h"
#define CCE_MAGIC 0x17162253
diff --git a/src/or/control.c b/src/or/control.c
index 5cac0e172..ee4f02cb2 100644
--- a/src/or/control.c
+++ b/src/or/control.c
@@ -52,6 +52,8 @@
#include "connection_edge.h"
#include "connection_or.h"
#include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "directory.h"
#include "dirserv.h"
#include "dnsserv.h"
diff --git a/src/or/cpuworker.c b/src/or/cpuworker.c
index 7da7dc5f8..8f03d654a 100644
--- a/src/or/cpuworker.c
+++ b/src/or/cpuworker.c
@@ -24,6 +24,8 @@
#include "connection_or.h"
#include "config.h"
#include "cpuworker.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "main.h"
#include "onion.h"
#include "rephist.h"
diff --git a/src/or/directory.c b/src/or/directory.c
index c419b61d0..44e3d2f2a 100644
--- a/src/or/directory.c
+++ b/src/or/directory.c
@@ -18,6 +18,8 @@
#include "consdiffmgr.h"
#include "control.h"
#include "compat.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "directory.h"
#include "dirserv.h"
#include "dirvote.h"
diff --git a/src/or/dns.c b/src/or/dns.c
index e4dc8048e..34f28252f 100644
--- a/src/or/dns.c
+++ b/src/or/dns.c
@@ -56,6 +56,7 @@
#include "connection.h"
#include "connection_edge.h"
#include "control.h"
+#include "crypto_rand.h"
#include "dns.h"
#include "main.h"
#include "policies.h"
diff --git a/src/or/dos.c b/src/or/dos.c
index 4d1797eec..f78409a7b 100644
--- a/src/or/dos.c
+++ b/src/or/dos.c
@@ -11,6 +11,7 @@
#include "or.h"
#include "channel.h"
#include "config.h"
+#include "crypto_rand.h"
#include "geoip.h"
#include "main.h"
#include "networkstatus.h"
diff --git a/src/or/entrynodes.c b/src/or/entrynodes.c
index 2b6ff38c9..42a776fe4 100644
--- a/src/or/entrynodes.c
+++ b/src/or/entrynodes.c
@@ -123,6 +123,7 @@
#include "confparse.h"
#include "connection.h"
#include "control.h"
+#include "crypto_rand.h"
#include "directory.h"
#include "entrynodes.h"
#include "main.h"
diff --git a/src/or/ext_orport.c b/src/or/ext_orport.c
index 16a250fa5..8fff0f955 100644
--- a/src/or/ext_orport.c
+++ b/src/or/ext_orport.c
@@ -23,6 +23,8 @@
#include "ext_orport.h"
#include "control.h"
#include "config.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "main.h"
#include "proto_ext_or.h"
#include "util.h"
diff --git a/src/or/hibernate.c b/src/or/hibernate.c
index 7261cf800..2b50aa5f0 100644
--- a/src/or/hibernate.c
+++ b/src/or/hibernate.c
@@ -36,6 +36,7 @@ hibernating, phase 2:
#include "connection_edge.h"
#include "connection_or.h"
#include "control.h"
+#include "crypto_rand.h"
#include "hibernate.h"
#include "main.h"
#include "router.h"
diff --git a/src/or/hs_cache.c b/src/or/hs_cache.c
index df53efd32..ecc845d17 100644
