Merge remote-tracking branch 'isis/bug24660_r1'

src/common/address_set.c

@@ -15,7 +15,7 @@
 #include "address.h"
 #include "compat.h"
 #include "container.h"
-#include "crypto.h"
+#include "crypto_rand.h"
 #include "util.h"
 #include "siphash.h"
 

src/common/aes.c

@@ -17,7 +17,6 @@
 #endif
 
 #include <openssl/opensslv.h>
-#include "crypto.h"
 #include "crypto_openssl_mgt.h"
 
 #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)

src/common/compat_libevent.c

@@ -11,7 +11,7 @@
 #define COMPAT_LIBEVENT_PRIVATE
 #include "compat_libevent.h"
 
-#include "crypto.h"
+#include "crypto_rand.h"
 
 #include "util.h"
 #include "torlog.h"

src/common/crypto.c

@@ -23,22 +23,21 @@
 #endif /* defined(_WIN32) */
 
 #define CRYPTO_PRIVATE
-#include "crypto.h"
 #include "compat_openssl.h"
+#include "crypto.h"
 #include "crypto_curve25519.h"
+#include "crypto_digest.h"
 #include "crypto_ed25519.h"
 #include "crypto_format.h"
+#include "crypto_rand.h"
 #include "crypto_rsa.h"
-#include "crypto_digest.h"
+#include "crypto_util.h"
 
 DISABLE_GCC_WARNING(redundant-decls)
 
 #include <openssl/err.h>
-#include <openssl/rsa.h>
-#include <openssl/pem.h>
 #include <openssl/evp.h>
 #include <openssl/engine.h>
-#include <openssl/rand.h>
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 #include <openssl/conf.h>
@@ -61,12 +60,6 @@ ENABLE_GCC_WARNING(redundant-decls)
 #ifdef HAVE_UNISTD_H
 #include <unistd.h>
 #endif
-#ifdef HAVE_FCNTL_H
-#include <fcntl.h>
-#endif
-#ifdef HAVE_SYS_FCNTL_H
-#include <sys/fcntl.h>
-#endif
 #ifdef HAVE_SYS_SYSCALL_H
 #include <sys/syscall.h>
 #endif
@@ -85,12 +78,6 @@ ENABLE_GCC_WARNING(redundant-decls)
 
 #include "keccak-tiny/keccak-tiny.h"
 
-/** Longest recognized */
-#define MAX_DNS_LABEL_SIZE 63
-
-/** Largest strong entropy request */
-#define MAX_STRONGEST_RAND_SIZE 256
-
 /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
  * while we're waiting for the second.*/
 struct crypto_dh_t {
@@ -163,23 +150,6 @@ try_load_engine(const char *path, const char *engine)
 }
 #endif /* !defined(DISABLE_ENGINES) */
 
-/** Make sure that openssl is using its default PRNG. Return 1 if we had to
- * adjust it; 0 otherwise. */
-STATIC int
-crypto_force_rand_ssleay(void)
-{
-  RAND_METHOD *default_method;
-  default_method = RAND_OpenSSL();
-  if (RAND_get_rand_method() != default_method) {
-    log_notice(LD_CRYPTO, "It appears that one of our engines has provided "
-               "a replacement the OpenSSL RNG. Resetting it to the default "
-               "implementation.");
-    RAND_set_rand_method(default_method);
-    return 1;
-  }
-  return 0;
-}
-
 static int have_seeded_siphash = 0;
 
 /** Set up the siphash key if we haven't already done so. */
@@ -1091,576 +1061,6 @@ crypto_dh_free_(crypto_dh_t *dh)
   tor_free(dh);
 }
 
