From fe3aca149191f2eac410caa7113fb6f7e0804d8c Mon Sep 17 00:00:00 2001 From: Isis Lovecruft Date: Fri, 6 Apr 2018 21:23:29 +0000 Subject: [PATCH 1/9] crypto: Refactor (P)RNG functionality into new crypto_rand module. * ADD new /src/common/crypto_rand.[ch] module. * ADD new /src/common/crypto_util.[ch] module (contains the memwipe() function, since all crypto_* modules need this). * FIXES part of #24658: https://bugs.torproject.org/24658 --- src/common/address_set.c | 2 +- src/common/compat_libevent.c | 2 +- src/common/crypto.c | 602 +---------------- src/common/crypto.h | 36 -- src/common/crypto_curve25519.c | 2 + src/common/crypto_digest.c | 9 +- src/common/crypto_ed25519.c | 2 + src/common/crypto_format.c | 1 + src/common/crypto_pwbox.c | 2 + src/common/crypto_rand.c | 609 ++++++++++++++++++ src/common/crypto_rand.h | 53 ++ src/common/crypto_rsa.c | 2 + src/common/crypto_s2k.c | 2 + src/common/crypto_util.c | 105 +++ src/common/crypto_util.h | 27 + src/common/include.am | 4 + src/common/tortls.c | 2 + src/common/workqueue.c | 2 +- .../donna/ed25519-randombytes-custom.h | 2 +- src/ext/ed25519/donna/ed25519_tor.c | 2 + src/ext/ed25519/ref10/blinding.c | 2 +- src/ext/ed25519/ref10/keypair.c | 3 + src/ext/keccak-tiny/keccak-tiny-unrolled.c | 2 +- src/or/addressmap.c | 1 + src/or/channelpadding.c | 1 + src/or/circpathbias.c | 1 + src/or/circuitbuild.c | 2 +- src/or/circuitlist.c | 2 + src/or/circuitstats.c | 1 + src/or/command.c | 1 + src/or/config.c | 2 + src/or/connection.c | 1 + src/or/connection_edge.c | 1 + src/or/connection_or.c | 2 + src/or/conscache.c | 1 + src/or/control.c | 2 + src/or/cpuworker.c | 2 + src/or/directory.c | 2 + src/or/dns.c | 1 + src/or/dos.c | 1 + src/or/entrynodes.c | 1 + src/or/ext_orport.c | 2 + src/or/hibernate.c | 1 + src/or/hs_cache.c | 1 + src/or/hs_cell.c | 1 + src/or/hs_circuit.c | 2 + src/or/hs_client.c | 2 + src/or/hs_common.c | 2 + src/or/hs_control.c | 1 + src/or/hs_descriptor.c | 2 + src/or/hs_descriptor.h | 1 + src/or/hs_ident.c | 1 + src/or/hs_ntor.c | 1 + src/or/hs_service.c | 2 + src/or/main.c | 1 + src/or/networkstatus.c | 2 + src/or/onion.c | 1 + src/or/onion_fast.c | 2 + src/or/onion_ntor.c | 1 + src/or/onion_tap.c | 2 + src/or/proto_socks.c | 1 + src/or/relay.c | 2 + src/or/rendclient.c | 2 + src/or/rendcommon.c | 2 + src/or/rendservice.c | 2 + src/or/rephist.c | 1 + src/or/router.c | 2 + src/or/routerkeys.c | 1 + src/or/routerlist.c | 1 + src/or/routerparse.c | 1 + src/or/shared_random.c | 2 + src/or/shared_random_state.c | 1 + src/or/torcert.c | 2 +- src/test/bench.c | 1 + src/test/rend_test_helpers.c | 1 + src/test/test-memwipe.c | 2 +- src/test/test-timers.c | 2 +- src/test/test.c | 1 + src/test/test_address_set.c | 1 + src/test/test_buffers.c | 1 + src/test/test_cell_formats.c | 1 + src/test/test_channel.c | 1 + src/test/test_consdiffmgr.c | 1 + src/test/test_containers.c | 1 + src/test/test_crypto.c | 3 +- src/test/test_crypto_openssl.c | 4 +- src/test/test_crypto_slow.c | 1 + src/test/test_dir.c | 1 + src/test/test_dos.c | 1 + src/test/test_entrynodes.c | 1 + src/test/test_extorport.c | 1 + src/test/test_helpers.c | 1 + src/test/test_hs_cell.c | 1 + src/test/test_hs_common.c | 1 + src/test/test_hs_descriptor.c | 1 + src/test/test_hs_intropoint.c | 2 +- src/test/test_hs_service.c | 2 +- src/test/test_nodelist.c | 1 + src/test/test_oom.c | 1 + src/test/test_routerlist.c | 1 + src/test/test_shared_random.c | 1 + src/test/test_storagedir.c | 1 + src/test/test_util.c | 1 + src/test/test_util_format.c | 1 + src/test/test_workqueue.c | 2 +- src/test/testing_common.c | 1 + src/test/testing_rsakeys.c | 1 + src/tools/tor-gencert.c | 2 + src/trunnel/trunnel-local.h | 2 +- 109 files changed, 939 insertions(+), 657 deletions(-) create mode 100644 src/common/crypto_rand.c create mode 100644 src/common/crypto_rand.h create mode 100644 src/common/crypto_util.c create mode 100644 src/common/crypto_util.h diff --git a/src/common/address_set.c b/src/common/address_set.c index f61fa294e..b2f4bb4c9 100644 --- a/src/common/address_set.c +++ b/src/common/address_set.c @@ -15,7 +15,7 @@ #include "address.h" #include "compat.h" #include "container.h" -#include "crypto.h" +#include "crypto_rand.h" #include "util.h" #include "siphash.h" diff --git a/src/common/compat_libevent.c b/src/common/compat_libevent.c index 735385557..6d8cac70e 100644 --- a/src/common/compat_libevent.c +++ b/src/common/compat_libevent.c @@ -11,7 +11,7 @@ #define COMPAT_LIBEVENT_PRIVATE #include "compat_libevent.h" -#include "crypto.h" +#include "crypto_rand.h" #include "util.h" #include "torlog.h" diff --git a/src/common/crypto.c b/src/common/crypto.c index 9fcd17742..8d5897e49 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -28,8 +28,10 @@ #include "crypto_curve25519.h" #include "crypto_ed25519.h" #include "crypto_format.h" +#include "crypto_rand.h" #include "crypto_rsa.h" #include "crypto_digest.h" +#include "crypto_util.h" DISABLE_GCC_WARNING(redundant-decls) @@ -38,7 +40,6 @@ DISABLE_GCC_WARNING(redundant-decls) #include #include #include -#include #include #include #include @@ -60,12 +61,6 @@ ENABLE_GCC_WARNING(redundant-decls) #ifdef HAVE_UNISTD_H #include #endif -#ifdef HAVE_FCNTL_H -#include -#endif -#ifdef HAVE_SYS_FCNTL_H -#include -#endif #ifdef HAVE_SYS_SYSCALL_H #include #endif @@ -84,12 +79,6 @@ ENABLE_GCC_WARNING(redundant-decls) #include "keccak-tiny/keccak-tiny.h" -/** Longest recognized */ -#define MAX_DNS_LABEL_SIZE 63 - -/** Largest strong entropy request */ -#define MAX_STRONGEST_RAND_SIZE 256 - /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake * while we're waiting for the second.*/ struct crypto_dh_t { @@ -162,23 +151,6 @@ try_load_engine(const char *path, const char *engine) } #endif /* !defined(DISABLE_ENGINES) */ -/** Make sure that openssl is using its default PRNG. Return 1 if we had to - * adjust it; 0 otherwise. */ -STATIC int -crypto_force_rand_ssleay(void) -{ - RAND_METHOD *default_method; - default_method = RAND_OpenSSL(); - if (RAND_get_rand_method() != default_method) { - log_notice(LD_CRYPTO, "It appears that one of our engines has provided " - "a replacement the OpenSSL RNG. Resetting it to the default " - "implementation."); - RAND_set_rand_method(default_method); - return 1; - } - return 0; -} - static int have_seeded_siphash = 0; /** Set up the siphash key if we haven't already done so. */ @@ -1083,576 +1055,6 @@ crypto_dh_free_(crypto_dh_t *dh) tor_free(dh); } -/* random numbers */ - -/** How many bytes of entropy we add at once. - * - * This is how much entropy OpenSSL likes to add right now, so maybe it will - * work for us too. */ -#define ADD_ENTROPY 32 - -/** Set the seed of the weak RNG to a random value. */ -void -crypto_seed_weak_rng(tor_weak_rng_t *rng) -{ - unsigned seed; - crypto_rand((void*)&seed, sizeof(seed)); - tor_init_weak_random(rng, seed); -} - -#ifdef TOR_UNIT_TESTS -int break_strongest_rng_syscall = 0; -int break_strongest_rng_fallback = 0; -#endif - -/** Try to get out_len bytes of the strongest entropy we can generate, - * via system calls, storing it into out. Return 0 on success, -1 on - * failure. A maximum request size of 256 bytes is imposed. - */ -static int -crypto_strongest_rand_syscall(uint8_t *out, size_t out_len) -{ - tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE); - - /* We only log at notice-level here because in the case that this function - * fails the crypto_strongest_rand_raw() caller will log with a warning-level - * message and let crypto_strongest_rand() error out and finally