--- a/src/or/hs_cache.c
+++ b/src/or/hs_cache.c
@@ -11,6 +11,7 @@
#include "or.h"
#include "config.h"
+#include "crypto_util.h"
#include "hs_ident.h"
#include "hs_common.h"
#include "hs_client.h"
diff --git a/src/or/hs_cell.c b/src/or/hs_cell.c
index ad92521d3..03273a44f 100644
--- a/src/or/hs_cell.c
+++ b/src/or/hs_cell.c
@@ -8,6 +8,7 @@
#include "or.h"
#include "config.h"
+#include "crypto_util.h"
#include "rendservice.h"
#include "replaycache.h"
#include "util.h"
diff --git a/src/or/hs_circuit.c b/src/or/hs_circuit.c
index 3a674f622..38434fba3 100644
--- a/src/or/hs_circuit.c
+++ b/src/or/hs_circuit.c
@@ -13,6 +13,8 @@
#include "circuitlist.h"
#include "circuituse.h"
#include "config.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "nodelist.h"
#include "policies.h"
#include "relay.h"
diff --git a/src/or/hs_client.c b/src/or/hs_client.c
index 20963cd45..f07426052 100644
--- a/src/or/hs_client.c
+++ b/src/or/hs_client.c
@@ -13,6 +13,8 @@
#include "hs_ident.h"
#include "connection_edge.h"
#include "container.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "rendclient.h"
#include "hs_descriptor.h"
#include "hs_cache.h"
diff --git a/src/or/hs_common.c b/src/or/hs_common.c
index aa34b0e8f..5b0c4c07f 100644
--- a/src/or/hs_common.c
+++ b/src/or/hs_common.c
@@ -15,6 +15,8 @@
#include "config.h"
#include "circuitbuild.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "networkstatus.h"
#include "nodelist.h"
#include "hs_cache.h"
diff --git a/src/or/hs_control.c b/src/or/hs_control.c
index 87b4e3fca..87c41bf96 100644
--- a/src/or/hs_control.c
+++ b/src/or/hs_control.c
@@ -8,6 +8,7 @@
#include "or.h"
#include "control.h"
+#include "crypto_util.h"
#include "hs_common.h"
#include "hs_control.h"
#include "hs_descriptor.h"
diff --git a/src/or/hs_descriptor.c b/src/or/hs_descriptor.c
index 7388807bc..eb48cb060 100644
--- a/src/or/hs_descriptor.c
+++ b/src/or/hs_descriptor.c
@@ -59,6 +59,8 @@
#include "ed25519_cert.h" /* Trunnel interface. */
#include "hs_descriptor.h"
#include "circuitbuild.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "parsecommon.h"
#include "rendcache.h"
#include "hs_cache.h"
diff --git a/src/or/hs_descriptor.h b/src/or/hs_descriptor.h
index 09979410e..8195c6efb 100644
--- a/src/or/hs_descriptor.h
+++ b/src/or/hs_descriptor.h
@@ -16,6 +16,7 @@
#include "container.h"
#include "crypto.h"
#include "crypto_ed25519.h"
+#include "ed25519_cert.h" /* needed for trunnel */
#include "torcert.h"
/* Trunnel */
diff --git a/src/or/hs_ident.c b/src/or/hs_ident.c
index 0bce2f625..3603e329d 100644
--- a/src/or/hs_ident.c
+++ b/src/or/hs_ident.c
@@ -7,6 +7,7 @@
* subsytem.