-/* random numbers */
-
-/** How many bytes of entropy we add at once.
- *
- * This is how much entropy OpenSSL likes to add right now, so maybe it will
- * work for us too. */
-#define ADD_ENTROPY 32
-
-/** Set the seed of the weak RNG to a random value. */
-void
-crypto_seed_weak_rng(tor_weak_rng_t *rng)
-{
-  unsigned seed;
-  crypto_rand((void*)&seed, sizeof(seed));
-  tor_init_weak_random(rng, seed);
-}
-
-#ifdef TOR_UNIT_TESTS
-int break_strongest_rng_syscall = 0;
-int break_strongest_rng_fallback = 0;
-#endif
-
-/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
- * via system calls, storing it into <b>out</b>. Return 0 on success, -1 on
- * failure.  A maximum request size of 256 bytes is imposed.
- */
-static int
-crypto_strongest_rand_syscall(uint8_t *out, size_t out_len)
-{
-  tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
-
-  /* We only log at notice-level here because in the case that this function
-   * fails the crypto_strongest_rand_raw() caller will log with a warning-level
-   * message and let crypto_strongest_rand() error out and finally terminating
-   * Tor with an assertion error.
-   */
-
-#ifdef TOR_UNIT_TESTS
-  if (break_strongest_rng_syscall)
-    return -1;
-#endif
-
-#if defined(_WIN32)
-  static int provider_set = 0;
-  static HCRYPTPROV provider;
-
-  if (!provider_set) {
-    if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
-                             CRYPT_VERIFYCONTEXT)) {
-      log_notice(LD_CRYPTO, "Unable to set Windows CryptoAPI provider [1].");
-      return -1;
-    }
-    provider_set = 1;
-  }
-  if (!CryptGenRandom(provider, out_len, out)) {
-    log_notice(LD_CRYPTO, "Unable get entropy from the Windows CryptoAPI.");
-    return -1;
-  }
-
-  return 0;
-#elif defined(__linux__) && defined(SYS_getrandom)
-  static int getrandom_works = 1; /* Be optimistic about our chances... */
-
-  /* getrandom() isn't as straightforward as getentropy(), and has
-   * no glibc wrapper.
-   *
-   * As far as I can tell from getrandom(2) and the source code, the
-   * requests we issue will always succeed (though it will block on the
-   * call if /dev/urandom isn't seeded yet), since we are NOT specifying
-   * GRND_NONBLOCK and the request is <= 256 bytes.
-   *
-   * The manpage is unclear on what happens if a signal interrupts the call
-   * while the request is blocked due to lack of entropy....
-   *
-   * We optimistically assume that getrandom() is available and functional
-   * because it is the way of the future, and 2 branch mispredicts pale in
-   * comparison to the overheads involved with failing to open
-   * /dev/srandom followed by opening and reading from /dev/urandom.
-   */
-  if (PREDICT_LIKELY(getrandom_works)) {
-    long ret;
-    /* A flag of '0' here means to read from '/dev/urandom', and to
-     * block if insufficient entropy is available to service the
-     * request.
-     */
-    const unsigned int flags = 0;
-    do {
-      ret = syscall(SYS_getrandom, out, out_len, flags);
-    } while (ret == -1 && ((errno == EINTR) ||(errno == EAGAIN)));
-
-    if (PREDICT_UNLIKELY(ret == -1)) {
-      /* LCOV_EXCL_START we can't actually make the syscall fail in testing. */
-      tor_assert(errno != EAGAIN);
-      tor_assert(errno != EINTR);
-
-      /* Useful log message for errno. */
-      if (errno == ENOSYS) {
-        log_notice(LD_CRYPTO, "Can't get entropy from getrandom()."
-                   " You are running a version of Tor built to support"
-                   " getrandom(), but the kernel doesn't implement this"
-                   " function--probably because it is too old?"
-                   " Trying fallback method instead.");
-      } else {
-        log_notice(LD_CRYPTO, "Can't get entropy from getrandom(): %s."
-                              " Trying fallback method instead.",
-                   strerror(errno));
-      }
-
-      getrandom_works = 0; /* Don't bother trying again. */
-      return -1;
-      /* LCOV_EXCL_STOP */
-    }
-
-    tor_assert(ret == (long)out_len);
-    return 0;
-  }
-
-  return -1; /* getrandom() previously failed unexpectedly. */
-#elif defined(HAVE_GETENTROPY)
-  /* getentropy() is what Linux's getrandom() wants to be when it grows up.
-   * the only gotcha is that requests are limited to 256 bytes.
-   */
-  return getentropy(out, out_len);
-#else
-  (void) out;
-#endif /* defined(_WIN32) || ... */
-
-  /* This platform doesn't have a supported syscall based random. */
-  return -1;
-}
-
-/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
- * via the per-platform fallback mechanism, storing it into <b>out</b>.
- * Return 0 on success, -1 on failure.  A maximum request size of 256 bytes
- * is imposed.
- */
-static int
-crypto_strongest_rand_fallback(uint8_t *out, size_t out_len)
-{
-#ifdef TOR_UNIT_TESTS
-  if (break_strongest_rng_fallback)
-    return -1;
-#endif
-
-#ifdef _WIN32
-  /* Windows exclusively uses crypto_strongest_rand_syscall(). */
-  (void)out;
-  (void)out_len;
-  return -1;
-#else /* !(defined(_WIN32)) */
-  static const char *filenames[] = {
-    "/dev/srandom", "/dev/urandom", "/dev/random", NULL
-  };
-  int fd, i;
-  size_t n;
-
-  for (i = 0; filenames[i]; ++i) {
-    log_debug(LD_FS, "Considering %s as entropy source", filenames[i]);
-    fd = open(sandbox_intern_string(filenames[i]), O_RDONLY, 0);
-    if (fd<0) continue;
-    log_info(LD_CRYPTO, "Reading entropy from \"%s\"", filenames[i]);
-    n = read_all(fd, (char*)out, out_len, 0);
-    close(fd);
-    if (n != out_len) {
-      /* LCOV_EXCL_START
-       * We can't make /dev/foorandom actually fail. */
-      log_notice(LD_CRYPTO,
-                 "Error reading from entropy source %s (read only %lu bytes).",
-                 filenames[i],
-                 (unsigned long)n);
-      return -1;
-      /* LCOV_EXCL_STOP */
-    }
-
-    return 0;
-  }
-
-  return -1;
-#endif /* defined(_WIN32) */
-}
-
-/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
- * storing it into <b>out</b>. Return 0 on success, -1 on failure.  A maximum
- * request size of 256 bytes is imposed.
- */
-STATIC int
-crypto_strongest_rand_raw(uint8_t *out, size_t out_len)
-{
-  static const size_t sanity_min_size = 16;
-  static const int max_attempts = 3;
-  tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
-
-  /* For buffers >= 16 bytes (128 bits), we sanity check the output by
-   * zero filling the buffer and ensuring that it actually was at least
-   * partially modified.
-   *
-   * Checking that any individual byte is non-zero seems like it would
-   * fail too often (p = out_len * 1/256) for comfort, but this is an
-   * "adjust according to taste" sort of check.
-   */
-  memwipe(out, 0, out_len);
-  for (int i = 0; i < max_attempts; i++) {
-    /* Try to use the syscall/OS favored mechanism to get strong entropy. */
-    if (crypto_strongest_rand_syscall(out, out_len) != 0) {
-      /* Try to use the less-favored mechanism to get strong entropy. */
-      if (crypto_strongest_rand_fallback(out, out_len) != 0) {
-        /* Welp, we tried.  Hopefully the calling code terminates the process
-         * since we're basically boned without good entropy.
-         */
-        log_warn(LD_CRYPTO,
-                 "Cannot get strong entropy: no entropy source found.");
-        return -1;
-      }
-    }
-
-    if ((out_len < sanity_min_size) || !tor_mem_is_zero((char*)out, out_len))
-      return 0;
-  }
-
-  /* LCOV_EXCL_START
-   *
-   * We tried max_attempts times to fill a buffer >= 128 bits long,
-   * and each time it returned all '0's.  Either the system entropy
-   * source is busted, or the user should go out and buy a ticket to
-   * every lottery on the planet.
-   */
-  log_warn(LD_CRYPTO, "Strong OS entropy returned all zero buffer.");
-
-  return -1;
-  /* LCOV_EXCL_STOP */
-}
-
-/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
- * storing it into <b>out</b>.
- */
-void
-crypto_strongest_rand(uint8_t *out, size_t out_len)
-{
-#define DLEN SHA512_DIGEST_LENGTH
-  /* We're going to hash DLEN bytes from the system RNG together with some
-   * bytes from the openssl PRNG, in order to yield DLEN bytes.
-   */
-  uint8_t inp[DLEN*2];
-  uint8_t tmp[DLEN];
-  tor_assert(out);
-  while (out_len) {
-    crypto_rand((char*) inp, DLEN);
-    if (crypto_strongest_rand_raw(inp+DLEN, DLEN) < 0) {
-      // LCOV_EXCL_START
-      log_err(LD_CRYPTO, "Failed to load strong entropy when generating an "
-              "important key. Exiting.");
-      /* Die with an assertion so we get a stack trace. */
-      tor_assert(0);
-      // LCOV_EXCL_STOP
-    }
-    if (out_len >= DLEN) {
-      SHA512(inp, sizeof(inp), out);
-      out += DLEN;
-      out_len -= DLEN;
-    } else {
-      SHA512(inp, sizeof(inp), tmp);
-      memcpy(out, tmp, out_len);
-      break;
-    }
-  }
-  memwipe(tmp, 0, sizeof(tmp));
-  memwipe(inp, 0, sizeof(inp));
-#undef DLEN
-}
-
-/** Seed OpenSSL's random number generator with bytes from the operating
- * system.  Return 0 on success, -1 on failure.
- */
-int
-crypto_seed_rng(void)
-{
-  int rand_poll_ok = 0, load_entropy_ok = 0;
-  uint8_t buf[ADD_ENTROPY];
-
-  /* OpenSSL has a RAND_poll function that knows about more kinds of
-   * entropy than we do.  We'll try calling that, *and* calling our own entropy
-   * functions.  If one succeeds, we'll accept the RNG as seeded. */
-  rand_poll_ok = RAND_poll();
-  if (rand_poll_ok == 0)
-    log_warn(LD_CRYPTO, "RAND_poll() failed."); // LCOV_EXCL_LINE
-
-  load_entropy_ok = !crypto_strongest_rand_raw(buf, sizeof(buf));
-  if (load_entropy_ok) {
-    RAND_seed(buf, sizeof(buf));
-  }
-
-  memwipe(buf, 0, sizeof(buf));
-
-  if ((rand_poll_ok || load_entropy_ok) && RAND_status() == 1)
-    return 0;
-  else
-    return -1;
-}
-
-/** Write <b>n</b> bytes of strong random data to <b>to</b>. Supports mocking
- * for unit tests.
- *
- * This function is not allowed to fail; if it would fail to generate strong
- * entropy, it must terminate the process instead.
- */
-MOCK_IMPL(void,
-crypto_rand, (char *to, size_t n))
-{
-  crypto_rand_unmocked(to, n);
-}
-
-/** Write <b>n</b> bytes of strong random data to <b>to</b>.  Most callers
- * will want crypto_rand instead.
- *
- * This function is not allowed to fail; if it would fail to generate strong
- * entropy, it must terminate the process instead.
- */
-void
-crypto_rand_unmocked(char *to, size_t n)
-{
-  int r;
-  if (n == 0)
-    return;
-
-  tor_assert(n < INT_MAX);
-  tor_assert(to);
-  r = RAND_bytes((unsigned char*)to, (int)n);
-  /* We consider a PRNG failure non-survivable. Let's assert so that we get a
-   * stack trace about where it happened.
-   */
-  tor_assert(r >= 0);
-}
-
-/** Return a pseudorandom integer, chosen uniformly from the values
- * between 0 and <b>max</b>-1 inclusive.  <b>max</b> must be between 1 and
- * INT_MAX+1, inclusive. */
-int
-crypto_rand_int(unsigned int max)
-{
-  unsigned int val;
-  unsigned int cutoff;
-  tor_assert(max <= ((unsigned int)INT_MAX)+1);
-  tor_assert(max > 0); /* don't div by 0 */
-
-  /* We ignore any values that are >= 'cutoff,' to avoid biasing the
-   * distribution with clipping at the upper end of unsigned int's
-   * range.
-   */
-  cutoff = UINT_MAX - (UINT_MAX%max);
-  while (1) {
-    crypto_rand((char*)&val, sizeof(val));
-    if (val < cutoff)
-      return val % max;
-  }
-}
-
-/** Return a pseudorandom integer, chosen uniformly from the values i such
- * that min <= i < max.
- *
- * <b>min</b> MUST be in range [0, <b>max</b>).
- * <b>max</b> MUST be in range (min, INT_MAX].
- */
-int
-crypto_rand_int_range(unsigned int min, unsigned int max)
-{
-  tor_assert(min < max);
-  tor_assert(max <= INT_MAX);
-
-  /* The overflow is avoided here because crypto_rand_int() returns a value
-   * between 0 and (max - min) inclusive. */
-  return min + crypto_rand_int(max - min);
-}
-
-/** As crypto_rand_int_range, but supports uint64_t. */
-uint64_t
-crypto_rand_uint64_range(uint64_t min, uint64_t max)
-{
-  tor_assert(min < max);
-  return min + crypto_rand_uint64(max - min);
-}
-
-/** As crypto_rand_int_range, but supports time_t. */
-time_t
-crypto_rand_time_range(time_t min, time_t max)
-{
-  tor_assert(min < max);
-  return min + (time_t)crypto_rand_uint64(max - min);
-}
-
-/** Return a pseudorandom 64-bit integer, chosen uniformly from the values
- * between 0 and <b>max</b>-1 inclusive. */
-uint64_t
-crypto_rand_uint64(uint64_t max)
-{
-  uint64_t val;
-  uint64_t cutoff;
-  tor_assert(max < UINT64_MAX);
-  tor_assert(max > 0); /* don't div by 0 */
-
-  /* We ignore any values that are >= 'cutoff,' to avoid biasing the
-   * distribution with clipping at the upper end of unsigned int's
-   * range.
-   */
-  cutoff = UINT64_MAX - (UINT64_MAX%max);
-  while (1) {
-    crypto_rand((char*)&val, sizeof(val));
-    if (val < cutoff)
-      return val % max;
-  }
-}
-
-/** Return a pseudorandom double d, chosen uniformly from the range
- * 0.0 <= d < 1.0.
- */
-double
-crypto_rand_double(void)
-{
-  /* We just use an unsigned int here; we don't really care about getting
-   * more than 32 bits of resolution */
-  unsigned int u;
-  crypto_rand((char*)&u, sizeof(u));
-#if SIZEOF_INT == 4
-#define UINT_MAX_AS_DOUBLE 4294967296.0
-#elif SIZEOF_INT == 8
-#define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
-#else
-#error SIZEOF_INT is neither 4 nor 8
-#endif /* SIZEOF_INT == 4 || ... */
-  return ((double)u) / UINT_MAX_AS_DOUBLE;
-}
-
-/** Generate and return a new random hostname starting with <b>prefix</b>,
- * ending with <b>suffix</b>, and containing no fewer than
- * <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
- * characters. Does not check for failure.
- *
- * Clip <b>max_rand_len</b> to MAX_DNS_LABEL_SIZE.
- **/
-char *
-crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix,
-                       const char *suffix)
-{
-  char *result, *rand_bytes;
-  int randlen, rand_bytes_len;
-  size_t resultlen, prefixlen;
-
-  if (max_rand_len > MAX_DNS_LABEL_SIZE)
-    max_rand_len = MAX_DNS_LABEL_SIZE;
-  if (min_rand_len > max_rand_len)
-    min_rand_len = max_rand_len;
-
-  randlen = crypto_rand_int_range(min_rand_len, max_rand_len+1);
-
-  prefixlen = strlen(prefix);
-  resultlen = prefixlen + strlen(suffix) + randlen + 16;
-
-  rand_bytes_len = ((randlen*5)+7)/8;
-  if (rand_bytes_len % 5)
-    rand_bytes_len += 5 - (rand_bytes_len%5);
-  rand_bytes = tor_malloc(rand_bytes_len);
-  crypto_rand(rand_bytes, rand_bytes_len);
-
-  result = tor_malloc(resultlen);
-  memcpy(result, prefix, prefixlen);
-  base32_encode(result+prefixlen, resultlen-prefixlen,
-                rand_bytes, rand_bytes_len);
-  tor_free(rand_bytes);
-  strlcpy(result+prefixlen+randlen, suffix, resultlen-(prefixlen+randlen));
-
-  return result;
-}
-
-/** Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
- * is empty. */
-void *
-smartlist_choose(const smartlist_t *sl)
-{
-  int len = smartlist_len(sl);
-  if (len)
-    return smartlist_get(sl,crypto_rand_int(len));
-  return NULL; /* no elements to choose from */
-}
-
-/** Scramble the elements of <b>sl</b> into a random order. */
-void
-smartlist_shuffle(smartlist_t *sl)
-{
-  int i;
-  /* From the end of the list to the front, choose at random from the
-     positions we haven't looked at yet, and swap that position into the
-     current position.  Remember to give "no swap" the same probability as
-     any other swap. */
-  for (i = smartlist_len(sl)-1; i > 0; --i) {
-    int j = crypto_rand_int(i+1);
-    smartlist_swap(sl, i, j);
-  }
-}
-
-/**
- * Destroy the <b>sz</b> bytes of data stored at <b>mem</b>, setting them to
- * the value <b>byte</b>.
- * If <b>mem</b> is NULL or <b>sz</b> is zero, nothing happens.
- *
- * This function is preferable to memset, since many compilers will happily
- * optimize out memset() when they can convince themselves that the data being
- * cleared will never be read.
- *
- * Right now, our convention is to use this function when we are wiping data
- * that's about to become inaccessible, such as stack buffers that are about
- * to go out of scope or structures that are about to get freed.  (In
- * practice, it appears that the compilers we're currently using will optimize
- * out the memset()s for stack-allocated buffers, but not those for
- * about-to-be-freed structures. That could change, though, so we're being
- * wary.)  If there are live reads for the data, then you can just use
- * memset().
- */
-void
-memwipe(void *mem, uint8_t byte, size_t sz)
-{
-  if (sz == 0) {
-    return;
-  }
-  /* If sz is nonzero, then mem must not be NULL. */
-  tor_assert(mem != NULL);
-
-  /* Data this large is likely to be an underflow. */
-  tor_assert(sz < SIZE_T_CEILING);
-
-  /* Because whole-program-optimization exists, we may not be able to just
-   * have this function call "memset".  A smart compiler could inline it, then
-   * eliminate dead memsets, and declare itself to be clever. */
-
-#if defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY)
-  /* Here's what you do on windows. */
-  SecureZeroMemory(mem,sz);
-#elif defined(HAVE_RTLSECUREZEROMEMORY)
-  RtlSecureZeroMemory(mem,sz);
-#elif defined(HAVE_EXPLICIT_BZERO)
-  /* The BSDs provide this. */
-  explicit_bzero(mem, sz);
-#elif defined(HAVE_MEMSET_S)
-  /* This is in the C99 standard. */
-  memset_s(mem, sz, 0, sz);
-#else
-  /* This is a slow and ugly function from OpenSSL that fills 'mem' with junk
-   * based on the pointer value, then uses that junk to update a global
-   * variable.  It's an elaborate ruse to trick the compiler into not
-   * optimizing out the "wipe this memory" code.  Read it if you like zany
-   * programming tricks! In later versions of Tor, we should look for better
-   * not-optimized-out memory wiping stuff...
-   *
-   * ...or maybe not.  In practice, there are pure-asm implementations of
-   * OPENSSL_cleanse() on most platforms, which ought to do the job.
-   **/
-
-  OPENSSL_cleanse(mem, sz);
-#endif /* defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY) || ... */
-
-  /* Just in case some caller of memwipe() is relying on getting a buffer
-   * filled with a particular value, fill the buffer.
-   *
-   * If this function gets inlined, this memset might get eliminated, but
-   * that's okay: We only care about this particular memset in the case where
-   * the caller should have been using memset(), and the memset() wouldn't get
-   * eliminated.  In other words, this is here so that we won't break anything
-   * if somebody accidentally calls memwipe() instead of memset().
-   **/
-  memset(mem, byte, sz);
-}
-
 /** @{ */
 /** Uninitialize the crypto library. Return 0 on success. Does not detect
  * failure.