terminating - * Tor with an assertion error. - */ - -#ifdef TOR_UNIT_TESTS - if (break_strongest_rng_syscall) - return -1; -#endif - -#if defined(_WIN32) - static int provider_set = 0; - static HCRYPTPROV provider; - - if (!provider_set) { - if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL, - CRYPT_VERIFYCONTEXT)) { - log_notice(LD_CRYPTO, "Unable to set Windows CryptoAPI provider [1]."); - return -1; - } - provider_set = 1; - } - if (!CryptGenRandom(provider, out_len, out)) { - log_notice(LD_CRYPTO, "Unable get entropy from the Windows CryptoAPI."); - return -1; - } - - return 0; -#elif defined(__linux__) && defined(SYS_getrandom) - static int getrandom_works = 1; /* Be optimistic about our chances... */ - - /* getrandom() isn't as straightforward as getentropy(), and has - * no glibc wrapper. - * - * As far as I can tell from getrandom(2) and the source code, the - * requests we issue will always succeed (though it will block on the - * call if /dev/urandom isn't seeded yet), since we are NOT specifying - * GRND_NONBLOCK and the request is <= 256 bytes. - * - * The manpage is unclear on what happens if a signal interrupts the call - * while the request is blocked due to lack of entropy.... - * - * We optimistically assume that getrandom() is available and functional - * because it is the way of the future, and 2 branch mispredicts pale in - * comparison to the overheads involved with failing to open - * /dev/srandom followed by opening and reading from /dev/urandom. - */ - if (PREDICT_LIKELY(getrandom_works)) { - long ret; - /* A flag of '0' here means to read from '/dev/urandom', and to - * block if insufficient entropy is available to service the - * request. - */ - const unsigned int flags = 0; - do { - ret = syscall(SYS_getrandom, out, out_len, flags); - } while (ret == -1 && ((errno == EINTR) ||(errno == EAGAIN))); - - if (PREDICT_UNLIKELY(ret == -1)) { - /* LCOV_EXCL_START we can't actually make the syscall fail in testing. */ - tor_assert(errno != EAGAIN); - tor_assert(errno != EINTR); - - /* Useful log message for errno. */ - if (errno == ENOSYS) { - log_notice(LD_CRYPTO, "Can't get entropy from getrandom()." - " You are running a version of Tor built to support" - " getrandom(), but the kernel doesn't implement this" - " function--probably because it is too old?" - " Trying fallback method instead."); - } else { - log_notice(LD_CRYPTO, "Can't get entropy from getrandom(): %s." - " Trying fallback method instead.", - strerror(errno)); - } - - getrandom_works = 0; /* Don't bother trying again. */ - return -1; - /* LCOV_EXCL_STOP */ - } - - tor_assert(ret == (long)out_len); - return 0; - } - - return -1; /* getrandom() previously failed unexpectedly. */ -#elif defined(HAVE_GETENTROPY) - /* getentropy() is what Linux's getrandom() wants to be when it grows up. - * the only gotcha is that requests are limited to 256 bytes. - */ - return getentropy(out, out_len); -#else - (void) out; -#endif /* defined(_WIN32) || ... */ - - /* This platform doesn't have a supported syscall based random. */ - return -1; -} - -/** Try to get out_len bytes of the strongest entropy we can generate, - * via the per-platform fallback mechanism, storing it into out. - * Return 0 on success, -1 on failure. A maximum request size of 256 bytes - * is imposed. - */ -static int -crypto_strongest_rand_fallback(uint8_t *out, size_t out_len) -{ -#ifdef TOR_UNIT_TESTS - if (break_strongest_rng_fallback) - return -1; -#endif - -#ifdef _WIN32 - /* Windows exclusively uses crypto_strongest_rand_syscall(). */ - (void)out; - (void)out_len; - return -1; -#else /* !(defined(_WIN32)) */ - static const char *filenames[] = { - "/dev/srandom", "/dev/urandom", "/dev/random", NULL - }; - int fd, i; - size_t n; - - for (i = 0; filenames[i]; ++i) { - log_debug(LD_FS, "Considering %s as entropy source", filenames[i]); - fd = open(sandbox_intern_string(filenames[i]), O_RDONLY, 0); - if (fd<0) continue; - log_info(LD_CRYPTO, "Reading entropy from \"%s\"", filenames[i]); - n = read_all(fd, (char*)out, out_len, 0); - close(fd); - if (n != out_len) { - /* LCOV_EXCL_START - * We can't make /dev/foorandom actually fail. */ - log_notice(LD_CRYPTO, - "Error reading from entropy source %s (read only %lu bytes).", - filenames[i], - (unsigned long)n); - return -1; - /* LCOV_EXCL_STOP */ - } - - return 0; - } - - return -1; -#endif /* defined(_WIN32) */ -} - -/** Try to get out_len bytes of the strongest entropy we can generate, - * storing it into out. Return 0 on success, -1 on failure. A maximum - * request size of 256 bytes is imposed. - */ -STATIC int -crypto_strongest_rand_raw(uint8_t *out, size_t out_len) -{ - static const size_t sanity_min_size = 16; - static const int max_attempts = 3; - tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE); - - /* For buffers >= 16 bytes (128 bits), we sanity check the output by - * zero filling the buffer and ensuring that it actually was at least - * partially modified. - * - * Checking that any individual byte is non-zero seems like it would - * fail too often (p = out_len * 1/256) for comfort, but this is an - * "adjust according to taste" sort of check. - */ - memwipe(out, 0, out_len); - for (int i = 0; i < max_attempts; i++) { - /* Try to use the syscall/OS favored mechanism to get strong entropy. */ - if (crypto_strongest_rand_syscall(out, out_len) != 0) { - /* Try to use the less-favored mechanism to get strong entropy. */ - if (crypto_strongest_rand_fallback(out, out_len) != 0) { - /* Welp, we tried. Hopefully the calling code terminates the process - * since we're basically boned without good entropy. - */ - log_warn(LD_CRYPTO, - "Cannot get strong entropy: no entropy source found."); - return -1; - } - } - - if ((out_len < sanity_min_size) || !tor_mem_is_zero((char*)out, out_len)) - return 0; - } - - /* LCOV_EXCL_START - * - * We tried max_attempts times to fill a buffer >= 128 bits long, - * and each time it returned all '0's. Either the system entropy - * source is busted, or the user should go out and buy a ticket to - * every lottery on the planet. - */ - log_warn(LD_CRYPTO, "Strong OS entropy returned all zero buffer."); - - return -1; - /* LCOV_EXCL_STOP */ -} - -/** Try to get out_len bytes of the strongest entropy we can generate, - * storing it into out. - */ -void -crypto_strongest_rand(uint8_t *out, size_t out_len) -{ -#define DLEN SHA512_DIGEST_LENGTH - /* We're going to hash DLEN bytes from the system RNG together with some - * bytes from the openssl PRNG, in order to yield DLEN bytes. - */ - uint8_t inp[DLEN*2]; - uint8_t tmp[DLEN]; - tor_assert(out); - while (out_len) { - crypto_rand((char*) inp, DLEN); - if (crypto_strongest_rand_raw(inp+DLEN, DLEN) < 0) { - // LCOV_EXCL_START - log_err(LD_CRYPTO, "Failed to load strong entropy when generating an " - "important key. Exiting."); - /* Die with an assertion so we get a stack trace. */ - tor_assert(0); - // LCOV_EXCL_STOP - } - if (out_len >= DLEN) { - SHA512(inp, sizeof(inp), out); - out += DLEN; - out_len -= DLEN; - } else { - SHA512(inp, sizeof(inp), tmp); - memcpy(out, tmp, out_len); - break; - } - } - memwipe(tmp, 0, sizeof(tmp)); - memwipe(inp, 0, sizeof(inp)); -#undef DLEN -} - -/** Seed OpenSSL's random number generator with bytes from the operating - * system. Return 0 on success, -1 on failure. - */ -int -crypto_seed_rng(void) -{ - int rand_poll_ok = 0, load_entropy_ok = 0; - uint8_t buf[ADD_ENTROPY]; - - /* OpenSSL has a RAND_poll function that knows about more kinds of - * entropy than we