**/
+#include "crypto_util.h"
#include "hs_ident.h"
/* Return a newly allocated circuit identifier. The given public key is copied
diff --git a/src/or/hs_ntor.c b/src/or/hs_ntor.c
index a416bc46c..809fa83bb 100644
--- a/src/or/hs_ntor.c
+++ b/src/or/hs_ntor.c
@@ -25,6 +25,7 @@
*/
#include "or.h"
+#include "crypto_util.h"
#include "hs_ntor.h"
/* String constants used by the ntor HS protocol */
diff --git a/src/or/hs_service.c b/src/or/hs_service.c
index ba8abc423..fdd5e449c 100644
--- a/src/or/hs_service.c
+++ b/src/or/hs_service.c
@@ -15,6 +15,8 @@
#include "circuituse.h"
#include "config.h"
#include "connection.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "directory.h"
#include "main.h"
#include "networkstatus.h"
diff --git a/src/or/main.c b/src/or/main.c
index a0d2ae075..b3f0a85cd 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -70,6 +70,7 @@
#include "control.h"
#include "cpuworker.h"
#include "crypto_s2k.h"
+#include "crypto_rand.h"
#include "directory.h"
#include "dirserv.h"
#include "dirvote.h"
diff --git a/src/or/networkstatus.c b/src/or/networkstatus.c
index 235b95b70..e223b6f1b 100644
--- a/src/or/networkstatus.c
+++ b/src/or/networkstatus.c
@@ -48,6 +48,8 @@
#include "connection_or.h"
#include "consdiffmgr.h"
#include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "directory.h"
#include "dirserv.h"
#include "dirvote.h"
diff --git a/src/or/onion.c b/src/or/onion.c
index 0c88c4d7e..829be12ba 100644
--- a/src/or/onion.c
+++ b/src/or/onion.c
@@ -67,6 +67,7 @@
#include "circuitlist.h"
#include "config.h"
#include "cpuworker.h"
+#include "crypto_util.h"
#include "networkstatus.h"
#include "onion.h"
#include "onion_fast.h"
diff --git a/src/or/onion_fast.c b/src/or/onion_fast.c
index de9103b1f..9f9b2199d 100644
--- a/src/or/onion_fast.c
+++ b/src/or/onion_fast.c
@@ -29,6 +29,8 @@
#include "or.h"
#include "onion_fast.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
/** Release all state held in <b>victim</b>. */
void
diff --git a/src/or/onion_ntor.c b/src/or/onion_ntor.c
index 8ad876a58..02d43cb72 100644
--- a/src/or/onion_ntor.c
+++ b/src/or/onion_ntor.c
@@ -23,6 +23,7 @@
#define ONION_NTOR_PRIVATE
#include "crypto.h"
#include "crypto_digest.h"
+#include "crypto_util.h"
#include "onion_ntor.h"
#include "torlog.h"
#include "util.h"
diff --git a/src/or/onion_tap.c b/src/or/onion_tap.c
index c71fa236e..44737034f 100644
--- a/src/or/onion_tap.c
+++ b/src/or/onion_tap.c
@@ -29,6 +29,8 @@
#include "or.h"
#include "config.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "onion_tap.h"
#include "rephist.h"
diff --git a/src/or/proto_socks.c b/src/or/proto_socks.c
index 8700fe126..57a7d1cd6 100644
--- a/src/or/proto_socks.c
+++ b/src/or/proto_socks.c
@@ -9,6 +9,7 @@
#include "buffers.h"
#include "control.h"
#include "config.h"
+#include "crypto_util.h"
#include "ext_orport.h"
#include "proto_socks.h"
#include "reasons.h"
diff --git a/src/or/relay.c b/src/or/relay.c
index 5651579c3..96f43ca60 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -61,6 +61,8 @@
#include "connection_edge.h"
#include "connection_or.h"
#include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "geoip.h"
#include "hs_cache.h"