src/common/crypto.h

@@ -17,13 +17,10 @@
 
 #include <stdio.h>
 #include "torint.h"
-#include "testsupport.h"
 #include "compat.h"
 #include "util.h"
 #include "crypto_rsa.h"
 
-#include "keccak-tiny/keccak-tiny.h"
-
 /** Length of our symmetric cipher's keys of 128-bit. */
 #define CIPHER_KEY_LEN 16
 /** Length of our symmetric cipher's IV of 128-bit. */
@@ -41,6 +38,7 @@ typedef struct aes_cnt_cipher crypto_cipher_t;
 typedef struct crypto_dh_t crypto_dh_t;
 
 /* global state */
+int crypto_init_siphash_key(void);
 int crypto_early_init(void) ATTR_WUR;
 int crypto_global_init(int hardwareAccel,
                        const char *accelName,
@@ -105,31 +103,6 @@ int crypto_expand_key_material_rfc5869_sha256(
                                     const uint8_t *info_in, size_t info_in_len,
                                     uint8_t *key_out, size_t key_out_len);
 
-/* random numbers */
-int crypto_seed_rng(void) ATTR_WUR;
-MOCK_DECL(void,crypto_rand,(char *to, size_t n));
-void crypto_rand_unmocked(char *to, size_t n);
-void crypto_strongest_rand(uint8_t *out, size_t out_len);
-int crypto_rand_int(unsigned int max);
-int crypto_rand_int_range(unsigned int min, unsigned int max);
-uint64_t crypto_rand_uint64_range(uint64_t min, uint64_t max);
-time_t crypto_rand_time_range(time_t min, time_t max);
-uint64_t crypto_rand_uint64(uint64_t max);
-double crypto_rand_double(void);
-struct tor_weak_rng_t;
-void crypto_seed_weak_rng(struct tor_weak_rng_t *rng);
-int crypto_init_siphash_key(void);
-
-char *crypto_random_hostname(int min_rand_len, int max_rand_len,
-                             const char *prefix, const char *suffix);
-
-struct smartlist_t;
-void *smartlist_choose(const struct smartlist_t *sl);
-void smartlist_shuffle(struct smartlist_t *sl);
-
-/** OpenSSL-based utility functions. */
-void memwipe(void *mem, uint8_t byte, size_t sz);
-
 /* Prototypes for private functions only used by tortls.c, crypto.c, and the
  * unit tests. */
 struct dh_st;
@@ -137,16 +110,5 @@ struct dh_st *crypto_dh_get_dh_(crypto_dh_t *dh);
 
 void crypto_add_spaces_to_fp(char *out, size_t outlen, const char *in);
 
-#ifdef CRYPTO_PRIVATE
-
-STATIC int crypto_force_rand_ssleay(void);
-STATIC int crypto_strongest_rand_raw(uint8_t *out, size_t out_len);
-
-#ifdef TOR_UNIT_TESTS
-extern int break_strongest_rng_syscall;
-extern int break_strongest_rng_fallback;
-#endif
-#endif /* defined(CRYPTO_PRIVATE) */
-
 #endif /* !defined(TOR_CRYPTO_H) */
 

src/common/crypto_curve25519.c

@@ -21,10 +21,11 @@
 #include <sys/stat.h>
 #endif
 #include "container.h"
-#include "crypto.h"
 #include "crypto_curve25519.h"
-#include "crypto_format.h"
 #include "crypto_digest.h"
+#include "crypto_format.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "util.h"
 #include "torlog.h"
 

src/common/crypto_digest.c

@@ -10,10 +10,13 @@
  * operations.
  **/
 
+#include "container.h"
 #include "crypto_digest.h"
-
-#include "crypto.h" /* common functions */
 #include "crypto_openssl_mgt.h"
+#include "crypto_util.h"
+#include "torlog.h"
+
+#include "keccak-tiny/keccak-tiny.h"
 
 DISABLE_GCC_WARNING(redundant-decls)
 
@@ -22,8 +25,6 @@ DISABLE_GCC_WARNING(redundant-decls)
 
 ENABLE_GCC_WARNING(redundant-decls)
 
-#include "container.h"
-
 /* Crypto digest functions */
 
 /** Compute the SHA1 digest of the <b>len</b> bytes on data stored in

src/common/crypto_ed25519.c

@@ -21,12 +21,12 @@
 #include <sys/stat.h>
 #endif
 
-#include "crypto.h"
-
-#include "crypto_digest.h"
 #include "crypto_curve25519.h"
+#include "crypto_digest.h"
 #include "crypto_ed25519.h"
 #include "crypto_format.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "torlog.h"
 #include "util.h"
 #include "util_format.h"

src/common/crypto_format.c

@@ -15,11 +15,11 @@
 #include <sys/stat.h>
 #endif
 #include "container.h"
-#include "crypto.h"
 #include "crypto_curve25519.h"
+#include "crypto_digest.h"
 #include "crypto_ed25519.h"
 #include "crypto_format.h"
-#include "crypto_digest.h"
+#include "crypto_util.h"
 #include "util.h"
 #include "util_format.h"
 #include "torlog.h"

src/common/crypto_pwbox.c

@@ -9,9 +9,11 @@
  */
 
 #include "crypto.h"
-#include "crypto_s2k.h"
-#include "crypto_pwbox.h"
 #include "crypto_digest.h"
+#include "crypto_pwbox.h"
+#include "crypto_rand.h"
+#include "crypto_s2k.h"
+#include "crypto_util.h"
 #include "di_ops.h"
 #include "util.h"
 #include "pwbox.h"