do. We'll try calling that, *and* calling our own entropy - * functions. If one succeeds, we'll accept the RNG as seeded. */ - rand_poll_ok = RAND_poll(); - if (rand_poll_ok == 0) - log_warn(LD_CRYPTO, "RAND_poll() failed."); // LCOV_EXCL_LINE - - load_entropy_ok = !crypto_strongest_rand_raw(buf, sizeof(buf)); - if (load_entropy_ok) { - RAND_seed(buf, sizeof(buf)); - } - - memwipe(buf, 0, sizeof(buf)); - - if ((rand_poll_ok || load_entropy_ok) && RAND_status() == 1) - return 0; - else - return -1; -} - -/** Write n bytes of strong random data to to. Supports mocking - * for unit tests. - * - * This function is not allowed to fail; if it would fail to generate strong - * entropy, it must terminate the process instead. - */ -MOCK_IMPL(void, -crypto_rand, (char *to, size_t n)) -{ - crypto_rand_unmocked(to, n); -} - -/** Write n bytes of strong random data to to. Most callers - * will want crypto_rand instead. - * - * This function is not allowed to fail; if it would fail to generate strong - * entropy, it must terminate the process instead. - */ -void -crypto_rand_unmocked(char *to, size_t n) -{ - int r; - if (n == 0) - return; - - tor_assert(n < INT_MAX); - tor_assert(to); - r = RAND_bytes((unsigned char*)to, (int)n); - /* We consider a PRNG failure non-survivable. Let's assert so that we get a - * stack trace about where it happened. - */ - tor_assert(r >= 0); -} - -/** Return a pseudorandom integer, chosen uniformly from the values - * between 0 and max-1 inclusive. max must be between 1 and - * INT_MAX+1, inclusive. */ -int -crypto_rand_int(unsigned int max) -{ - unsigned int val; - unsigned int cutoff; - tor_assert(max <= ((unsigned int)INT_MAX)+1); - tor_assert(max > 0); /* don't div by 0 */ - - /* We ignore any values that are >= 'cutoff,' to avoid biasing the - * distribution with clipping at the upper end of unsigned int's - * range. - */ - cutoff = UINT_MAX - (UINT_MAX%max); - while (1) { - crypto_rand((char*)&val, sizeof(val)); - if (val < cutoff) - return val % max; - } -} - -/** Return a pseudorandom integer, chosen uniformly from the values i such - * that min <= i < max. - * - * min MUST be in range [0, max). - * max MUST be in range (min, INT_MAX]. - */ -int -crypto_rand_int_range(unsigned int min, unsigned int max) -{ - tor_assert(min < max); - tor_assert(max <= INT_MAX); - - /* The overflow is avoided here because crypto_rand_int() returns a value - * between 0 and (max - min) inclusive. */ - return min + crypto_rand_int(max - min); -} - -/** As crypto_rand_int_range, but supports uint64_t. */ -uint64_t -crypto_rand_uint64_range(uint64_t min, uint64_t max) -{ - tor_assert(min < max); - return min + crypto_rand_uint64(max - min); -} - -/** As crypto_rand_int_range, but supports time_t. */ -time_t -crypto_rand_time_range(time_t min, time_t max) -{ - tor_assert(min < max); - return min + (time_t)crypto_rand_uint64(max - min); -} - -/** Return a pseudorandom 64-bit integer, chosen uniformly from the values - * between 0 and max-1 inclusive. */ -uint64_t -crypto_rand_uint64(uint64_t max) -{ - uint64_t val; - uint64_t cutoff; - tor_assert(max < UINT64_MAX); - tor_assert(max > 0); /* don't div by 0 */ - - /* We ignore any values that are >= 'cutoff,' to avoid biasing the - * distribution with clipping at the upper end of unsigned int's - * range. - */ - cutoff = UINT64_MAX - (UINT64_MAX%max); - while (1) { - crypto_rand((char*)&val, sizeof(val)); - if (val < cutoff) - return val % max; - } -} - -/** Return a pseudorandom double d, chosen uniformly from the range - * 0.0 <= d < 1.0. - */ -double -crypto_rand_double(void) -{ - /* We just use an unsigned int here; we don't really care about getting - * more than 32 bits of resolution */ - unsigned int u; - crypto_rand((char*)&u, sizeof(u)); -#if SIZEOF_INT == 4 -#define UINT_MAX_AS_DOUBLE 4294967296.0 -#elif SIZEOF_INT == 8 -#define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19 -#else -#error SIZEOF_INT is neither 4 nor 8 -#endif /* SIZEOF_INT == 4 || ... */ - return ((double)u) / UINT_MAX_AS_DOUBLE; -} - -/** Generate and return a new random hostname starting with prefix, - * ending with suffix, and containing no fewer than - * min_rand_len and no more than max_rand_len random base32 - * characters. Does not check for failure. - * - * Clip max_rand_len to MAX_DNS_LABEL_SIZE. - **/ -char * -crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix, - const char *suffix) -{ - char *result, *rand_bytes; - int randlen, rand_bytes_len; - size_t resultlen, prefixlen; - - if (max_rand_len > MAX_DNS_LABEL_SIZE) - max_rand_len = MAX_DNS_LABEL_SIZE; - if (min_rand_len > max_rand_len) - min_rand_len = max_rand_len; - - randlen = crypto_rand_int_range(min_rand_len, max_rand_len+1); - - prefixlen = strlen(prefix); - resultlen = prefixlen + strlen(suffix) + randlen + 16; - - rand_bytes_len = ((randlen*5)+7)/8; - if (rand_bytes_len % 5) - rand_bytes_len += 5 - (rand_bytes_len%5); - rand_bytes = tor_malloc(rand_bytes_len); - crypto_rand(rand_bytes, rand_bytes_len); - - result = tor_malloc(resultlen); - memcpy(result, prefix, prefixlen); - base32_encode(result+prefixlen, resultlen-prefixlen, - rand_bytes, rand_bytes_len); - tor_free(rand_bytes); - strlcpy(result+prefixlen+randlen, suffix, resultlen-(prefixlen+randlen)); - - return result; -} - -/** Return a randomly chosen element of sl; or NULL if sl - * is empty. */ -void * -smartlist_choose(const smartlist_t *sl) -{ - int len = smartlist_len(sl); - if (len) - return smartlist_get(sl,crypto_rand_int(len)); - return NULL; /* no elements to choose from */ -} - -/** Scramble the elements of sl into a random order. */ -void -smartlist_shuffle(smartlist_t *sl) -{ - int i; - /* From the end of the list to the front, choose at random from the - positions we haven't looked at yet, and swap that position into the - current position. Remember to give "no swap" the same probability as - any other swap. */ - for (i = smartlist_len(sl)-1; i > 0; --i) { - int j = crypto_rand_int(i+1); - smartlist_swap(sl, i, j); - } -} - -/** - * Destroy the sz bytes of data stored at mem, setting them to - * the value byte. - * If mem is NULL or sz is zero, nothing happens. - * - * This function is preferable to memset, since many compilers will happily - * optimize out memset() when they can convince themselves that the data being - * cleared will never be read. - * - * Right now, our convention is to use this function when we are wiping data - * that's about to become inaccessible, such as stack buffers that are about - * to go out of scope or structures that are about to get freed. (In - * practice, it appears that the compilers we're currently using will optimize - * out the memset()s for stack-allocated buffers, but not those for - * about-to-be-freed structures. That could change, though, so we're being - * wary.) If there are live reads for the data, then you can just use - * memset(). - */ -void -memwipe(void *mem, uint8_t byte, size_t sz) -{ - if (sz == 0) { - return; - } - /* If sz is nonzero, then mem must not be NULL. */ - tor_assert(mem != NULL); - - /* Data this large is likely to be an underflow. */ - tor_assert(sz < SIZE_T_CEILING); - - /* Because whole-program-optimization exists, we may not be able to just - * have this function call "memset". A smart compiler could inline it, then - * eliminate dead memsets, and declare itself to be clever. */ - -#if defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY) - /* Here's what you do on windows. */ - SecureZeroMemory(mem,sz); -#elif