#include "main.h"
diff --git a/src/or/rendclient.c b/src/or/rendclient.c
index 9a1b97c6d..61dde8869 100644
--- a/src/or/rendclient.c
+++ b/src/or/rendclient.c
@@ -15,6 +15,8 @@
#include "config.h"
#include "connection.h"
#include "connection_edge.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "directory.h"
#include "hs_common.h"
#include "hs_circuit.h"
diff --git a/src/or/rendcommon.c b/src/or/rendcommon.c
index 230da4be5..50ca04838 100644
--- a/src/or/rendcommon.c
+++ b/src/or/rendcommon.c
@@ -14,6 +14,8 @@
#include "circuitbuild.h"
#include "config.h"
#include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "hs_common.h"
#include "rendclient.h"
#include "rendcommon.h"
diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index cc2242977..91ee321bc 100644
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -16,6 +16,8 @@
#include "circuituse.h"
#include "config.h"
#include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "directory.h"
#include "hs_common.h"
#include "hs_config.h"
diff --git a/src/or/rephist.c b/src/or/rephist.c
index ac3e9f502..fe52d206c 100644
--- a/src/or/rephist.c
+++ b/src/or/rephist.c
@@ -78,6 +78,7 @@
#include "circuitlist.h"
#include "circuituse.h"
#include "config.h"
+#include "crypto_rand.h"
#include "networkstatus.h"
#include "nodelist.h"
#include "rephist.h"
diff --git a/src/or/router.c b/src/or/router.c
index e5996f665..c52831348 100644
--- a/src/or/router.c
+++ b/src/or/router.c
@@ -13,6 +13,8 @@
#include "config.h"
#include "connection.h"
#include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "crypto_curve25519.h"
#include "directory.h"
#include "dirserv.h"
diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c
index 1933aaf4b..43460da8c 100644
--- a/src/or/routerkeys.c
+++ b/src/or/routerkeys.c
@@ -16,6 +16,7 @@
#include "or.h"
#include "config.h"
+#include "crypto_util.h"
#include "router.h"
#include "crypto_pwbox.h"
#include "routerkeys.h"
diff --git a/src/or/routerlist.c b/src/or/routerlist.c
index bc3abb236..8793c64ed 100644
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@@ -99,6 +99,7 @@
#include "config.h"
#include "connection.h"
#include "control.h"
+#include "crypto_rand.h"
#include "directory.h"
#include "dirserv.h"
#include "dirvote.h"
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 79499f2e6..9967e139f 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -58,6 +58,7 @@
#include "or.h"
#include "config.h"
#include "circuitstats.h"
+#include "crypto_util.h"
#include "dirserv.h"
#include "dirvote.h"
#include "parsecommon.h"
diff --git a/src/or/shared_random.c b/src/or/shared_random.c
index 13416d6bc..745566877 100644
--- a/src/or/shared_random.c
+++ b/src/or/shared_random.c
@@ -91,6 +91,8 @@
#include "shared_random.h"
#include "config.h"
#include "confparse.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "dirvote.h"
#include "networkstatus.h"
#include "routerkeys.h"
diff --git a/src/or/shared_random_state.c b/src/or/shared_random_state.c
index 53782af59..80470e4e9 100644
--- a/src/or/shared_random_state.c
+++ b/src/or/shared_random_state.c
@@ -14,6 +14,7 @@
#include "shared_random.h"
#include "config.h"
#include "confparse.h"