src/common/crypto_rand.c

@@ -0,0 +1,609 @@
+/* Copyright (c) 2001, Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file crypto_rand.c
+ *
+ * \brief Functions for initialising and seeding (pseudo-)random
+ * number generators, and working with randomness.
+ **/
+
+#ifndef CRYPTO_RAND_PRIVATE
+#define CRYPTO_RAND_PRIVATE
+
+#ifdef _WIN32
+#include <windows.h>
+#include <wincrypt.h>
+#endif /* defined(_WIN32) */
+
+#include "crypto_rand.h"
+
+#include "container.h"
+#include "compat.h"
+#include "compat_openssl.h"
+#include "crypto_util.h"
+#include "sandbox.h"
+#include "testsupport.h"
+#include "torlog.h"
+#include "util.h"
+#include "util_format.h"
+
+DISABLE_GCC_WARNING(redundant-decls)
+#include <openssl/rand.h>
+ENABLE_GCC_WARNING(redundant-decls)
+
+#if __GNUC__ && GCC_VERSION >= 402
+#if GCC_VERSION >= 406
+#pragma GCC diagnostic pop
+#else
+#pragma GCC diagnostic warning "-Wredundant-decls"
+#endif
+#endif /* __GNUC__ && GCC_VERSION >= 402 */
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_FCNTL_H
+#include <sys/fcntl.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+/**
+ * How many bytes of entropy we add at once.
+ *
+ * This is how much entropy OpenSSL likes to add right now, so maybe it will
+ * work for us too.
+ **/
+#define ADD_ENTROPY 32
+
+/**
+ * Longest recognized DNS query.
+ **/
+#define MAX_DNS_LABEL_SIZE 63
+
+/**
+ * Largest strong entropy request permitted.
+ **/
+#define MAX_STRONGEST_RAND_SIZE 256
+
+/**
+ * Set the seed of the weak RNG to a random value.
+ **/
+void
+crypto_seed_weak_rng(tor_weak_rng_t *rng)
+{
+  unsigned seed;
+  crypto_rand((void*)&seed, sizeof(seed));
+  tor_init_weak_random(rng, seed);
+}
+
+#ifdef TOR_UNIT_TESTS
+int break_strongest_rng_syscall = 0;
+int break_strongest_rng_fallback = 0;
+#endif
+
+/**
+ * Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
+ * via system calls, storing it into <b>out</b>. Return 0 on success, -1 on
+ * failure.  A maximum request size of 256 bytes is imposed.
+ **/
+static int
+crypto_strongest_rand_syscall(uint8_t *out, size_t out_len)
+{
+  tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
+
+  /* We only log at notice-level here because in the case that this function
+   * fails the crypto_strongest_rand_raw() caller will log with a warning-level
+   * message and let crypto_strongest_rand() error out and finally terminating
+   * Tor with an assertion error.
+   */
+
+#ifdef TOR_UNIT_TESTS
+  if (break_strongest_rng_syscall)
+    return -1;
+#endif
+
+#if defined(_WIN32)
+  static int provider_set = 0;
+  static HCRYPTPROV provider;
+
+  if (!provider_set) {
+    if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
+                             CRYPT_VERIFYCONTEXT)) {
+      log_notice(LD_CRYPTO, "Unable to set Windows CryptoAPI provider [1].");
+      return -1;
+    }
+    provider_set = 1;
+  }
+  if (!CryptGenRandom(provider, out_len, out)) {
+    log_notice(LD_CRYPTO, "Unable get entropy from the Windows CryptoAPI.");
+    return -1;
+  }
+
+  return 0;
+#elif defined(__linux__) && defined(SYS_getrandom)
+  static int getrandom_works = 1; /* Be optimistic about our chances... */
+
+  /* getrandom() isn't as straightforward as getentropy(), and has
+   * no glibc wrapper.
+   *
+   * As far as I can tell from getrandom(2) and the source code, the
+   * requests we issue will always succeed (though it will block on the
+   * call if /dev/urandom isn't seeded yet), since we are NOT specifying
+   * GRND_NONBLOCK and the request is <= 256 bytes.
+   *
+   * The manpage is unclear on what happens if a signal interrupts the call
+   * while the request is blocked due to lack of entropy....
+   *
+   * We optimistically assume that getrandom() is available and functional
+   * because it is the way of the future, and 2 branch mispredicts pale in
+   * comparison to the overheads involved with failing to open
+   * /dev/srandom followed by opening and reading from /dev/urandom.
+   */
+  if (PREDICT_LIKELY(getrandom_works)) {
+    long ret;
+    /* A flag of '0' here means to read from '/dev/urandom', and to
+     * block if insufficient entropy is available to service the
+     * request.
+     */
+    const unsigned int flags = 0;
+    do {
+      ret = syscall(SYS_getrandom, out, out_len, flags);
+    } while (ret == -1 && ((errno == EINTR) ||(errno == EAGAIN)));
+
+    if (PREDICT_UNLIKELY(ret == -1)) {
+      /* LCOV_EXCL_START we can't actually make the syscall fail in testing. */
+      tor_assert(errno != EAGAIN);
+      tor_assert(errno != EINTR);
+
+      /* Useful log message for errno. */
+      if (errno == ENOSYS) {
+        log_notice(LD_CRYPTO, "Can't get entropy from getrandom()."
+                   " You are running a version of Tor built to support"
+                   " getrandom(), but the kernel doesn't implement this"
+                   " function--probably because it is too old?"
+                   " Trying fallback method instead.");
+      } else {
+        log_notice(LD_CRYPTO, "Can't get entropy from getrandom(): %s."
+                              " Trying fallback method instead.",
+                   strerror(errno));
+      }
+
+      getrandom_works = 0; /* Don't bother trying again. */
+      return -1;
+      /* LCOV_EXCL_STOP */
+    }
+
+    tor_assert(ret == (long)out_len);
+    return 0;
+  }
+
+  return -1; /* getrandom() previously failed unexpectedly. */
+#elif defined(HAVE_GETENTROPY)
+  /* getentropy() is what Linux's getrandom() wants to be when it grows up.
+   * the only gotcha is that requests are limited to 256 bytes.
+   */
+  return getentropy(out, out_len);
+#else
+  (void) out;
+#endif /* defined(_WIN32) || ... */
+
+  /* This platform doesn't have a supported syscall based random. */
+  return -1;
+}
+
+/**
+ * Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
+ * via the per-platform fallback mechanism, storing it into <b>out</b>.
+ * Return 0 on success, -1 on failure.  A maximum request size of 256 bytes
+ * is imposed.
+ **/
+static int
+crypto_strongest_rand_fallback(uint8_t *out, size_t out_len)
+{
+#ifdef TOR_UNIT_TESTS
+  if (break_strongest_rng_fallback)
+    return -1;
+#endif
+
+#ifdef _WIN32
+  /* Windows exclusively uses crypto_strongest_rand_syscall(). */
+  (void)out;
+  (void)out_len;
+  return -1;
+#else /* !(defined(_WIN32)) */
+  static const char *filenames[] = {
+    "/dev/srandom", "/dev/urandom", "/dev/random", NULL
+  };
+  int fd, i;
+  size_t n;
+
+  for (i = 0; filenames[i]; ++i) {
+    log_debug(LD_FS, "Considering %s as entropy source", filenames[i]);
+    fd = open(sandbox_intern_string(filenames[i]), O_RDONLY, 0);
+    if (fd<0) continue;
+    log_info(LD_CRYPTO, "Reading entropy from \"%s\"", filenames[i]);
+    n = read_all(fd, (char*)out, out_len, 0);
+    close(fd);
+    if (n != out_len) {
+      /* LCOV_EXCL_START
+       * We can't make /dev/foorandom actually fail. */
+      log_notice(LD_CRYPTO,
+                 "Error reading from entropy source %s (read only %lu bytes).",
+                 filenames[i],
+                 (unsigned long)n);
+      return -1;
+      /* LCOV_EXCL_STOP */
+    }
+
+    return 0;
+  }
+
+  return -1;
+#endif /* defined(_WIN32) */
+}
+
+/**
+ * Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
+ * storing it into <b>out</b>. Return 0 on success, -1 on failure.  A maximum
+ * request size of 256 bytes is imposed.
+ **/
+STATIC int
+crypto_strongest_rand_raw(uint8_t *out, size_t out_len)
+{
+  static const size_t sanity_min_size = 16;
+  static const int max_attempts = 3;
+  tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
+
+  /* For buffers >= 16 bytes (128 bits), we sanity check the output by
+   * zero filling the buffer and ensuring that it actually was at least
+   * partially modified.
+   *
+   * Checking that any individual byte is non-zero seems like it would
+   * fail too often (p = out_len * 1/256) for comfort, but this is an
+   * "adjust according to taste" sort of check.
+   */
+  memwipe(out, 0, out_len);
+  for (int i = 0; i < max_attempts; i++) {
+    /* Try to use the syscall/OS favored mechanism to get strong entropy. */
+    if (crypto_strongest_rand_syscall(out, out_len) != 0) {
+      /* Try to use the less-favored mechanism to get strong entropy. */
+      if (crypto_strongest_rand_fallback(out, out_len) != 0) {
+        /* Welp, we tried.  Hopefully the calling code terminates the process
+         * since we're basically boned without good entropy.
+         */
+        log_warn(LD_CRYPTO,
+                 "Cannot get strong entropy: no entropy source found.");
+        return -1;
+      }
+    }
+
+    if ((out_len < sanity_min_size) || !tor_mem_is_zero((char*)out, out_len))
+      return 0;
+  }
+
+  /* LCOV_EXCL_START
+   *
+   * We tried max_attempts times to fill a buffer >= 128 bits long,
+   * and each time it returned all '0's.  Either the system entropy
+   * source is busted, or the user should go out and buy a ticket to
+   * every lottery on the planet.
+   */
+  log_warn(LD_CRYPTO, "Strong OS entropy returned all zero buffer.");
+
+  return -1;
+  /* LCOV_EXCL_STOP */
+}
+
+/**
+ * Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
+ * storing it into <b>out</b>.
+ **/
+void
+crypto_strongest_rand(uint8_t *out, size_t out_len)
+{
+#define DLEN SHA512_DIGEST_LENGTH
+  /* We're going to hash DLEN bytes from the system RNG together with some
+   * bytes from the openssl PRNG, in order to yield DLEN bytes.
+   */
+  uint8_t inp[DLEN*2];
+  uint8_t tmp[DLEN];
+  tor_assert(out);
+  while (out_len) {
+    crypto_rand((char*) inp, DLEN);
+    if (crypto_strongest_rand_raw(inp+DLEN, DLEN) < 0) {
+      // LCOV_EXCL_START
+      log_err(LD_CRYPTO, "Failed to load strong entropy when generating an "
+              "important key. Exiting.");
+      /* Die with an assertion so we get a stack trace. */
+      tor_assert(0);
+      // LCOV_EXCL_STOP
+    }
+    if (out_len >= DLEN) {
+      SHA512(inp, sizeof(inp), out);
+      out += DLEN;
+      out_len -= DLEN;
+    } else {
+      SHA512(inp, sizeof(inp), tmp);
+      memcpy(out, tmp, out_len);
+      break;
+    }
+  }
+  memwipe(tmp, 0, sizeof(tmp));
+  memwipe(inp, 0, sizeof(inp));
+#undef DLEN
+}
+
+/**
+ * Seed OpenSSL's random number generator with bytes from the operating
+ * system.  Return 0 on success, -1 on failure.
+ **/
+int
+crypto_seed_rng(void)
+{
+  int rand_poll_ok = 0, load_entropy_ok = 0;
+  uint8_t buf[ADD_ENTROPY];
+
+  /* OpenSSL has a RAND_poll function that knows about more kinds of
+   * entropy than we do.  We'll try calling that, *and* calling our own entropy
+   * functions.  If one succeeds, we'll accept the RNG as seeded. */
+  rand_poll_ok = RAND_poll();
+  if (rand_poll_ok == 0)
+    log_warn(LD_CRYPTO, "RAND_poll() failed."); // LCOV_EXCL_LINE
+
+  load_entropy_ok = !crypto_strongest_rand_raw(buf, sizeof(buf));
+  if (load_entropy_ok) {
+    RAND_seed(buf, sizeof(buf));
+  }
+
+  memwipe(buf, 0, sizeof(buf));
+
+  if ((rand_poll_ok || load_entropy_ok) && RAND_status() == 1)
+    return 0;
+  else
+    return -1;
+}
+
+/**
+ * Write <b>n</b> bytes of strong random data to <b>to</b>. Supports mocking
+ * for unit tests.
+ *
+ * This function is not allowed to fail; if it would fail to generate strong
+ * entropy, it must terminate the process instead.
+ **/
+MOCK_IMPL(void,
+crypto_rand, (char *to, size_t n))
+{
+  crypto_rand_unmocked(to, n);
+}
+
+/**
+ * Write <b>n</b> bytes of strong random data to <b>to</b>.  Most callers
+ * will want crypto_rand instead.
+ *
+ * This function is not allowed to fail; if it would fail to generate strong
+ * entropy, it must terminate the process instead.
+ **/
+void
+crypto_rand_unmocked(char *to, size_t n)
+{
+  int r;
+  if (n == 0)
+    return;
+
+  tor_assert(n < INT_MAX);
+  tor_assert(to);
+  r = RAND_bytes((unsigned char*)to, (int)n);
+  /* We consider a PRNG failure non-survivable. Let's assert so that we get a
+   * stack trace about where it happened.
+   */
+  tor_assert(r >= 0);
+}
+
+/**
+ * Return a pseudorandom integer, chosen uniformly from the values
+ * between 0 and <b>max</b>-1 inclusive.  <b>max</b> must be between 1 and
+ * INT_MAX+1, inclusive.
+ */
+int
+crypto_rand_int(unsigned int max)
+{
+  unsigned int val;
+  unsigned int cutoff;
+  tor_assert(max <= ((unsigned int)INT_MAX)+1);
+  tor_assert(max > 0); /* don't div by 0 */
+
+  /* We ignore any values that are >= 'cutoff,' to avoid biasing the
+   * distribution with clipping at the upper end of unsigned int's
+   * range.
+   */
+  cutoff = UINT_MAX - (UINT_MAX%max);
+  while (1) {
+    crypto_rand((char*)&val, sizeof(val));
+    if (val < cutoff)
+      return val % max;
+  }
+}
+
+/**
+ * Return a pseudorandom integer, chosen uniformly from the values i such
+ * that min <= i < max.
+ *
+ * <b>min</b> MUST be in range [0, <b>max</b>).
+ * <b>max</b> MUST be in range (min, INT_MAX].
+ **/
+int
+crypto_rand_int_range(unsigned int min, unsigned int max)
+{
+  tor_assert(min < max);
+  tor_assert(max <= INT_MAX);
+
+  /* The overflow is avoided here because crypto_rand_int() returns a value
+   * between 0 and (max - min) inclusive. */
+  return min + crypto_rand_int(max - min);
+}
+
+/**
+ * As crypto_rand_int_range, but supports uint64_t.
+ **/
+uint64_t
+crypto_rand_uint64_range(uint64_t min, uint64_t max)
+{
+  tor_assert(min < max);
+  return min + crypto_rand_uint64(max - min);
+}
+
+/**
+ * As crypto_rand_int_range, but supports time_t.
+ **/
+time_t
+crypto_rand_time_range(time_t min, time_t max)
+{
+  tor_assert(min < max);
+  return min + (time_t)crypto_rand_uint64(max - min);
+}
+
+/**
+ * Return a pseudorandom 64-bit integer, chosen uniformly from the values
+ * between 0 and <b>max</b>-1 inclusive.
+ **/
+uint64_t
+crypto_rand_uint64(uint64_t max)
+{
+  uint64_t val;
+  uint64_t cutoff;
+  tor_assert(max < UINT64_MAX);
+  tor_assert(max > 0); /* don't div by 0 */
+
+  /* We ignore any values that are >= 'cutoff,' to avoid biasing the
+   * distribution with clipping at the upper end of unsigned int's
+   * range.
+   */
+  cutoff = UINT64_MAX - (UINT64_MAX%max);
+  while (1) {
+    crypto_rand((char*)&val, sizeof(val));
+    if (val < cutoff)
+      return val % max;
+  }
+}
+
+/**
+ * Return a pseudorandom double d, chosen uniformly from the range
+ * 0.0 <= d < 1.0.
+ **/
+double
+crypto_rand_double(void)
+{
+  /* We just use an unsigned int here; we don't really care about getting
+   * more than 32 bits of resolution */
+  unsigned int u;
+  crypto_rand((char*)&u, sizeof(u));
+#if SIZEOF_INT == 4
+#define UINT_MAX_AS_DOUBLE 4294967296.0
+#elif SIZEOF_INT == 8
+#define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
+#else
+#error SIZEOF_INT is neither 4 nor 8
+#endif /* SIZEOF_INT == 4 || ... */
+  return ((double)u) / UINT_MAX_AS_DOUBLE;
+}
+
+/**
+ * Generate and return a new random hostname starting with <b>prefix</b>,
+ * ending with <b>suffix</b>, and containing no fewer than
+ * <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
+ * characters. Does not check for failure.
+ *
+ * Clip <b>max_rand_len</b> to MAX_DNS_LABEL_SIZE.
+ **/
+char *
+crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix,
+                       const char *suffix)
+{
+  char *result, *rand_bytes;
+  int randlen, rand_bytes_len;
+  size_t resultlen, prefixlen;
+
+  if (max_rand_len > MAX_DNS_LABEL_SIZE)
+    max_rand_len = MAX_DNS_LABEL_SIZE;
+  if (min_rand_len > max_rand_len)
+    min_rand_len = max_rand_len;
+
+  randlen = crypto_rand_int_range(min_rand_len, max_rand_len+1);
+
+  prefixlen = strlen(prefix);
+  resultlen = prefixlen + strlen(suffix) + randlen + 16;
+
+  rand_bytes_len = ((randlen*5)+7)/8;
+  if (rand_bytes_len % 5)
+    rand_bytes_len += 5 - (rand_bytes_len%5);
+  rand_bytes = tor_malloc(rand_bytes_len);
+  crypto_rand(rand_bytes, rand_bytes_len);
+
+  result = tor_malloc(resultlen);
+  memcpy(result, prefix, prefixlen);
+  base32_encode(result+prefixlen, resultlen-prefixlen,
+                rand_bytes, rand_bytes_len);
+  tor_free(rand_bytes);
+  strlcpy(result+prefixlen+randlen, suffix, resultlen-(prefixlen+randlen));
+
+  return result;
+}
+
+/**
+ * Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
+ * is empty.
+ **/
+void *
+smartlist_choose(const smartlist_t *sl)
+{
+  int len = smartlist_len(sl);
+  if (len)
+    return smartlist_get(sl,crypto_rand_int(len));
+  return NULL; /* no elements to choose from */
+}
+
+/**
+ * Scramble the elements of <b>sl</b> into a random order.
+ **/
+void
+smartlist_shuffle(smartlist_t *sl)
+{
+  int i;
+  /* From the end of the list to the front, choose at random from the
+     positions we haven't looked at yet, and swap that position into the
+     current position.  Remember to give "no swap" the same probability as
+     any other swap. */
+  for (i = smartlist_len(sl)-1; i > 0; --i) {
+    int j = crypto_rand_int(i+1);
+    smartlist_swap(sl, i, j);
+  }
+}
+
+/** Make sure that openssl is using its default PRNG. Return 1 if we had to
+ * adjust it; 0 otherwise. */
+int
+crypto_force_rand_ssleay(void)
+{
+  RAND_METHOD *default_method;
+  default_method = RAND_OpenSSL();
+  if (RAND_get_rand_method() != default_method) {
+    log_notice(LD_CRYPTO, "It appears that one of our engines has provided "
+               "a replacement the OpenSSL RNG. Resetting it to the default "
+               "implementation.");
+    RAND_set_rand_method(default_method);
+    return 1;
+  }
+  return 0;
+}
+
+#endif /* !defined(CRYPTO_RAND_PRIVATE) */
+