defined(HAVE_RTLSECUREZEROMEMORY) - RtlSecureZeroMemory(mem,sz); -#elif defined(HAVE_EXPLICIT_BZERO) - /* The BSDs provide this. */ - explicit_bzero(mem, sz); -#elif defined(HAVE_MEMSET_S) - /* This is in the C99 standard. */ - memset_s(mem, sz, 0, sz); -#else - /* This is a slow and ugly function from OpenSSL that fills 'mem' with junk - * based on the pointer value, then uses that junk to update a global - * variable. It's an elaborate ruse to trick the compiler into not - * optimizing out the "wipe this memory" code. Read it if you like zany - * programming tricks! In later versions of Tor, we should look for better - * not-optimized-out memory wiping stuff... - * - * ...or maybe not. In practice, there are pure-asm implementations of - * OPENSSL_cleanse() on most platforms, which ought to do the job. - **/ - - OPENSSL_cleanse(mem, sz); -#endif /* defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY) || ... */ - - /* Just in case some caller of memwipe() is relying on getting a buffer - * filled with a particular value, fill the buffer. - * - * If this function gets inlined, this memset might get eliminated, but - * that's okay: We only care about this particular memset in the case where - * the caller should have been using memset(), and the memset() wouldn't get - * eliminated. In other words, this is here so that we won't break anything - * if somebody accidentally calls memwipe() instead of memset(). - **/ - memset(mem, byte, sz); -} - /** @{ */ /** Uninitialize the crypto library. Return 0 on success. Does not detect * failure. diff --git a/src/common/crypto.h b/src/common/crypto.h index b58679032..61a2952d2 100644 --- a/src/common/crypto.h +++ b/src/common/crypto.h @@ -105,31 +105,6 @@ int crypto_expand_key_material_rfc5869_sha256( const uint8_t *info_in, size_t info_in_len, uint8_t *key_out, size_t key_out_len); -/* random numbers */ -int crypto_seed_rng(void) ATTR_WUR; -MOCK_DECL(void,crypto_rand,(char *to, size_t n)); -void crypto_rand_unmocked(char *to, size_t n); -void crypto_strongest_rand(uint8_t *out, size_t out_len); -int crypto_rand_int(unsigned int max); -int crypto_rand_int_range(unsigned int min, unsigned int max); -uint64_t crypto_rand_uint64_range(uint64_t min, uint64_t max); -time_t crypto_rand_time_range(time_t min, time_t max); -uint64_t crypto_rand_uint64(uint64_t max); -double crypto_rand_double(void); -struct tor_weak_rng_t; -void crypto_seed_weak_rng(struct tor_weak_rng_t *rng); -int crypto_init_siphash_key(void); - -char *crypto_random_hostname(int min_rand_len, int max_rand_len, - const char *prefix, const char *suffix); - -struct smartlist_t; -void *smartlist_choose(const struct smartlist_t *sl); -void smartlist_shuffle(struct smartlist_t *sl); - -/** OpenSSL-based utility functions. */ -void memwipe(void *mem, uint8_t byte, size_t sz); - /* Prototypes for private functions only used by tortls.c, crypto.c, and the * unit tests. */ struct dh_st; @@ -137,16 +112,5 @@ struct dh_st *crypto_dh_get_dh_(crypto_dh_t *dh); void crypto_add_spaces_to_fp(char *out, size_t outlen, const char *in); -#ifdef CRYPTO_PRIVATE - -STATIC int crypto_force_rand_ssleay(void); -STATIC int crypto_strongest_rand_raw(uint8_t *out, size_t out_len); - -#ifdef TOR_UNIT_TESTS -extern int break_strongest_rng_syscall; -extern int break_strongest_rng_fallback; -#endif -#endif /* defined(CRYPTO_PRIVATE) */ - #endif /* !defined(TOR_CRYPTO_H) */ diff --git a/src/common/crypto_curve25519.c b/src/common/crypto_curve25519.c index ccf12d00f..0719c2f85 100644 --- a/src/common/crypto_curve25519.c +++ b/src/common/crypto_curve25519.c @@ -25,6 +25,8 @@ #include "crypto_curve25519.h" #include "crypto_format.h" #include "crypto_digest.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "util.h" #include "torlog.h" diff --git a/src/common/crypto_digest.c b/src/common/crypto_digest.c index cdcc1828c..f7163de13 100644 --- a/src/common/crypto_digest.c +++ b/src/common/crypto_digest.c @@ -10,10 +10,13 @@ * operations. **/ +#include "container.h" #include "crypto_digest.h" - -#include "crypto.h" /* common functions */ #include "crypto_openssl_mgt.h" +#include "crypto_util.h" +#include "torlog.h" + +#include "keccak-tiny/keccak-tiny.h" DISABLE_GCC_WARNING(redundant-decls) @@ -22,8 +25,6 @@ DISABLE_GCC_WARNING(redundant-decls) ENABLE_GCC_WARNING(redundant-decls) -#include "container.h" - /* Crypto digest functions */ /** Compute the SHA1 digest of the len bytes on data stored in diff --git a/src/common/crypto_ed25519.c b/src/common/crypto_ed25519.c index f1cc0cb18..baddb77dd 100644 --- a/src/common/crypto_ed25519.c +++ b/src/common/crypto_ed25519.c @@ -27,6 +27,8 @@ #include "crypto_curve25519.h" #include "crypto_ed25519.h" #include "crypto_format.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "torlog.h" #include "util.h" #include "util_format.h" diff --git a/src/common/crypto_format.c b/src/common/crypto_format.c index 3f6fb9f54..c0cade2f5 100644 --- a/src/common/crypto_format.c +++ b/src/common/crypto_format.c @@ -20,6 +20,7 @@ #include "crypto_ed25519.h" #include "crypto_format.h" #include "crypto_digest.h" +#include "crypto_util.h" #include "util.h" #include "util_format.h" #include "torlog.h" diff --git a/src/common/crypto_pwbox.c b/src/common/crypto_pwbox.c index 604fc68e9..e49ca226e 100644 --- a/src/common/crypto_pwbox.c +++ b/src/common/crypto_pwbox.c @@ -12,6 +12,8 @@ #include "crypto_s2k.h" #include "crypto_pwbox.h" #include "crypto_digest.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "di_ops.h" #include "util.h" #include "pwbox.h" diff --git a/src/common/crypto_rand.c b/src/common/crypto_rand.c new file mode 100644 index 000000000..66506235a --- /dev/null +++ b/src/common/crypto_rand.c @@ -0,0 +1,609 @@ +/* Copyright (c) 2001, Matej Pfajfar. + * Copyright (c) 2001-2004, Roger Dingledine. + * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. + * Copyright (c) 2007-2018, The Tor Project, Inc. */ +/* See LICENSE for licensing information */ + +/** + * \file crypto_rand.c + * + * \brief Functions for initialising and seeding (pseudo-)random + * number generators, and working with randomness. + **/ + +#ifndef CRYPTO_RAND_PRIVATE +#define CRYPTO_RAND_PRIVATE + +#ifdef _WIN32 +#include +#include +#endif /* defined(_WIN32) */ + +#include "crypto_rand.h" + +#include "container.h" +#include "compat.h" +#include "compat_openssl.h" +#include "crypto_util.h" +#include "sandbox.h" +#include "testsupport.h" +#include "torlog.h" +#include "util.h" +#include "util_format.h" + +DISABLE_GCC_WARNING(redundant-decls) +#include +ENABLE_GCC_WARNING(redundant-decls) + +#if __GNUC__ && GCC_VERSION >= 402 +#if GCC_VERSION >= 406 +#pragma GCC diagnostic pop +#else +#pragma GCC diagnostic warning "-Wredundant-decls" +#endif +#endif /* __GNUC__ && GCC_VERSION >= 402 */ + +#ifdef HAVE_FCNTL_H +#include +#endif +#ifdef HAVE_SYS_FCNTL_H +#include +#endif +#ifdef HAVE_SYS_STAT_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif + +/** + * How many bytes of entropy we add at once. + * + * This is how much entropy OpenSSL likes to add right now, so maybe it will + * work for us too. + **/ +#define ADD_ENTROPY 32 + +/** + * Longest recognized DNS query. + **/ +#define MAX_DNS_LABEL_SIZE 63 + +/** + * Largest strong entropy request permitted. + **/ +#define MAX_STRONGEST_RAND_SIZE 256 + +/** + * Set the seed of the weak RNG to a random value. + **/ +void +crypto_seed_weak_rng(tor_weak_rng_t *rng) +{ + unsigned seed; + crypto_rand((void*)&seed, sizeof(seed)); + tor_init_weak_random(rng, seed); +} + +#ifdef