+#include "crypto_util.h"
#include "dirvote.h"
#include "networkstatus.h"
#include "router.h"
diff --git a/src/or/torcert.c b/src/or/torcert.c
index 51935ddf7..1c5afd965 100644
--- a/src/or/torcert.c
+++ b/src/or/torcert.c
@@ -27,7 +27,7 @@
#include "or.h"
#include "config.h"
-#include "crypto.h"
+#include "crypto_util.h"
#include "torcert.h"
#include "ed25519_cert.h"
#include "torlog.h"
diff --git a/src/test/bench.c b/src/test/bench.c
index 92d7a244f..c99860acc 100644
--- a/src/test/bench.c
+++ b/src/test/bench.c
@@ -23,6 +23,7 @@
#include "crypto_curve25519.h"
#include "onion_ntor.h"
#include "crypto_ed25519.h"
+#include "crypto_rand.h"
#include "consdiff.h"
#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_PROCESS_CPUTIME_ID)
diff --git a/src/test/rend_test_helpers.c b/src/test/rend_test_helpers.c
index 095bfecf2..9ac3894b0 100644
--- a/src/test/rend_test_helpers.c
+++ b/src/test/rend_test_helpers.c
@@ -2,6 +2,7 @@
/* See LICENSE for licensing information */
#include "or.h"
+#include "crypto_rand.h"
#include "test.h"
#include "rendcommon.h"
#include "rend_test_helpers.h"
diff --git a/src/test/test-memwipe.c b/src/test/test-memwipe.c
index 89d946d50..aaaf2e7f6 100644
--- a/src/test/test-memwipe.c
+++ b/src/test/test-memwipe.c
@@ -7,7 +7,7 @@
#include <sys/types.h>
#include <stdlib.h>
-#include "crypto.h"
+#include "crypto_util.h"
#include "compat.h"
#include "util.h"
diff --git a/src/test/test-timers.c b/src/test/test-timers.c
index a0b5b535c..a5c3a3b96 100644
--- a/src/test/test-timers.c
+++ b/src/test/test-timers.c
@@ -11,7 +11,7 @@
#include "compat.h"
#include "compat_libevent.h"
-#include "crypto.h"
+#include "crypto_rand.h"
#include "timers.h"
#include "util.h"
diff --git a/src/test/test.c b/src/test/test.c
index db70a24fc..6fe0dc7a3 100644
--- a/src/test/test.c
+++ b/src/test/test.c
@@ -9,6 +9,7 @@
**/
#include "orconfig.h"
+#include "crypto_rand.h"
#include <stdio.h>
#ifdef HAVE_FCNTL_H
diff --git a/src/test/test_address_set.c b/src/test/test_address_set.c
index df022f539..f7441a649 100644
--- a/src/test/test_address_set.c
+++ b/src/test/test_address_set.c
@@ -2,6 +2,7 @@
/* See LICENSE for licensing information */
#include "or.h"
+#include "crypto_rand.h"
#include "address_set.h"
#include "microdesc.h"
#include "networkstatus.h"
diff --git a/src/test/test_buffers.c b/src/test/test_buffers.c
index 057d9fa2d..868f6a8ba 100644
--- a/src/test/test_buffers.c
+++ b/src/test/test_buffers.c
@@ -8,6 +8,7 @@
#include "or.h"
#include "buffers.h"
#include "buffers_tls.h"
+#include "crypto_rand.h"
#include "proto_http.h"
#include "proto_socks.h"
#include "test.h"
diff --git a/src/test/test_cell_formats.c b/src/test/test_cell_formats.c
index 88cdef383..54d971678 100644
--- a/src/test/test_cell_formats.c
+++ b/src/test/test_cell_formats.c
@@ -12,6 +12,7 @@
#include "connection_edge.h"
#include "connection_or.h"
#include "config.h"
+#include "crypto_rand.h"
#include "onion.h"
#include "onion_tap.h"
#include "onion_fast.h"
diff --git a/src/test/test_channel.c b/src/test/test_channel.c
index 812ec6c1a..d2ce94962 100644
--- a/src/test/test_channel.c
+++ b/src/test/test_channel.c
@@ -12,6 +12,7 @@
#include "circuitmux_ewma.h"