src/common/crypto_rand.h

@@ -0,0 +1,52 @@
+/* Copyright (c) 2001, Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file crypto_rand.h
+ *
+ * \brief Common functions for using (psuedo-)random number generators.
+ **/
+
+#ifndef TOR_CRYPTO_RAND_H
+#define TOR_CRYPTO_RAND_H
+
+#include "torint.h"
+#include "util.h"
+
+/* random numbers */
+int crypto_seed_rng(void) ATTR_WUR;
+MOCK_DECL(void,crypto_rand,(char *to, size_t n));
+void crypto_rand_unmocked(char *to, size_t n);
+void crypto_strongest_rand(uint8_t *out, size_t out_len);
+int crypto_rand_int(unsigned int max);
+int crypto_rand_int_range(unsigned int min, unsigned int max);
+uint64_t crypto_rand_uint64_range(uint64_t min, uint64_t max);
+time_t crypto_rand_time_range(time_t min, time_t max);
+uint64_t crypto_rand_uint64(uint64_t max);
+double crypto_rand_double(void);
+struct tor_weak_rng_t;
+void crypto_seed_weak_rng(struct tor_weak_rng_t *rng);
+
+char *crypto_random_hostname(int min_rand_len, int max_rand_len,
+                             const char *prefix, const char *suffix);
+
+struct smartlist_t;
+void *smartlist_choose(const struct smartlist_t *sl);
+void smartlist_shuffle(struct smartlist_t *sl);
+int crypto_force_rand_ssleay(void);
+
+#ifdef CRYPTO_RAND_PRIVATE
+
+STATIC int crypto_strongest_rand_raw(uint8_t *out, size_t out_len);
+
+#ifdef TOR_UNIT_TESTS
+extern int break_strongest_rng_syscall;
+extern int break_strongest_rng_fallback;
+#endif
+#endif /* defined(CRYPTO_RAND_PRIVATE) */
+
+#endif /* !defined(TOR_CRYPTO_RAND_H) */
+

src/common/crypto_rsa.c

@@ -9,12 +9,14 @@
  * \brief Block of functions related with RSA utilities and operations.
  **/
 
-#include "crypto_rsa.h"
 #include "crypto.h"
-#include "compat_openssl.h"
 #include "crypto_curve25519.h"
-#include "crypto_format.h"
 #include "crypto_digest.h"
+#include "crypto_format.h"
+#include "compat_openssl.h"
+#include "crypto_rand.h"
+#include "crypto_rsa.h"
+#include "crypto_util.h"
 
 DISABLE_GCC_WARNING(redundant-decls)
 

src/common/crypto_s2k.c

@@ -12,11 +12,13 @@
 
 #define CRYPTO_S2K_PRIVATE
 
-#include "crypto.h"
-#include "util.h"
 #include "compat.h"
-#include "crypto_s2k.h"
+#include "crypto.h"
 #include "crypto_digest.h"
+#include "crypto_rand.h"
+#include "crypto_s2k.h"
+#include "crypto_util.h"
+#include "util.h"
 
 #include <openssl/evp.h>
 

src/common/crypto_util.c

@@ -0,0 +1,105 @@
+/* Copyright (c) 2001, Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file crypto_util.c
+ *
+ * \brief Common cryptographic utilities.
+ **/
+
+#ifndef CRYPTO_UTIL_PRIVATE
+#define CRYPTO_UTIL_PRIVATE
+
+#include <string.h>
+
+#ifdef _WIN32
+#include <windows.h>
+#include <wincrypt.h>
+#endif /* defined(_WIN32) */
+
+#include "crypto_util.h"
+#include "util.h"
+
+DISABLE_GCC_WARNING(redundant-decls)
+
+#include <openssl/crypto.h>
+
+ENABLE_GCC_WARNING(redundant-decls)
+
+/**
+ * Destroy the <b>sz</b> bytes of data stored at <b>mem</b>, setting them to
+ * the value <b>byte</b>.
+ * If <b>mem</b> is NULL or <b>sz</b> is zero, nothing happens.
+ *
+ * This function is preferable to memset, since many compilers will happily
+ * optimize out memset() when they can convince themselves that the data being
+ * cleared will never be read.
+ *
+ * Right now, our convention is to use this function when we are wiping data
+ * that's about to become inaccessible, such as stack buffers that are about
+ * to go out of scope or structures that are about to get freed.  (In
+ * practice, it appears that the compilers we're currently using will optimize
+ * out the memset()s for stack-allocated buffers, but not those for
+ * about-to-be-freed structures. That could change, though, so we're being
+ * wary.)  If there are live reads for the data, then you can just use
+ * memset().
+ */
+void
+memwipe(void *mem, uint8_t byte, size_t sz)
+{
+  if (sz == 0) {
+    return;
+  }
+  /* If sz is nonzero, then mem must not be NULL. */
+  tor_assert(mem != NULL);
+
+  /* Data this large is likely to be an underflow. */
+  tor_assert(sz < SIZE_T_CEILING);
+
+  /* Because whole-program-optimization exists, we may not be able to just
+   * have this function call "memset".  A smart compiler could inline it, then
+   * eliminate dead memsets, and declare itself to be clever. */
+
+#if defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY)
+  /* Here's what you do on windows. */
+  SecureZeroMemory(mem,sz);
+#elif defined(HAVE_RTLSECUREZEROMEMORY)
+  RtlSecureZeroMemory(mem,sz);
+#elif defined(HAVE_EXPLICIT_BZERO)
+  /* The BSDs provide this. */
+  explicit_bzero(mem, sz);
+#elif defined(HAVE_MEMSET_S)
+  /* This is in the C99 standard. */
+  memset_s(mem, sz, 0, sz);
+#else
+  /* This is a slow and ugly function from OpenSSL that fills 'mem' with junk
+   * based on the pointer value, then uses that junk to update a global
+   * variable.  It's an elaborate ruse to trick the compiler into not
+   * optimizing out the "wipe this memory" code.  Read it if you like zany
+   * programming tricks! In later versions of Tor, we should look for better
+   * not-optimized-out memory wiping stuff...
+   *
+   * ...or maybe not.  In practice, there are pure-asm implementations of
+   * OPENSSL_cleanse() on most platforms, which ought to do the job.
+   **/
+
+  OPENSSL_cleanse(mem, sz);
+#endif /* defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY) || ... */
+
+  /* Just in case some caller of memwipe() is relying on getting a buffer
+   * filled with a particular value, fill the buffer.
+   *
+   * If this function gets inlined, this memset might get eliminated, but
+   * that's okay: We only care about this particular memset in the case where
+   * the caller should have been using memset(), and the memset() wouldn't get
+   * eliminated.  In other words, this is here so that we won't break anything
+   * if somebody accidentally calls memwipe() instead of memset().
+   **/
+  memset(mem, byte, sz);
+}
+
+#endif /* !defined(CRYPTO_UTIL_PRIVATE) */
+

src/common/crypto_util.h

@@ -0,0 +1,27 @@
+/* Copyright (c) 2001, Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file crypto_util.h
+ *
+ * \brief Common functions for cryptographic routines.
+ **/
+
+#ifndef TOR_CRYPTO_UTIL_H
+#define TOR_CRYPTO_UTIL_H
+
+#include "torint.h"
+
+/** OpenSSL-based utility functions. */
+void memwipe(void *mem, uint8_t byte, size_t sz);
+
+#ifdef CRYPTO_UTIL_PRIVATE
+#ifdef TOR_UNIT_TESTS
+#endif /* defined(TOR_UNIT_TESTS) */
+#endif /* defined(CRYPTO_UTIL_PRIVATE) */
+
+#endif /* !defined(TOR_CRYPTO_UTIL_H) */
+

src/common/include.am

@@ -116,11 +116,13 @@ LIBOR_CRYPTO_A_SRC = \
   src/common/compress_zstd.c	\
   src/common/crypto.c		\
   src/common/crypto_digest.c     \
-  src/common/crypto_rsa.c     \
+  src/common/crypto_format.c	\
   src/common/crypto_openssl_mgt.c    \
   src/common/crypto_pwbox.c     \
+  src/common/crypto_rand.c     \
+  src/common/crypto_rsa.c     \
   src/common/crypto_s2k.c	\
-  src/common/crypto_format.c	\
+  src/common/crypto_util.c	\
   src/common/tortls.c		\
   src/common/crypto_curve25519.c \
   src/common/crypto_ed25519.c
@@ -172,9 +174,11 @@ COMMONHEADERS = \
   src/common/crypto_ed25519.h			\
   src/common/crypto_format.h			\
   src/common/crypto_openssl_mgt.h         \
-  src/common/crypto_rsa.h           \
   src/common/crypto_pwbox.h			\
+  src/common/crypto_rand.h          \
+  src/common/crypto_rsa.h           \
   src/common/crypto_s2k.h			\
+  src/common/crypto_util.h			\
   src/common/di_ops.h				\
   src/common/handles.h				\
   src/common/memarea.h				\

src/common/tortls.c

@@ -26,6 +26,8 @@
 #endif
 
 #include "crypto.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "compat.h"
 