TOR_UNIT_TESTS +int break_strongest_rng_syscall = 0; +int break_strongest_rng_fallback = 0; +#endif + +/** + * Try to get out_len bytes of the strongest entropy we can generate, + * via system calls, storing it into out. Return 0 on success, -1 on + * failure. A maximum request size of 256 bytes is imposed. + **/ +static int +crypto_strongest_rand_syscall(uint8_t *out, size_t out_len) +{ + tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE); + + /* We only log at notice-level here because in the case that this function + * fails the crypto_strongest_rand_raw() caller will log with a warning-level + * message and let crypto_strongest_rand() error out and finally terminating + * Tor with an assertion error. + */ + +#ifdef TOR_UNIT_TESTS + if (break_strongest_rng_syscall) + return -1; +#endif + +#if defined(_WIN32) + static int provider_set = 0; + static HCRYPTPROV provider; + + if (!provider_set) { + if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL, + CRYPT_VERIFYCONTEXT)) { + log_notice(LD_CRYPTO, "Unable to set Windows CryptoAPI provider [1]."); + return -1; + } + provider_set = 1; + } + if (!CryptGenRandom(provider, out_len, out)) { + log_notice(LD_CRYPTO, "Unable get entropy from the Windows CryptoAPI."); + return -1; + } + + return 0; +#elif defined(__linux__) && defined(SYS_getrandom) + static int getrandom_works = 1; /* Be optimistic about our chances... */ + + /* getrandom() isn't as straightforward as getentropy(), and has + * no glibc wrapper. + * + * As far as I can tell from getrandom(2) and the source code, the + * requests we issue will always succeed (though it will block on the + * call if /dev/urandom isn't seeded yet), since we are NOT specifying + * GRND_NONBLOCK and the request is <= 256 bytes. + * + * The manpage is unclear on what happens if a signal interrupts the call + * while the request is blocked due to lack of entropy.... + * + * We optimistically assume that getrandom() is available and functional + * because it is the way of the future, and 2 branch mispredicts pale in + * comparison to the overheads involved with failing to open + * /dev/srandom followed by opening and reading from /dev/urandom. + */ + if (PREDICT_LIKELY(getrandom_works)) { + long ret; + /* A flag of '0' here means to read from '/dev/urandom', and to + * block if insufficient entropy is available to service the + * request. + */ + const unsigned int flags = 0; + do { + ret = syscall(SYS_getrandom, out, out_len, flags); + } while (ret == -1 && ((errno == EINTR) ||(errno == EAGAIN))); + + if (PREDICT_UNLIKELY(ret == -1)) { + /* LCOV_EXCL_START we can't actually make the syscall fail in testing. */ + tor_assert(errno != EAGAIN); + tor_assert(errno != EINTR); + + /* Useful log message for errno. */ + if (errno == ENOSYS) { + log_notice(LD_CRYPTO, "Can't get entropy from getrandom()." + " You are running a version of Tor built to support" + " getrandom(), but the kernel doesn't implement this" + " function--probably because it is too old?" + " Trying fallback method instead."); + } else { + log_notice(LD_CRYPTO, "Can't get entropy from getrandom(): %s." + " Trying fallback method instead.", + strerror(errno)); + } + + getrandom_works = 0; /* Don't bother trying again. */ + return -1; + /* LCOV_EXCL_STOP */ + } + + tor_assert(ret == (long)out_len); + return 0; + } + + return -1; /* getrandom() previously failed unexpectedly. */ +#elif defined(HAVE_GETENTROPY) + /* getentropy() is what Linux's getrandom() wants to be when it grows up. + * the only gotcha is that requests are limited to 256 bytes. + */ + return getentropy(out, out_len); +#else + (void) out; +#endif /* defined(_WIN32) || ... */ + + /* This platform doesn't have a supported syscall based random. */ + return -1; +} + +/** + * Try to get out_len bytes of the strongest entropy we can generate, + * via the per-platform fallback mechanism, storing it into out. + * Return 0 on success, -1 on failure. A maximum request size of 256 bytes + * is imposed. + **/ +static int +crypto_strongest_rand_fallback(uint8_t *out, size_t out_len) +{ +#ifdef TOR_UNIT_TESTS + if (break_strongest_rng_fallback) + return -1; +#endif + +#ifdef _WIN32 + /* Windows exclusively uses crypto_strongest_rand_syscall(). */ + (void)out; + (void)out_len; + return -1; +#else /* !(defined(_WIN32)) */ + static const char *filenames[] = { + "/dev/srandom", "/dev/urandom", "/dev/random", NULL + }; + int fd, i; + size_t n; + + for (i = 0; filenames[i]; ++i) { + log_debug(LD_FS, "Considering %s as entropy source", filenames[i]); + fd = open(sandbox_intern_string(filenames[i]), O_RDONLY, 0); + if (fd<0) continue; + log_info(LD_CRYPTO, "Reading entropy from \"%s\"", filenames[i]); + n = read_all(fd, (char*)out, out_len, 0); + close(fd); + if (n != out_len) { + /* LCOV_EXCL_START + * We can't make /dev/foorandom actually fail. */ + log_notice(LD_CRYPTO, + "Error reading from entropy source %s (read only %lu bytes).", + filenames[i], + (unsigned long)n); + return -1; + /* LCOV_EXCL_STOP */ + } + + return 0; + } + + return -1; +#endif /* defined(_WIN32) */ +} + +/** + * Try to get out_len bytes of the strongest entropy we can generate, + * storing it into out. Return 0 on success, -1 on failure. A maximum + * request size of 256 bytes is imposed. + **/ +STATIC int +crypto_strongest_rand_raw(uint8_t *out, size_t out_len) +{ + static const size_t sanity_min_size = 16; + static const int max_attempts = 3; + tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE); + + /* For buffers >= 16 bytes (128 bits), we sanity check the output by + * zero filling the buffer and ensuring that it actually was at least + * partially modified. + * + * Checking that any individual byte is non-zero seems like it would + * fail too often (p = out_len * 1/256) for comfort, but this is an + * "adjust according to taste" sort of check. + */ + memwipe(out, 0, out_len); + for (int i = 0; i < max_attempts; i++) { + /* Try to use the syscall/OS favored mechanism to get strong entropy. */ + if (crypto_strongest_rand_syscall(out, out_len) != 0) { + /* Try to use the less-favored mechanism to get strong entropy. */ + if (crypto_strongest_rand_fallback(out, out_len) != 0) { + /* Welp, we tried. Hopefully the calling code terminates the process + * since we're basically boned without good entropy. + */ + log_warn(LD_CRYPTO, + "Cannot get strong entropy: no entropy source found."); + return -1; + } + } + + if ((out_len < sanity_min_size) || !tor_mem_is_zero((char*)out, out_len)) + return 0; + } + + /* LCOV_EXCL_START + * + * We tried max_attempts times to fill a buffer >= 128 bits long, + * and each time it returned all '0's. Either the system entropy + * source is busted, or the user should go out and buy a ticket to + * every lottery on the planet. + */ + log_warn(LD_CRYPTO, "Strong OS entropy returned all zero buffer."); + + return -1; + /* LCOV_EXCL_STOP */ +} + +/** + * Try to get out_len bytes of the strongest entropy we can generate, + * storing it into out. + **/ +void +crypto_strongest_rand(uint8_t *out, size_t out_len) +{ +#define DLEN SHA512_DIGEST_LENGTH + /* We're going to hash DLEN bytes from the system RNG together with some + * bytes from the openssl PRNG, in order to yield DLEN bytes. + */ + uint8_t inp[DLEN*2]; + uint8_t tmp[DLEN]; + tor_assert(out); + while (out_len) { + crypto_rand((char*) inp, DLEN); + if (crypto_strongest_rand_raw(inp+DLEN, DLEN) < 0) { + // LCOV_EXCL_START + log_err(LD_CRYPTO, "Failed to load strong entropy when generating an " + "important key. Exiting."); + /* Die