/* For var_cell_free */
#include "connection_or.h"
+#include "crypto_rand.h"
/* For packed_cell stuff */
#define RELAY_PRIVATE
#include "relay.h"
diff --git a/src/test/test_consdiffmgr.c b/src/test/test_consdiffmgr.c
index a9a4b6a98..3b91baca3 100644
--- a/src/test/test_consdiffmgr.c
+++ b/src/test/test_consdiffmgr.c
@@ -9,6 +9,7 @@
#include "consdiff.h"
#include "consdiffmgr.h"
#include "cpuworker.h"
+#include "crypto_rand.h"
#include "networkstatus.h"
#include "routerparse.h"
#include "workqueue.h"
diff --git a/src/test/test_containers.c b/src/test/test_containers.c
index c4dba7375..3fc3523af 100644
--- a/src/test/test_containers.c
+++ b/src/test/test_containers.c
@@ -5,6 +5,7 @@
#include "orconfig.h"
#include "or.h"
+#include "crypto_rand.h"
#include "fp_pair.h"
#include "test.h"
diff --git a/src/test/test_crypto.c b/src/test/test_crypto.c
index c8443fd3b..24eef156b 100644
--- a/src/test/test_crypto.c
+++ b/src/test/test_crypto.c
@@ -5,7 +5,7 @@
#include "orconfig.h"
#define CRYPTO_CURVE25519_PRIVATE
-#define CRYPTO_PRIVATE
+#define CRYPTO_RAND_PRIVATE
#include "or.h"
#include "test.h"
#include "aes.h"
@@ -13,6 +13,7 @@
#include "siphash.h"
#include "crypto_curve25519.h"
#include "crypto_ed25519.h"
+#include "crypto_rand.h"
#include "ed25519_vectors.inc"
/** Run unit tests for Diffie-Hellman functionality. */
diff --git a/src/test/test_crypto_openssl.c b/src/test/test_crypto_openssl.c
index 090cb4242..a01627750 100644
--- a/src/test/test_crypto_openssl.c
+++ b/src/test/test_crypto_openssl.c
@@ -5,9 +5,9 @@
#include "orconfig.h"
-#define CRYPTO_PRIVATE
+#define CRYPTO_RAND_PRIVATE
-#include "crypto.h"
+#include "crypto_rand.h"
#include "util.h"
#include "util_format.h"
#include "compat.h"
diff --git a/src/test/test_crypto_slow.c b/src/test/test_crypto_slow.c
index 2afb71ff5..0e1f5bd22 100644
--- a/src/test/test_crypto_slow.c
+++ b/src/test/test_crypto_slow.c
@@ -9,6 +9,7 @@
#include "test.h"
#include "crypto_s2k.h"
#include "crypto_pwbox.h"
+#include "crypto_rand.h"
#if defined(HAVE_LIBSCRYPT_H) && defined(HAVE_LIBSCRYPT_SCRYPT)
#define HAVE_LIBSCRYPT
diff --git a/src/test/test_dir.c b/src/test/test_dir.c
index 5fac045b2..7d3b5344b 100644
--- a/src/test/test_dir.c
+++ b/src/test/test_dir.c
@@ -23,6 +23,7 @@
#include "config.h"
#include "control.h"
#include "crypto_ed25519.h"
+#include "crypto_rand.h"
#include "directory.h"
#include "dirserv.h"
#include "dirvote.h"
diff --git a/src/test/test_dos.c b/src/test/test_dos.c
index cb9d9e559..8ae967f3a 100644
--- a/src/test/test_dos.c
+++ b/src/test/test_dos.c
@@ -8,6 +8,7 @@
#include "or.h"
#include "dos.h"
#include "circuitlist.h"
+#include "crypto_rand.h"
#include "geoip.h"
#include "channel.h"
#include "microdesc.h"
diff --git a/src/test/test_entrynodes.c b/src/test/test_entrynodes.c
index 92a860360..85490d6bd 100644
--- a/src/test/test_entrynodes.c
+++ b/src/test/test_entrynodes.c
@@ -16,6 +16,7 @@
#include "circuitlist.h"
#include "config.h"
#include "confparse.h"
+#include "crypto_rand.h"
#include "directory.h"
#include "entrynodes.h"
#include "nodelist.h"
diff --git a/src/test/test_extorport.c b/src/test/test_extorport.c
index cadef257f..e05342cb8 100644