 /* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in

src/common/workqueue.c

@@ -27,7 +27,7 @@
 #include "compat.h"
 #include "compat_libevent.h"
 #include "compat_threads.h"
-#include "crypto.h"
+#include "crypto_rand.h"
 #include "util.h"
 #include "workqueue.h"
 #include "tor_queue.h"

src/ext/ed25519/donna/ed25519-randombytes-custom.h

@@ -8,7 +8,7 @@
 */
 
 /* Tor: Instead of calling OpenSSL's CSPRNG directly, call the wrapper. */
-#include "crypto.h"
+#include "crypto_rand.h"
 
 static void
 ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len)

src/ext/ed25519/donna/ed25519_tor.c

@@ -40,6 +40,8 @@
 #include "ed25519-randombytes.h"
 #include "ed25519-hash.h"
 
+#include "crypto_util.h"
+
 typedef unsigned char ed25519_signature[64];
 typedef unsigned char ed25519_public_key[32];
 typedef unsigned char ed25519_secret_key[32];

src/ext/ed25519/ref10/blinding.c

@@ -7,7 +7,7 @@
 #include "ed25519_ref10.h"
 
 #include <string.h>
-#include "crypto.h"
+#include "crypto_util.h"
 
 static void
 ed25519_ref10_gettweak(unsigned char *out, const unsigned char *param)

src/ext/ed25519/ref10/keypair.c

@@ -6,6 +6,9 @@
 #include "crypto_hash_sha512.h"
 #include "ge.h"
 
+#include "crypto_rand.h"
+#include "crypto_util.h"
+
 int
 crypto_sign_seckey(unsigned char *sk)
 {

src/ext/ed25519/ref10/randombytes.h

@@ -1,4 +1,4 @@
 /* Added for Tor. */
-#include "crypto.h"
+#include "crypto_rand.h"
 #define randombytes(b, n) \
   (crypto_strongest_rand((b), (n)), 0)

src/ext/keccak-tiny/keccak-tiny-unrolled.c

@@ -9,7 +9,7 @@
 #include "keccak-tiny.h"
 
 #include <string.h>
-#include "crypto.h"
+#include "crypto_util.h"
 #include "byteorder.h"
 
 /******** Endianness conversion helpers ********/

src/or/addressmap.c

@@ -21,9 +21,10 @@
 #include "config.h"
 #include "connection_edge.h"
 #include "control.h"
+#include "crypto_rand.h"
 #include "dns.h"
-#include "routerset.h"
 #include "nodelist.h"
+#include "routerset.h"
 
 /** A client-side struct to remember requests to rewrite addresses
  * to new addresses. These structs are stored in the hash table

src/or/channelpadding.c

@@ -16,6 +16,7 @@
 #include "networkstatus.h"
 #include "connection.h"
 #include "connection_or.h"
+#include "crypto_rand.h"
 #include "main.h"
 #include "rephist.h"
 #include "router.h"

src/or/circpathbias.c

@@ -30,6 +30,7 @@
 #include "circuitstats.h"
 #include "connection_edge.h"
 #include "config.h"
+#include "crypto_rand.h"
 #include "entrynodes.h"
 #include "networkstatus.h"
 #include "relay.h"

src/or/circuitbuild.c

@@ -43,7 +43,7 @@
 #include "connection_edge.h"
 #include "connection_or.h"
 #include "control.h"
-#include "crypto.h"
+#include "crypto_rand.h"
 #include "directory.h"
 #include "entrynodes.h"
 #include "hs_ntor.h"

src/or/circuitlist.c

@@ -65,6 +65,8 @@
 #include "connection_edge.h"
 #include "connection_or.h"
 #include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "entrynodes.h"
 #include "main.h"
 #include "hs_circuit.h"

src/or/circuitmux_ewma.c

@@ -37,6 +37,7 @@
 #include "or.h"
 #include "circuitmux.h"
 #include "circuitmux_ewma.h"
+#include "crypto_rand.h"
 #include "networkstatus.h"
 
 /*** EWMA parameter #defines ***/

src/or/circuitstats.c

@@ -31,6 +31,7 @@
 #include "config.h"
 #include "confparse.h"
 #include "control.h"
+#include "crypto_rand.h"
 #include "main.h"
 #include "networkstatus.h"
 #include "rendclient.h"

src/or/command.c

@@ -46,6 +46,7 @@
 #include "config.h"
 #include "control.h"
 #include "cpuworker.h"
+#include "crypto_util.h"
 #include "dos.h"
 #include "hibernate.h"
 #include "nodelist.h"

src/or/config.c

@@ -79,6 +79,8 @@
 #include "control.h"
 #include "confparse.h"
 #include "cpuworker.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "dirserv.h"
 #include "dns.h"
 #include "dos.h"

src/or/connection.c

@@ -76,6 +76,7 @@
 #include "connection_edge.h"
 #include "connection_or.h"
 #include "control.h"
+#include "crypto_util.h"
 #include "directory.h"
 #include "dirserv.h"
 #include "dns.h"

src/or/connection_edge.c

@@ -70,6 +70,7 @@
 #include "connection_edge.h"
 #include "connection_or.h"
 #include "control.h"
+#include "crypto_util.h"
 #include "dns.h"
 #include "dnsserv.h"
 #include "directory.h"

src/or/connection_or.c

@@ -39,6 +39,8 @@
 #include "connection.h"
 #include "connection_or.h"
 #include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "dirserv.h"
 #include "entrynodes.h"
 #include "geoip.h"

src/or/conscache.c

@@ -5,6 +5,7 @@
 
 #include "config.h"
 #include "conscache.h"
+#include "crypto_util.h"
 #include "storagedir.h"
 
 #define CCE_MAGIC 0x17162253

src/or/control.c

@@ -52,6 +52,8 @@
 #include "connection_edge.h"
 #include "connection_or.h"
 #include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "directory.h"
 #include "dirserv.h"
 #include "dnsserv.h"

src/or/cpuworker.c

@@ -24,6 +24,8 @@
 #include "connection_or.h"
 #include "config.h"
 #include "cpuworker.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "main.h"
 #include "onion.h"
 #include "rephist.h"

src/or/dirauth/shared_random.c

@@ -91,12 +91,14 @@
 #include "shared_random.h"
 #include "config.h"
 #include "confparse.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "networkstatus.h"
-#include "routerkeys.h"
 #include "router.h"
+#include "routerkeys.h"
 #include "routerlist.h"
-#include "shared_random_state.h"
 #include "shared_random_client.h"
+#include "shared_random_state.h"
 #include "util.h"
 #include "voting_schedule.h"
 

src/or/dirauth/shared_random_state.c

@@ -11,16 +11,16 @@
 #define SHARED_RANDOM_STATE_PRIVATE
 
 #include "or.h"
-#include "shared_random.h"
 #include "config.h"
 #include "confparse.h"
-#include "voting_schedule.h"
+#include "crypto_util.h"
+#include "dirauth/dirvote.h"
 #include "networkstatus.h"
 #include "router.h"
-#include "shared_random_state.h"
+#include "shared_random.h"
 #include "shared_random_client.h"
-
-#include "dirauth/dirvote.h"
+#include "shared_random_state.h"
+#include "voting_schedule.h"
 
 /* Default filename of the shared random state on disk. */
 static const char default_fname[] = "sr-state";

src/or/directory.c

@@ -18,6 +18,8 @@
 #include "consdiffmgr.h"
 #include "control.h"
 #include "compat.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "directory.h"
 #include "dirserv.h"
 #include "entrynodes.h"

src/or/dns.c

@@ -56,6 +56,7 @@
 #include "connection.h"
 #include "connection_edge.h"
 #include "control.h"
+#include "crypto_rand.h"
 #include "dns.h"
 #include "main.h"
 #include "policies.h"

src/or/dos.c

@@ -11,6 +11,7 @@
 #include "or.h"
 #include "channel.h"
 #include "config.h"
+#include "crypto_rand.h"
 #include "geoip.h"
 #include "main.h"
 #include "networkstatus.h"

src/or/entrynodes.c

@@ -123,6 +123,7 @@
 #include "confparse.h"
 #include "connection.h"
 #include "control.h"
+#include "crypto_rand.h"
 #include "directory.h"
 #include "entrynodes.h"
 #include "main.h"

src/or/ext_orport.c

@@ -20,9 +20,11 @@
 #include "or.h"
 #include "connection.h"
 #include "connection_or.h"
-#include "ext_orport.h"
 #include "control.h"
 #include "config.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
+#include "ext_orport.h"
 #include "main.h"
 #include "proto_ext_or.h"
 #include "util.h"

src/or/hibernate.c

@@ -36,6 +36,7 @@ hibernating, phase 2:
 #include "connection_edge.h"
 #include "connection_or.h"
 #include "control.h"
+#include "crypto_rand.h"
 #include "hibernate.h"
 #include "main.h"
 #include "router.h"

src/or/hs_cache.c

@@ -11,6 +11,7 @@
 
 #include "or.h"
 #include "config.h"
+#include "crypto_util.h"
 #include "hs_ident.h"
 #include "hs_common.h"
 #include "hs_client.h"

src/or/hs_cache.h

@@ -11,7 +11,6 @@
 
 #include <stdint.h>
 
-#include "crypto.h"
 #include "crypto_ed25519.h"
 #include "hs_common.h"
 #include "hs_descriptor.h"

src/or/hs_cell.c

@@ -8,6 +8,7 @@
 
 #include "or.h"
 #include "config.h"
+#include "crypto_util.h"
 #include "rendservice.h"
 #include "replaycache.h"
 #include "util.h"

src/or/hs_circuit.c

@@ -13,6 +13,8 @@
 #include "circuitlist.h"
 #include "circuituse.h"
 #include "config.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "nodelist.h"
 #include "policies.h"
 #include "relay.h"

src/or/hs_circuit.h

@@ -10,7 +10,6 @@
 #define TOR_HS_CIRCUIT_H
 
 #include "or.h"
-#include "crypto.h"
 #include "crypto_ed25519.h"
 
 #include "hs_service.h"

src/or/hs_client.c

@@ -9,29 +9,31 @@
 #define HS_CLIENT_PRIVATE
 
 #include "or.h"
-#include "hs_circuit.h"
-#include "hs_ident.h"
+#include "circpathbias.h"
+#include "circuitbuild.h"
+#include "circuitlist.h"
+#include "circuituse.h"
+#include "config.h"
+#include "connection.h"
 #include "connection_edge.h"
 #include "container.h"
-#include "rendclient.h"
-#include "hs_descriptor.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
+#include "directory.h"
 #include "hs_cache.h"
 #include "hs_cell.h"
-#include "config.h"
-#include "directory.h"
+#include "hs_circuit.h"
 #include "hs_client.h"
 #include "hs_control.h"
-#include "router.h"
-#include "routerset.h"
-#include "circuitlist.h"
-#include "circuituse.h"
-#include "connection.h"
-#include "nodelist.h"
-#include "circpathbias.h"
+#include "hs_descriptor.h"
+#include "hs_ident.h"
 #include "hs_ntor.h"
-#include "circuitbuild.h"
 #include "networkstatus.h"
+#include "nodelist.h"
 #include "reasons.h"
+#include "rendclient.h"
+#include "router.h"
+#include "routerset.h"
 