with an assertion so we get a stack trace. */ + tor_assert(0); + // LCOV_EXCL_STOP + } + if (out_len >= DLEN) { + SHA512(inp, sizeof(inp), out); + out += DLEN; + out_len -= DLEN; + } else { + SHA512(inp, sizeof(inp), tmp); + memcpy(out, tmp, out_len); + break; + } + } + memwipe(tmp, 0, sizeof(tmp)); + memwipe(inp, 0, sizeof(inp)); +#undef DLEN +} + +/** + * Seed OpenSSL's random number generator with bytes from the operating + * system. Return 0 on success, -1 on failure. + **/ +int +crypto_seed_rng(void) +{ + int rand_poll_ok = 0, load_entropy_ok = 0; + uint8_t buf[ADD_ENTROPY]; + + /* OpenSSL has a RAND_poll function that knows about more kinds of + * entropy than we do. We'll try calling that, *and* calling our own entropy + * functions. If one succeeds, we'll accept the RNG as seeded. */ + rand_poll_ok = RAND_poll(); + if (rand_poll_ok == 0) + log_warn(LD_CRYPTO, "RAND_poll() failed."); // LCOV_EXCL_LINE + + load_entropy_ok = !crypto_strongest_rand_raw(buf, sizeof(buf)); + if (load_entropy_ok) { + RAND_seed(buf, sizeof(buf)); + } + + memwipe(buf, 0, sizeof(buf)); + + if ((rand_poll_ok || load_entropy_ok) && RAND_status() == 1) + return 0; + else + return -1; +} + +/** + * Write n bytes of strong random data to to. Supports mocking + * for unit tests. + * + * This function is not allowed to fail; if it would fail to generate strong + * entropy, it must terminate the process instead. + **/ +MOCK_IMPL(void, +crypto_rand, (char *to, size_t n)) +{ + crypto_rand_unmocked(to, n); +} + +/** + * Write n bytes of strong random data to to. Most callers + * will want crypto_rand instead. + * + * This function is not allowed to fail; if it would fail to generate strong + * entropy, it must terminate the process instead. + **/ +void +crypto_rand_unmocked(char *to, size_t n) +{ + int r; + if (n == 0) + return; + + tor_assert(n < INT_MAX); + tor_assert(to); + r = RAND_bytes((unsigned char*)to, (int)n); + /* We consider a PRNG failure non-survivable. Let's assert so that we get a + * stack trace about where it happened. + */ + tor_assert(r >= 0); +} + +/** + * Return a pseudorandom integer, chosen uniformly from the values + * between 0 and max-1 inclusive. max must be between 1 and + * INT_MAX+1, inclusive. + */ +int +crypto_rand_int(unsigned int max) +{ + unsigned int val; + unsigned int cutoff; + tor_assert(max <= ((unsigned int)INT_MAX)+1); + tor_assert(max > 0); /* don't div by 0 */ + + /* We ignore any values that are >= 'cutoff,' to avoid biasing the + * distribution with clipping at the upper end of unsigned int's + * range. + */ + cutoff = UINT_MAX - (UINT_MAX%max); + while (1) { + crypto_rand((char*)&val, sizeof(val)); + if (val < cutoff) + return val % max; + } +} + +/** + * Return a pseudorandom integer, chosen uniformly from the values i such + * that min <= i < max. + * + * min MUST be in range [0, max). + * max MUST be in range (min, INT_MAX]. + **/ +int +crypto_rand_int_range(unsigned int min, unsigned int max) +{ + tor_assert(min < max); + tor_assert(max <= INT_MAX); + + /* The overflow is avoided here because crypto_rand_int() returns a value + * between 0 and (max - min) inclusive. */ + return min + crypto_rand_int(max - min); +} + +/** + * As crypto_rand_int_range, but supports uint64_t. + **/ +uint64_t +crypto_rand_uint64_range(uint64_t min, uint64_t max) +{ + tor_assert(min < max); + return min + crypto_rand_uint64(max - min); +} + +/** + * As crypto_rand_int_range, but supports time_t. + **/ +time_t +crypto_rand_time_range(time_t min, time_t max) +{ + tor_assert(min < max); + return min + (time_t)crypto_rand_uint64(max - min); +} + +/** + * Return a pseudorandom 64-bit integer, chosen uniformly from the values + * between 0 and max-1 inclusive. + **/ +uint64_t +crypto_rand_uint64(uint64_t max) +{ + uint64_t val; + uint64_t cutoff; + tor_assert(max < UINT64_MAX); + tor_assert(max > 0); /* don't div by 0 */ + + /* We ignore any values that are >= 'cutoff,' to avoid biasing the + * distribution with clipping at the upper end of unsigned int's + * range. + */ + cutoff = UINT64_MAX - (UINT64_MAX%max); + while (1) { + crypto_rand((char*)&val, sizeof(val)); + if (val < cutoff) + return val % max; + } +} + +/** + * Return a pseudorandom double d, chosen uniformly from the range + * 0.0 <= d < 1.0. + **/ +double +crypto_rand_double(void) +{ + /* We just use an unsigned int here; we don't really care about getting + * more than 32 bits of resolution */ + unsigned int u; + crypto_rand((char*)&u, sizeof(u)); +#if SIZEOF_INT == 4 +#define UINT_MAX_AS_DOUBLE 4294967296.0 +#elif SIZEOF_INT == 8 +#define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19 +#else +#error SIZEOF_INT is neither 4 nor 8 +#endif /* SIZEOF_INT == 4 || ... */ + return ((double)u) / UINT_MAX_AS_DOUBLE; +} + +/** + * Generate and return a new random hostname starting with prefix, + * ending with suffix, and containing no fewer than + * min_rand_len and no more than max_rand_len random base32 + * characters. Does not check for failure. + * + * Clip max_rand_len to MAX_DNS_LABEL_SIZE. + **/ +char * +crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix, + const char *suffix) +{ + char *result, *rand_bytes; + int randlen, rand_bytes_len; + size_t resultlen, prefixlen; + + if (max_rand_len > MAX_DNS_LABEL_SIZE) + max_rand_len = MAX_DNS_LABEL_SIZE; + if (min_rand_len > max_rand_len) + min_rand_len = max_rand_len; + + randlen = crypto_rand_int_range(min_rand_len, max_rand_len+1); + + prefixlen = strlen(prefix); + resultlen = prefixlen + strlen(suffix) + randlen + 16; + + rand_bytes_len = ((randlen*5)+7)/8; + if (rand_bytes_len % 5) + rand_bytes_len += 5 - (rand_bytes_len%5); + rand_bytes = tor_malloc(rand_bytes_len); + crypto_rand(rand_bytes, rand_bytes_len); + + result = tor_malloc(resultlen); + memcpy(result, prefix, prefixlen); + base32_encode(result+prefixlen, resultlen-prefixlen, + rand_bytes, rand_bytes_len); + tor_free(rand_bytes); + strlcpy(result+prefixlen+randlen, suffix, resultlen-(prefixlen+randlen)); + + return result; +} + +/** + * Return a randomly chosen element of sl; or NULL if sl + * is empty. + **/ +void * +smartlist_choose(const smartlist_t *sl) +{ + int len = smartlist_len(sl); + if (len) + return smartlist_get(sl,crypto_rand_int(len)); + return NULL; /* no elements to choose from */ +} + +/** + * Scramble the elements of sl into a random order. + **/ +void +smartlist_shuffle(smartlist_t *sl) +{ + int i; + /* From the end of the list to the front, choose at random from the + positions we haven't looked at yet, and swap that position into the + current position. Remember to give "no swap" the same probability as + any other swap. */ + for (i = smartlist_len(sl)-1; i > 0; --i) { + int j = crypto_rand_int(i+1); + smartlist_swap(sl, i, j); + } +} + +/** Make sure that openssl is using its default PRNG. Return 1 if we had to + * adjust it; 0 otherwise. */ +int +crypto_force_rand_ssleay(void) +{ + RAND_METHOD *default_method; + default_method = RAND_OpenSSL(); + if (RAND_get_rand_method() != default_method) { + log_notice(LD_CRYPTO, "It appears that one of our engines has provided " + "a replacement the OpenSSL RNG. Resetting it to the default " + "implementation."); + RAND_set_rand_method(default_method); + return 1; + } + return 0; +} + +#endif /* !defined(CRYPTO_RAND_PRIVATE) */ + diff --git a/src/common/crypto_rand.h b/src/common/crypto_rand.h new file mode 100644 index 000000000..c78195633 --- /dev/null +++ b/src/common/crypto_rand.h @@ -0,0 +1,53 @@ +/* Copyright (c) 2001, Matej