--- a/src/test/test_extorport.c
+++ b/src/test/test_extorport.c
@@ -10,6 +10,7 @@
#include "connection_or.h"
#include "config.h"
#include "control.h"
+#include "crypto_rand.h"
#include "ext_orport.h"
#include "main.h"
#include "test.h"
diff --git a/src/test/test_helpers.c b/src/test/test_helpers.c
index ab453d3bd..42e911431 100644
--- a/src/test/test_helpers.c
+++ b/src/test/test_helpers.c
@@ -18,6 +18,7 @@
#include "config.h"
#include "confparse.h"
#include "connection.h"
+#include "crypto_rand.h"
#include "main.h"
#include "nodelist.h"
#include "relay.h"
diff --git a/src/test/test_hs_cell.c b/src/test/test_hs_cell.c
index 1b3c788a6..5c5236b39 100644
--- a/src/test/test_hs_cell.c
+++ b/src/test/test_hs_cell.c
@@ -14,6 +14,7 @@
#include "log_test_helpers.h"
#include "crypto_ed25519.h"
+#include "crypto_rand.h"
#include "hs_cell.h"
#include "hs_intropoint.h"
#include "hs_service.h"
diff --git a/src/test/test_hs_common.c b/src/test/test_hs_common.c
index 8c273c963..e5661ac86 100644
--- a/src/test/test_hs_common.c
+++ b/src/test/test_hs_common.c
@@ -17,6 +17,7 @@
#include "hs_test_helpers.h"
#include "connection_edge.h"
+#include "crypto_rand.h"
#include "hs_common.h"
#include "hs_client.h"
#include "hs_service.h"
diff --git a/src/test/test_hs_descriptor.c b/src/test/test_hs_descriptor.c
index 388b85f97..988f77f2f 100644
--- a/src/test/test_hs_descriptor.c
+++ b/src/test/test_hs_descriptor.c
@@ -10,6 +10,7 @@
#include "crypto_ed25519.h"
#include "crypto_digest.h"
+#include "crypto_rand.h"
#include "ed25519_cert.h"
#include "or.h"
#include "hs_descriptor.h"
diff --git a/src/test/test_hs_intropoint.c b/src/test/test_hs_intropoint.c
index fe3236c33..4253c9a38 100644
--- a/src/test/test_hs_intropoint.c
+++ b/src/test/test_hs_intropoint.c
@@ -13,7 +13,7 @@
#include "test.h"
#include "log_test_helpers.h"
-#include "crypto.h"
+#include "crypto_rand.h"
#include "or.h"
#include "circuitlist.h"
diff --git a/src/test/test_hs_service.c b/src/test/test_hs_service.c
index de74fdb30..cad12481c 100644
--- a/src/test/test_hs_service.c
+++ b/src/test/test_hs_service.c
@@ -33,7 +33,7 @@
#include "circuitbuild.h"
#include "circuitlist.h"
#include "circuituse.h"
-#include "crypto.h"
+#include "crypto_rand.h"
#include "dirvote.h"
#include "networkstatus.h"
#include "nodelist.h"
diff --git a/src/test/test_nodelist.c b/src/test/test_nodelist.c
index a873003d7..9499fd038 100644
--- a/src/test/test_nodelist.c
+++ b/src/test/test_nodelist.c
@@ -7,6 +7,7 @@
**/
#include "or.h"
+#include "crypto_rand.h"
#include "networkstatus.h"
#include "nodelist.h"
#include "torcert.h"
diff --git a/src/test/test_oom.c b/src/test/test_oom.c
index c172fe60c..abf889645 100644
--- a/src/test/test_oom.c
+++ b/src/test/test_oom.c
@@ -13,6 +13,7 @@
#include "compat_libevent.h"
#include "connection.h"
#include "config.h"
+#include "crypto_rand.h"
#include "relay.h"
#include "test.h"
#include "test_helpers.h"
diff --git a/src/test/test_routerlist.c b/src/test/test_routerlist.c
index c19d66ef9..e56a868e0 100644
--- a/src/test/test_routerlist.c
+++ b/src/test/test_routerlist.c
@@ -18,6 +18,7 @@
#include "connection.h"
#include "container.h"
#include "control.h"
+#include "crypto_rand.h"