 /* Return a human-readable string for the client fetch status code. */
 static const char *

src/or/hs_common.c

@@ -15,6 +15,8 @@
 
 #include "config.h"
 #include "circuitbuild.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "networkstatus.h"
 #include "nodelist.h"
 #include "hs_cache.h"

src/or/hs_control.c

@@ -8,6 +8,7 @@
 
 #include "or.h"
 #include "control.h"
+#include "crypto_util.h"
 #include "hs_common.h"
 #include "hs_control.h"
 #include "hs_descriptor.h"

src/or/hs_descriptor.c

@@ -59,6 +59,8 @@
 #include "ed25519_cert.h" /* Trunnel interface. */
 #include "hs_descriptor.h"
 #include "circuitbuild.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "parsecommon.h"
 #include "rendcache.h"
 #include "hs_cache.h"

src/or/hs_descriptor.h

@@ -16,6 +16,7 @@
 #include "container.h"
 #include "crypto.h"
 #include "crypto_ed25519.h"
+#include "ed25519_cert.h" /* needed for trunnel */
 #include "torcert.h"
 
 /* Trunnel */

src/or/hs_ident.c

@@ -7,6 +7,7 @@
  *        subsytem.
  **/
 
+#include "crypto_util.h"
 #include "hs_ident.h"
 
 /* Return a newly allocated circuit identifier. The given public key is copied

src/or/hs_ident.h

@@ -21,7 +21,6 @@
 #ifndef TOR_HS_IDENT_H
 #define TOR_HS_IDENT_H
 
-#include "crypto.h"
 #include "crypto_ed25519.h"
 
 #include "hs_common.h"

src/or/hs_ntor.c

@@ -25,6 +25,7 @@
  */
 
 #include "or.h"
+#include "crypto_util.h"
 #include "hs_ntor.h"
 
 /* String constants used by the ntor HS protocol */

src/or/hs_service.c

@@ -15,6 +15,8 @@
 #include "circuituse.h"
 #include "config.h"
 #include "connection.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "directory.h"
 #include "main.h"
 #include "networkstatus.h"

src/or/main.c

@@ -71,6 +71,7 @@
 #include "control.h"
 #include "cpuworker.h"
 #include "crypto_s2k.h"
+#include "crypto_rand.h"
 #include "directory.h"
 #include "dirserv.h"
 #include "dns.h"

src/or/networkstatus.c

@@ -48,6 +48,8 @@
 #include "connection_or.h"
 #include "consdiffmgr.h"
 #include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "directory.h"
 #include "dirserv.h"
 #include "dos.h"

src/or/onion.c

@@ -67,6 +67,7 @@
 #include "circuitlist.h"
 #include "config.h"
 #include "cpuworker.h"
+#include "crypto_util.h"
 #include "networkstatus.h"
 #include "onion.h"
 #include "onion_fast.h"

src/or/onion_fast.c

@@ -29,6 +29,8 @@
 
 #include "or.h"
 #include "onion_fast.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 
 /** Release all state held in <b>victim</b>. */
 void

src/or/onion_ntor.c

@@ -23,6 +23,7 @@
 #define ONION_NTOR_PRIVATE
 #include "crypto.h"
 #include "crypto_digest.h"
+#include "crypto_util.h"
 #include "onion_ntor.h"
 #include "torlog.h"
 #include "util.h"

src/or/onion_tap.c

@@ -29,6 +29,8 @@
 
 #include "or.h"
 #include "config.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "onion_tap.h"
 #include "rephist.h"
 

src/or/proto_socks.c

@@ -9,6 +9,7 @@
 #include "buffers.h"
 #include "control.h"
 #include "config.h"
+#include "crypto_util.h"
 #include "ext_orport.h"
 #include "proto_socks.h"
 #include "reasons.h"

src/or/relay.c

@@ -61,6 +61,8 @@
 #include "connection_edge.h"
 #include "connection_or.h"
 #include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "geoip.h"
 #include "hs_cache.h"
 #include "main.h"

src/or/relay_crypto.c

@@ -6,9 +6,10 @@
 
 #include "or.h"
 #include "config.h"
+#include "crypto_util.h"
 #include "hs_ntor.h" // for HS_NTOR_KEY_EXPANSION_KDF_OUT_LEN
-#include "relay_crypto.h"
 #include "relay.h"
+#include "relay_crypto.h"
 
 /** Update digest from the payload of cell. Assign integrity part to
  * cell.

src/or/rendclient.c

@@ -15,10 +15,13 @@
 #include "config.h"
 #include "connection.h"
 #include "connection_edge.h"
+#include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "directory.h"
-#include "hs_common.h"
 #include "hs_circuit.h"
 #include "hs_client.h"
+#include "hs_common.h"
 #include "main.h"
 #include "networkstatus.h"
 #include "nodelist.h"
@@ -29,7 +32,6 @@
 #include "router.h"
 #include "routerlist.h"
 #include "routerset.h"
-#include "control.h"
 
 static extend_info_t *rend_client_get_random_intro_impl(
                           const rend_cache_entry_t *rend_query,

src/or/rendcommon.c

@@ -14,18 +14,20 @@
 #include "circuitbuild.h"
 #include "config.h"
 #include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
+#include "hs_client.h"
 #include "hs_common.h"
+#include "hs_intropoint.h"
+#include "networkstatus.h"
 #include "rendclient.h"
 #include "rendcommon.h"
 #include "rendmid.h"
-#include "hs_intropoint.h"
-#include "hs_client.h"
 #include "rendservice.h"
 #include "rephist.h"
 #include "router.h"
 #include "routerlist.h"
 #include "routerparse.h"
-#include "networkstatus.h"
 
 /** Return 0 if one and two are the same service ids, else -1 or 1 */
 int

src/or/rendservice.c

@@ -16,6 +16,8 @@
 #include "circuituse.h"
 #include "config.h"
 #include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "directory.h"
 #include "hs_common.h"
 #include "hs_config.h"

src/or/rephist.c

@@ -78,6 +78,7 @@
 #include "circuitlist.h"
 #include "circuituse.h"
 #include "config.h"
+#include "crypto_rand.h"
 #include "networkstatus.h"
 #include "nodelist.h"
 #include "rephist.h"

src/or/router.c

@@ -13,6 +13,8 @@
 #include "config.h"
 #include "connection.h"
 #include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "crypto_curve25519.h"
 #include "directory.h"
 #include "dirserv.h"

src/or/routerkeys.c

@@ -16,6 +16,7 @@
 
 #include "or.h"
 #include "config.h"
+#include "crypto_util.h"
 #include "router.h"
 #include "crypto_pwbox.h"
 #include "routerkeys.h"

src/or/routerlist.c

@@ -99,6 +99,7 @@
 #include "config.h"
 #include "connection.h"
 #include "control.h"
+#include "crypto_rand.h"
 #include "directory.h"
 #include "dirserv.h"
 #include "entrynodes.h"

src/or/routerparse.c

@@ -56,27 +56,28 @@
 #define ROUTERPARSE_PRIVATE
 
 #include "or.h"
-#include "config.h"
 #include "circuitstats.h"
+#include "config.h"
+#include "crypto_util.h"
+#include "dirauth/shared_random.h"
 #include "dirserv.h"
+#include "entrynodes.h"
+#include "memarea.h"
+#include "microdesc.h"
+#include "networkstatus.h"
 #include "parsecommon.h"
 #include "policies.h"
 #include "protover.h"
 #include "rendcommon.h"
-#include "router.h"
-#include "routerlist.h"
-#include "memarea.h"
-#include "microdesc.h"
-#include "networkstatus.h"
 #include "rephist.h"
+#include "router.h"
 #include "routerkeys.h"
+#include "routerlist.h"
 #include "routerparse.h"
-#include "entrynodes.h"
-#include "torcert.h"
 #include "sandbox.h"
 #include "shared_random_client.h"
+#include "torcert.h"
 #include "voting_schedule.h"
-#include "dirauth/shared_random.h"
 
 #undef log
 #include <math.h>

src/or/torcert.c

@@ -27,7 +27,7 @@
 
 #include "or.h"
 #include "config.h"
-#include "crypto.h"
+#include "crypto_util.h"
 #include "torcert.h"
 #include "ed25519_cert.h"
 #include "torlog.h"

src/rust/Cargo.lock

@@ -22,6 +22,35 @@ dependencies = [
  "tor_util 0.0.1",
 ]
 
+[[package]]
+name = "rand"
+version = "0.0.1"
+dependencies = [
+ "external 0.0.1",
+ "libc 0.2.39 (registry+https://github.com/rust-lang/crates.io-index)",
+ "rand 0.5.0-pre.0",
+ "rand_core 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "tor_allocate 0.0.1",
+ "tor_log 0.1.0",
+ "tor_util 0.0.1",
+]
+
+[[package]]
+name = "rand"
+version = "0.5.0-pre.0"
+dependencies = [
+ "rand_core 0.1.0",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.1.0"
+
+[[package]]
+name = "rand_core"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
 [[package]]
 name = "smartlist"
 version = "0.0.1"
@@ -63,3 +92,4 @@ dependencies = [
 
 [metadata]
 "checksum libc 0.2.39 (registry+https://github.com/rust-lang/crates.io-index)" = "f54263ad99207254cf58b5f701ecb432c717445ea2ee8af387334bdd1a03fdff"
+"checksum rand_core 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "0224284424a4b818387b58d59336c288f99b48f69681aa60cc681fe038bbca5d"

src/rust/Cargo.toml

@@ -1,6 +1,8 @@
 [workspace]
 members = ["tor_util", "protover", "smartlist", "external", "tor_allocate",
-"tor_rust", "tor_log"]
+"tor_rust", "tor_log",
+    "rand",
+]
 
 [profile.release]
 debug = true

src/rust/external/crypto_rand.rs

@@ -0,0 +1,87 @@
+// Copyright (c) 2018, The Tor Project, Inc.
+// Copyright (c) 2018, isis agora lovecruft
+// See LICENSE for licensing information
+
+//! Bindings to external (P)RNG interfaces and utilities in 
+//! src/common/crypto_rand.[ch].
+//!
+//! We wrap our C implementations in src/common/crypto_rand.[ch] here in order
+//! to provide wrappers with native Rust types, and then provide more Rusty
+//! types and and trait implementations in src/rust/crypto/rand/.
+
+use std::time::Duration;
+
+use libc::c_double;
+use libc::c_int;
+use libc::size_t;
+use libc::time_t;
+use libc::uint8_t;
+
+extern "C" {
+    fn crypto_seed_rng() -> c_int;
+    fn crypto_rand(out: *mut uint8_t, out_len: size_t);
+    fn crypto_strongest_rand(out: *mut uint8_t, out_len: size_t);
+    fn crypto_rand_time_range(min: time_t, max: time_t) -> time_t;
+    fn crypto_rand_double() -> c_double;
+}
+
+/// Seed OpenSSL's random number generator with bytes from the operating
+/// system.
+///
+/// # Returns
+///
+/// `true` on success; `false` on failure.
+pub fn c_tor_crypto_seed_rng() -> bool {
+    let ret: c_int;
+
+    unsafe {
+        ret = crypto_seed_rng();
+    }
+    match ret {
+        0 => return true,
+        _ => return false,
+    }
+}
+
+/// Fill the bytes of `dest` with random data.
+pub fn c_tor_crypto_rand(dest: &mut [u8]) {
+    unsafe {
+        crypto_rand(dest.as_mut_ptr(), dest.len() as size_t);
+    }
+}
+
+/// Fill the bytes of `dest` with "strong" random data by hashing
+/// together randomness obtained from OpenSSL's RNG and the operating
+/// system.
+pub fn c_tor_crypto_strongest_rand(dest: &mut [u8]) {
+    // We'll let the C side panic if the len is larger than
+    // MAX_STRONGEST_RAND_SIZE, rather than potentially panicking here.  A
+    // paranoid caller should assert on the length of dest *before* calling this
+    // function.
+    unsafe {
+        crypto_strongest_rand(dest.as_mut_ptr(), dest.len() as size_t);
+    }
+}
+
+/// Get a random time, in seconds since the Unix Epoch.
+///
+/// # Returns
+///
+/// A `std::time::Duration` of seconds since the Unix Epoch.
+pub fn c_tor_crypto_rand_time_range(min: &Duration, max: &Duration) -> Duration {
+    let ret: time_t;
+
+    unsafe {
+        ret = crypto_rand_time_range(min.as_secs() as time_t, max.as_secs() as time_t);
+    }
+
+    Duration::from_secs(ret as u64)
+}
+
+/// Return a pseudorandom 64-bit float, chosen uniformly from the range [0.0, 1.0).
+pub fn c_tor_crypto_rand_double() -> f64 {
+    unsafe {
+        crypto_rand_double()
+    }
+}
+

src/rust/external/lib.rs

@@ -1,4 +1,4 @@
-//! Copyright (c) 2016-2017, The Tor Project, Inc. */
+//! Copyright (c) 2016-2018, The Tor Project, Inc. */
 //! See LICENSE for licensing information */
 