Pfajfar. + * Copyright (c) 2001-2004, Roger Dingledine. + * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. + * Copyright (c) 2007-2018, The Tor Project, Inc. */ +/* See LICENSE for licensing information */ + +/** + * \file crypto_rand.h + * + * \brief Common functions for using (psuedo-)random number generators. + **/ + +#ifndef TOR_CRYPTO_RAND_H +#define TOR_CRYPTO_RAND_H + +#include "torint.h" +#include "util.h" + +/* random numbers */ +int crypto_seed_rng(void) ATTR_WUR; +MOCK_DECL(void,crypto_rand,(char *to, size_t n)); +void crypto_rand_unmocked(char *to, size_t n); +void crypto_strongest_rand(uint8_t *out, size_t out_len); +int crypto_rand_int(unsigned int max); +int crypto_rand_int_range(unsigned int min, unsigned int max); +uint64_t crypto_rand_uint64_range(uint64_t min, uint64_t max); +time_t crypto_rand_time_range(time_t min, time_t max); +uint64_t crypto_rand_uint64(uint64_t max); +double crypto_rand_double(void); +struct tor_weak_rng_t; +void crypto_seed_weak_rng(struct tor_weak_rng_t *rng); +int crypto_init_siphash_key(void); + +char *crypto_random_hostname(int min_rand_len, int max_rand_len, + const char *prefix, const char *suffix); + +struct smartlist_t; +void *smartlist_choose(const struct smartlist_t *sl); +void smartlist_shuffle(struct smartlist_t *sl); +int crypto_force_rand_ssleay(void); + +#ifdef CRYPTO_RAND_PRIVATE + +STATIC int crypto_strongest_rand_raw(uint8_t *out, size_t out_len); + +#ifdef TOR_UNIT_TESTS +extern int break_strongest_rng_syscall; +extern int break_strongest_rng_fallback; +#endif +#endif /* defined(CRYPTO_RAND_PRIVATE) */ + +#endif /* !defined(TOR_CRYPTO_RAND_H) */ + diff --git a/src/common/crypto_rsa.c b/src/common/crypto_rsa.c index 986ccb0ee..0e006b0eb 100644 --- a/src/common/crypto_rsa.c +++ b/src/common/crypto_rsa.c @@ -15,6 +15,8 @@ #include "crypto_curve25519.h" #include "crypto_format.h" #include "crypto_digest.h" +#include "crypto_rand.h" +#include "crypto_util.h" DISABLE_GCC_WARNING(redundant-decls) diff --git a/src/common/crypto_s2k.c b/src/common/crypto_s2k.c index 316445e40..7d7f475b6 100644 --- a/src/common/crypto_s2k.c +++ b/src/common/crypto_s2k.c @@ -17,6 +17,8 @@ #include "compat.h" #include "crypto_s2k.h" #include "crypto_digest.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include diff --git a/src/common/crypto_util.c b/src/common/crypto_util.c new file mode 100644 index 000000000..c09afe6ee --- /dev/null +++ b/src/common/crypto_util.c @@ -0,0 +1,105 @@ +/* Copyright (c) 2001, Matej Pfajfar. + * Copyright (c) 2001-2004, Roger Dingledine. + * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. + * Copyright (c) 2007-2018, The Tor Project, Inc. */ +/* See LICENSE for licensing information */ + +/** + * \file crypto_util.c + * + * \brief Common cryptographic utilities. + **/ + +#ifndef CRYPTO_UTIL_PRIVATE +#define CRYPTO_UTIL_PRIVATE + +#include + +#ifdef _WIN32 +#include +#include +#endif /* defined(_WIN32) */ + +#include "crypto_util.h" +#include "util.h" + +DISABLE_GCC_WARNING(redundant-decls) + +#include + +ENABLE_GCC_WARNING(redundant-decls) + +/** + * Destroy the sz bytes of data stored at mem, setting them to + * the value byte. + * If mem is NULL or sz is zero, nothing happens. + * + * This function is preferable to memset, since many compilers will happily + * optimize out memset() when they can convince themselves that the data being + * cleared will never be read. + * + * Right now, our convention is to use this function when we are wiping data + * that's about to become inaccessible, such as stack buffers that are about + * to go out of scope or structures that are about to get freed. (In + * practice, it appears that the compilers we're currently using will optimize + * out the memset()s for stack-allocated buffers, but not those for + * about-to-be-freed structures. That could change, though, so we're being + * wary.) If there are live reads for the data, then you can just use + * memset(). + */ +void +memwipe(void *mem, uint8_t byte, size_t sz) +{ + if (sz == 0) { + return; + } + /* If sz is nonzero, then mem must not be NULL. */ + tor_assert(mem != NULL); + + /* Data this large is likely to be an underflow. */ + tor_assert(sz < SIZE_T_CEILING); + + /* Because whole-program-optimization exists, we may not be able to just + * have this function call "memset". A smart compiler could inline it, then + * eliminate dead memsets, and declare itself to be clever. */ + +#if defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY) + /* Here's what you do on windows. */ + SecureZeroMemory(mem,sz); +#elif defined(HAVE_RTLSECUREZEROMEMORY) + RtlSecureZeroMemory(mem,sz); +#elif defined(HAVE_EXPLICIT_BZERO) + /* The BSDs provide this. */ + explicit_bzero(mem, sz); +#elif defined(HAVE_MEMSET_S) + /* This is in the C99 standard. */ + memset_s(mem, sz, 0, sz); +#else + /* This is a slow and ugly function from OpenSSL that fills 'mem' with junk + * based on the pointer value, then uses that junk to update a global + * variable. It's an elaborate ruse to trick the compiler into not + * optimizing out the "wipe this memory" code. Read it if you like zany + * programming tricks! In later versions of Tor, we should look for better + * not-optimized-out memory wiping stuff... + * + * ...or maybe not. In practice, there are pure-asm implementations of + * OPENSSL_cleanse() on most platforms, which ought to do the job. + **/ + + OPENSSL_cleanse(mem, sz); +#endif /* defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY) || ... */ + + /* Just in case some caller of memwipe() is relying on getting a buffer + * filled with a particular value, fill the buffer. + * + * If this function gets inlined, this memset might get eliminated, but + * that's okay: We only care about this particular memset in the case where + * the caller should have been using memset(), and the memset() wouldn't get + * eliminated. In other words, this is here so that we won't break anything + * if somebody accidentally calls memwipe() instead of memset(). + **/ + memset(mem, byte, sz); +} + +#endif /* !defined(CRYPTO_UTIL_PRIVATE) */ + diff --git a/src/common/crypto_util.h b/src/common/crypto_util.h new file mode 100644 index 000000000..922942b37 --- /dev/null +++ b/src/common/crypto_util.h @@ -0,0 +1,27 @@ +/* Copyright (c) 2001, Matej Pfajfar. + * Copyright (c) 2001-2004, Roger Dingledine. + * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. + * Copyright (c) 2007-2018, The Tor Project, Inc. */ +/* See LICENSE for licensing information */ + +/** + * \file crypto_util.h + * + * \brief Common functions for cryptographic routines. + **/ + +#ifndef TOR_CRYPTO_UTIL_H +#define TOR_CRYPTO_UTIL_H + +#include "torint.h" + +/** OpenSSL-based utility functions. */ +void memwipe(void *mem, uint8_t byte, size_t sz); + +#ifdef CRYPTO_UTIL_PRIVATE +#ifdef TOR_UNIT_TESTS +#endif /* defined(TOR_UNIT_TESTS) */ +#endif /* defined(CRYPTO_UTIL_PRIVATE) */ + +#endif /* !defined(TOR_CRYPTO_UTIL_H) */ + diff --git a/src/common/include.am b/src/common/include.am index 73c51ff0b..f0cbd0e1d 100644 --- a/src/common/include.am +++ b/src/common/include.am @@ -118,8 +118,10 @@ LIBOR_CRYPTO_A_SRC = \ src/common/crypto_rsa.c \ src/common/crypto_openssl_mgt.c \ src/common/crypto_pwbox.c \ + src/common/crypto_rand.c \ src/common/crypto_s2k.c \ src/common/crypto_format.c \ + src/common/crypto_util.c \ src/common/tortls.c \ src/common/crypto_curve25519.c \ src/common/crypto_ed25519.c @@ -173,7 +175,9 @@ COMMONHEADERS = \ src/common/crypto_openssl_mgt.h \ src/common/crypto_rsa.h \ src/common/crypto_pwbox.h \ + src/common/crypto_rand.h \ src/common/crypto_s2k.h \ + src/common/crypto_util.h \ src/common/di_ops.h \ src/common/handles.h \ src/common/memarea.h \ diff --git a/src/common/tortls.c b/src/common/tortls.c index 05e29e22f..e58afd9a9 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -26,6 +26,8 @@ #endif #include "crypto.