#include "directory.h"
#include "dirvote.h"
#include "entrynodes.h"
diff --git a/src/test/test_shared_random.c b/src/test/test_shared_random.c
index 4fe9ee45f..7928518ef 100644
--- a/src/test/test_shared_random.c
+++ b/src/test/test_shared_random.c
@@ -9,6 +9,7 @@
#include "or.h"
#include "test.h"
#include "config.h"
+#include "crypto_rand.h"
#include "dirvote.h"
#include "shared_random.h"
#include "shared_random_state.h"
diff --git a/src/test/test_storagedir.c b/src/test/test_storagedir.c
index a27074c21..26606f9b6 100644
--- a/src/test/test_storagedir.c
+++ b/src/test/test_storagedir.c
@@ -2,6 +2,7 @@
/* See LICENSE for licensing information */
#include "or.h"
+#include "crypto_rand.h"
#include "storagedir.h"
#include "test.h"
diff --git a/src/test/test_util.c b/src/test/test_util.c
index ce8567d9a..e3a9eca2d 100644
--- a/src/test/test_util.c
+++ b/src/test/test_util.c
@@ -12,6 +12,7 @@
#include "buffers.h"
#include "config.h"
#include "control.h"
+#include "crypto_rand.h"
#include "test.h"
#include "memarea.h"
#include "util_process.h"
diff --git a/src/test/test_util_format.c b/src/test/test_util_format.c
index 683d5fdac..10645fe11 100644
--- a/src/test/test_util_format.c
+++ b/src/test/test_util_format.c
@@ -6,6 +6,7 @@
#include "test.h"
+#include "crypto_rand.h"
#define UTIL_FORMAT_PRIVATE
#include "util_format.h"
diff --git a/src/test/test_workqueue.c b/src/test/test_workqueue.c
index 2b0317371..972b655c1 100644
--- a/src/test/test_workqueue.c
+++ b/src/test/test_workqueue.c
@@ -7,8 +7,8 @@
#include "compat_threads.h"
#include "onion.h"
#include "workqueue.h"
-#include "crypto.h"
#include "crypto_curve25519.h"
+#include "crypto_rand.h"
#include "compat_libevent.h"
#include <stdio.h>
diff --git a/src/test/testing_common.c b/src/test/testing_common.c
index b9b36d96d..3e3b5a43f 100644
--- a/src/test/testing_common.c
+++ b/src/test/testing_common.c
@@ -12,6 +12,7 @@
#include "or.h"
#include "control.h"
#include "config.h"
+#include "crypto_rand.h"
#include "rephist.h"
#include "backtrace.h"
#include "test.h"
diff --git a/src/test/testing_rsakeys.c b/src/test/testing_rsakeys.c
index 7a24c0ed1..94d3db328 100644
--- a/src/test/testing_rsakeys.c
+++ b/src/test/testing_rsakeys.c
@@ -3,6 +3,7 @@
* Copyright (c) 2007-2017, The Tor Project, Inc. */
/* See LICENSE for licensing information */
+#include "crypto_rand.h"
#include "orconfig.h"
#include "or.h"
#include "test.h"
diff --git a/src/tools/tor-gencert.c b/src/tools/tor-gencert.c
index 639a6fbc2..aafefdad7 100644
--- a/src/tools/tor-gencert.c
+++ b/src/tools/tor-gencert.c
@@ -40,6 +40,8 @@ ENABLE_GCC_WARNING(redundant-decls)
#include "torlog.h"
#include "crypto.h"
#include "crypto_digest.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
#include "address.h"
#include "util_format.h"
diff --git a/src/trunnel/trunnel-local.h b/src/trunnel/trunnel-local.h
index b7c2ab98e..8aa6d0dda 100644
--- a/src/trunnel/trunnel-local.h
+++ b/src/trunnel/trunnel-local.h
@@ -4,7 +4,7 @@
#include "util.h"
#include "compat.h"
-#include "crypto.h"
+#include "crypto_util.h"
#define trunnel_malloc tor_malloc
#define trunnel_calloc tor_calloc
More information about the tor-commits
mailing list