 //! Interface for external calls to tor C ABI
@@ -9,6 +9,8 @@
 
 extern crate libc;
 
+mod crypto_rand;
 mod external;
 
+pub use crypto_rand::*;
 pub use external::*;

src/rust/rand/Cargo.toml

@@ -0,0 +1,27 @@
+# TODO: Note that this package should be merged into the "crypto" crate after #24659 is merged.
+
+[package]
+authors = ["The Tor Project"]
+version = "0.0.1"
+name = "rand"
+publish = false
+
+[features]
+testing = ["tor_log/testing"]
+
+[dependencies]
+libc = "=0.2.39"
+rand_core = "=0.1.0"
+
+external = { path = "../external" }
+tor_allocate = { path = "../tor_allocate" }
+tor_log = { path = "../tor_log" }
+tor_util = { path = "../tor_util" }
+
+[dev-dependencies]
+rand = { version = "=0.5.0-pre.0", default-features = false, path = "../../ext/rust/vendor/rand-8c5b0ac51d" }
+
+[lib]
+name = "rand"
+path = "lib.rs"
+crate_type = ["rlib", "staticlib"]

src/rust/rand/lib.rs

@@ -0,0 +1,16 @@
+// Copyright (c) 2018, The Tor Project, Inc.
+// Copyright (c) 2018, isis agora lovecruft
+// See LICENSE for licensing information
+
+// External dependencies
+#[cfg(test)]
+extern crate rand;
+extern crate rand_core;
+
+// Internal dependencies
+extern crate external;
+#[cfg(not(test))]
+#[macro_use]
+extern crate tor_log;
+
+pub mod rng;

src/rust/rand/rng.rs

@@ -0,0 +1,140 @@
+// Copyright (c) 2018, The Tor Project, Inc.
+// Copyright (c) 2018, isis agora lovecruft
+// See LICENSE for licensing information
+
+//! Wrappers for Tor's random number generators to provide implementations of
+//! `rand_core` traits.
+
+// This is the real implementation, in use in production, which calls into our C
+// wrappers in /src/common/crypto_rand.c, which call into OpenSSL, system
+// libraries, and make syscalls.
+#[cfg(not(test))]
+mod internal {
+    use std::u64;
+
+    use rand_core::CryptoRng;
+    use rand_core::Error;
+    use rand_core::RngCore;
+    use rand_core::impls::next_u32_via_fill;
+    use rand_core::impls::next_u64_via_fill;
+
+    use external::c_tor_crypto_rand;
+    use external::c_tor_crypto_strongest_rand;
+    use external::c_tor_crypto_seed_rng;
+
+    use tor_log::LogDomain;
+    use tor_log::LogSeverity;
+
+    /// Largest strong entropy request permitted.
+    //
+    // C_RUST_COUPLED: `MAX_STRONGEST_RAND_SIZE` /src/common/crypto_rand.c
+    const MAX_STRONGEST_RAND_SIZE: usize = 256;
+
+    /// A wrapper around OpenSSL's RNG.
+    pub struct TorRng {
+        // This private, zero-length field forces the struct to be treated the
+        // same as its opaque C couterpart.
+        _unused: [u8; 0],
+    }
+
+    /// Mark `TorRng` as being suitable for cryptographic purposes.
+    impl CryptoRng for TorRng {}
+
+    impl TorRng {
+        // C_RUST_COUPLED: `crypto_seed_rng()` /src/common/crypto_rand.c
+        #[allow(dead_code)]
+        fn new() -> Self {
+            if !c_tor_crypto_seed_rng() {
+                tor_log_msg!(LogSeverity::Warn, LogDomain::General,
+                             "TorRng::from_seed()",
+                             "The RNG could not be seeded!");
+            }
+            // XXX also log success at info level —isis
+            TorRng{ _unused: [0u8; 0] }
+        }
+    }
+
+    impl RngCore for TorRng {
+        // C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c
+        fn next_u32(&mut self) -> u32 {
+            next_u32_via_fill(self)
+        }
+
+        // C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c
+        fn next_u64(&mut self) -> u64 {
+            next_u64_via_fill(self)
+        }
+
+        // C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c
+        fn fill_bytes(&mut self, dest: &mut [u8]) {
+            c_tor_crypto_rand(dest);
+        }
+
+        // C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c
+        fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Error> {
+            Ok(self.fill_bytes(dest))
+        }
+    }
+
+    /// A CSPRNG which hashes together randomness from OpenSSL's RNG and entropy
+    /// obtained from the operating system.
+    pub struct TorStrongestRng {
+        // This private, zero-length field forces the struct to be treated the
+        // same as its opaque C couterpart.
+        _unused: [u8; 0],
+    }
+
+    /// Mark `TorRng` as being suitable for cryptographic purposes.
+    impl CryptoRng for TorStrongestRng {}
+
+    impl TorStrongestRng {
+        // C_RUST_COUPLED: `crypto_seed_rng()` /src/common/crypto_rand.c
+        #[allow(dead_code)]
+        fn new() -> Self {
+            if !c_tor_crypto_seed_rng() {
+                tor_log_msg!(LogSeverity::Warn, LogDomain::General,
+                             "TorStrongestRng::from_seed()",
+                             "The RNG could not be seeded!");
+            }
+            // XXX also log success at info level —isis
+            TorStrongestRng{ _unused: [0u8; 0] }
+        }
+    }
+
+    impl RngCore for TorStrongestRng {
+        // C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c
+        fn next_u32(&mut self) -> u32 {
+            next_u32_via_fill(self)
+        }
+
+        // C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c
+        fn next_u64(&mut self) -> u64 {
+            next_u64_via_fill(self)
+        }
+
+        // C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c
+        fn fill_bytes(&mut self, dest: &mut [u8]) {
+            debug_assert!(dest.len() <= MAX_STRONGEST_RAND_SIZE);
+
+            c_tor_crypto_strongest_rand(dest);
+        }
+
+        // C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c
+        fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Error> {
+            Ok(self.fill_bytes(dest))
+        }
+    }
+}
+
+// For testing, we expose a pure-Rust implementation.
+#[cfg(test)]
+mod internal {
+    // It doesn't matter if we pretend ChaCha is a CSPRNG in tests.
+    pub use rand::ChaChaRng as TorRng;
+    pub use rand::ChaChaRng as TorStrongestRng;
+}
+
+// Finally, expose the public functionality of whichever appropriate internal
+// module.
+pub use self::internal::*;
+

src/test/bench.c

@@ -23,6 +23,7 @@
 #include "crypto_curve25519.h"
 #include "onion_ntor.h"
 #include "crypto_ed25519.h"
+#include "crypto_rand.h"
 #include "consdiff.h"
 
 #if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_PROCESS_CPUTIME_ID)

src/test/rend_test_helpers.c

@@ -2,6 +2,7 @@
 /* See LICENSE for licensing information */
 
 #include "or.h"
+#include "crypto_rand.h"
 #include "test.h"
 #include "rendcommon.h"
 #include "rend_test_helpers.h"

src/test/test-memwipe.c

@@ -7,7 +7,7 @@
 #include <sys/types.h>
 #include <stdlib.h>
 
-#include "crypto.h"
+#include "crypto_util.h"
 #include "compat.h"
 #include "util.h"
 

src/test/test-timers.c

@@ -9,7 +9,7 @@
 
 #include "compat.h"
 #include "compat_libevent.h"
-#include "crypto.h"
+#include "crypto_rand.h"
 #include "timers.h"
 #include "util.h"
 

src/test/test.c

@@ -9,6 +9,7 @@
  **/
 
 #include "orconfig.h"
+#include "crypto_rand.h"
 
 #include <stdio.h>
 #ifdef HAVE_FCNTL_H

src/test/test_address_set.c

@@ -2,6 +2,7 @@
 /* See LICENSE for licensing information */
 
 #include "or.h"
+#include "crypto_rand.h"
 #include "address_set.h"
 #include "microdesc.h"
 #include "networkstatus.h"

src/test/test_buffers.c

@@ -8,6 +8,7 @@
 #include "or.h"
 #include "buffers.h"
 #include "buffers_tls.h"
+#include "crypto_rand.h"
 #include "proto_http.h"
 #include "proto_socks.h"
 #include "test.h"

src/test/test_cell_formats.c

@@ -12,6 +12,7 @@
 #include "connection_edge.h"
 #include "connection_or.h"
 #include "config.h"
+#include "crypto_rand.h"
 #include "onion.h"
 #include "onion_tap.h"
 #include "onion_fast.h"

src/test/test_channel.c

@@ -12,6 +12,7 @@
 #include "circuitmux_ewma.h"
 /* For var_cell_free */
 #include "connection_or.h"
+#include "crypto_rand.h"
 /* For packed_cell stuff */
 #define RELAY_PRIVATE
 #include "relay.h"

src/test/test_consdiffmgr.c

@@ -9,6 +9,7 @@
 #include "consdiff.h"
 #include "consdiffmgr.h"
 #include "cpuworker.h"
+#include "crypto_rand.h"
 #include "networkstatus.h"
 #include "routerparse.h"
 #include "workqueue.h"

src/test/test_containers.c

@@ -5,6 +5,7 @@
 
 #include "orconfig.h"
 #include "or.h"
+#include "crypto_rand.h"
 #include "fp_pair.h"
 #include "test.h"
 

src/test/test_crypto.c

@@ -5,7 +5,7 @@
 
 #include "orconfig.h"
 #define CRYPTO_CURVE25519_PRIVATE
-#define CRYPTO_PRIVATE
+#define CRYPTO_RAND_PRIVATE
 #include "or.h"
 #include "test.h"
 #include "aes.h"
@@ -13,6 +13,7 @@
 #include "siphash.h"
 #include "crypto_curve25519.h"
 #include "crypto_ed25519.h"
+#include "crypto_rand.h"
 #include "ed25519_vectors.inc"
 
 /** Run unit tests for Diffie-Hellman functionality. */

src/test/test_crypto_openssl.c

@@ -5,9 +5,9 @@
 
 #include "orconfig.h"
 
-#define CRYPTO_PRIVATE
+#define CRYPTO_RAND_PRIVATE
 
-#include "crypto.h"
+#include "crypto_rand.h"
 #include "util.h"
 #include "util_format.h"
 #include "compat.h"