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "compat.h" /* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in diff --git a/src/common/workqueue.c b/src/common/workqueue.c index ec96959b7..de0079b75 100644 --- a/src/common/workqueue.c +++ b/src/common/workqueue.c @@ -25,7 +25,7 @@ #include "orconfig.h" #include "compat.h" #include "compat_threads.h" -#include "crypto.h" +#include "crypto_rand.h" #include "util.h" #include "workqueue.h" #include "tor_queue.h" diff --git a/src/ext/ed25519/donna/ed25519-randombytes-custom.h b/src/ext/ed25519/donna/ed25519-randombytes-custom.h index 3fb0959fc..27eade4f9 100644 --- a/src/ext/ed25519/donna/ed25519-randombytes-custom.h +++ b/src/ext/ed25519/donna/ed25519-randombytes-custom.h @@ -8,7 +8,7 @@ */ /* Tor: Instead of calling OpenSSL's CSPRNG directly, call the wrapper. */ -#include "crypto.h" +#include "crypto_rand.h" static void ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len) diff --git a/src/ext/ed25519/donna/ed25519_tor.c b/src/ext/ed25519/donna/ed25519_tor.c index 84fc3850a..43de9faae 100644 --- a/src/ext/ed25519/donna/ed25519_tor.c +++ b/src/ext/ed25519/donna/ed25519_tor.c @@ -40,6 +40,8 @@ #include "ed25519-randombytes.h" #include "ed25519-hash.h" +#include "crypto_util.h" + typedef unsigned char ed25519_signature[64]; typedef unsigned char ed25519_public_key[32]; typedef unsigned char ed25519_secret_key[32]; diff --git a/src/ext/ed25519/ref10/blinding.c b/src/ext/ed25519/ref10/blinding.c index a3b32fa80..88e84cac2 100644 --- a/src/ext/ed25519/ref10/blinding.c +++ b/src/ext/ed25519/ref10/blinding.c @@ -7,7 +7,7 @@ #include "ed25519_ref10.h" #include -#include "crypto.h" +#include "crypto_util.h" static void ed25519_ref10_gettweak(unsigned char *out, const unsigned char *param) diff --git a/src/ext/ed25519/ref10/keypair.c b/src/ext/ed25519/ref10/keypair.c index 68a88f9ad..c437f0a4f 100644 --- a/src/ext/ed25519/ref10/keypair.c +++ b/src/ext/ed25519/ref10/keypair.c @@ -6,6 +6,9 @@ #include "crypto_hash_sha512.h" #include "ge.h" +#include "crypto_rand.h" +#include "crypto_util.h" + int crypto_sign_seckey(unsigned char *sk) { diff --git a/src/ext/keccak-tiny/keccak-tiny-unrolled.c b/src/ext/keccak-tiny/keccak-tiny-unrolled.c index d8d7fe335..07e8c95bc 100644 --- a/src/ext/keccak-tiny/keccak-tiny-unrolled.c +++ b/src/ext/keccak-tiny/keccak-tiny-unrolled.c @@ -9,7 +9,7 @@ #include "keccak-tiny.h" #include -#include "crypto.h" +#include "crypto_util.h" #include "byteorder.h" /******** Endianness conversion helpers ********/ diff --git a/src/or/addressmap.c b/src/or/addressmap.c index 96ce27557..f691ef9aa 100644 --- a/src/or/addressmap.c +++ b/src/or/addressmap.c @@ -21,6 +21,7 @@ #include "config.h" #include "connection_edge.h" #include "control.h" +#include "crypto_rand.h" #include "dns.h" #include "routerset.h" #include "nodelist.h" diff --git a/src/or/channelpadding.c b/src/or/channelpadding.c index 5da3009e6..0c20d6dd3 100644 --- a/src/or/channelpadding.c +++ b/src/or/channelpadding.c @@ -16,6 +16,7 @@ #include "networkstatus.h" #include "connection.h" #include "connection_or.h" +#include "crypto_rand.h" #include "main.h" #include "rephist.h" #include "router.h" diff --git a/src/or/circpathbias.c b/src/or/circpathbias.c index c1c1ca31b..ff42bf91e 100644 --- a/src/or/circpathbias.c +++ b/src/or/circpathbias.c @@ -30,6 +30,7 @@ #include "circuitstats.h" #include "connection_edge.h" #include "config.h" +#include "crypto_rand.h" #include "entrynodes.h" #include "networkstatus.h" #include "relay.h" diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c index 8b7990e5f..fbc4fc4ac 100644 --- a/src/or/circuitbuild.c +++ b/src/or/circuitbuild.c @@ -43,7 +43,7 @@ #include "connection_edge.h" #include "connection_or.h" #include "control.h" -#include "crypto.h" +#include "crypto_rand.h" #include "directory.h" #include "entrynodes.h" #include "hs_ntor.h" diff --git a/src/or/circuitlist.c b/src/or/circuitlist.c index f362b8e97..02e218134 100644 --- a/src/or/circuitlist.c +++ b/src/or/circuitlist.c @@ -65,6 +65,8 @@ #include "connection_edge.h" #include "connection_or.h" #include "control.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "entrynodes.h" #include "main.h" #include "hs_circuit.h" diff --git a/src/or/circuitstats.c b/src/or/circuitstats.c index 643831927..0dfde67f8 100644 --- a/src/or/circuitstats.c +++ b/src/or/circuitstats.c @@ -31,6 +31,7 @@ #include "config.h" #include "confparse.h" #include "control.h" +#include "crypto_rand.h" #include "main.h" #include "networkstatus.h" #include "rendclient.h" diff --git a/src/or/command.c b/src/or/command.c index 4f99462f3..aa792a006 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -46,6 +46,7 @@ #include "config.h" #include "control.h" #include "cpuworker.h" +#include "crypto_util.h" #include "dos.h" #include "hibernate.h" #include "nodelist.h" diff --git a/src/or/config.c b/src/or/config.c index 212c6c6b9..18298937e 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -78,6 +78,8 @@ #include "control.h" #include "confparse.h" #include "cpuworker.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "dirserv.h" #include "dirvote.h" #include "dns.h" diff --git a/src/or/connection.c b/src/or/connection.c index 5532551cf..69a8d24c9 100644 --- a/src/or/connection.c +++ b/src/or/connection.c @@ -76,6 +76,7 @@ #include "connection_edge.h" #include "connection_or.h" #include "control.h" +#include "crypto_util.h" #include "directory.h" #include "dirserv.h" #include "dns.h" diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index 948c8722b..d74512c45 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -70,6 +70,7 @@ #include "connection_edge.h" #include "connection_or.h" #include "control.h" +#include "crypto_util.h" #include "dns.h" #include "dnsserv.h" #include "directory.h" diff --git a/src/or/connection_or.c b/src/or/connection_or.c index 267463312..ad5ee6a2b 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -39,6 +39,8 @@ #include "connection.h" #include "connection_or.h" #include "control.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "dirserv.h" #include "entrynodes.h" #include "geoip.h" diff --git a/src/or/conscache.c b/src/or/conscache.c index e25ac5f40..51dc9d621 100644 --- a/src/or/conscache.c +++ b/src/or/conscache.c @@ -5,6 +5,7 @@ #include "config.h" #include "conscache.h" +#include "crypto_util.h" #include "storagedir.h" #define CCE_MAGIC 0x17162253 diff --git a/src/or/control.c b/src/or/control.c index 5cac0e172..ee4f02cb2 100644 --- a/src/or/control.c +++ b/src/or/control.c @@ -52,6 +52,8 @@ #include "connection_edge.h" #include "connection_or.h" #include "control.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "directory.h" #include "dirserv.h" #include "dnsserv.h" diff --git a/src/or/cpuworker.c b/src/or/cpuworker.c index 7da7dc5f8..8f03d654a 100644 --- a/src/or/cpuworker.c +++ b/src/or/cpuworker.c @@ -24,6 +24,8 @@ #include "connection_or.h" #include "config.h" #include "cpuworker.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "main.h" #include "onion.h" #include "rephist.h" diff --git a/src/or/directory.c b/src/or/directory.c index c419b61d0..44e3d2f2a 100644 --- a/src/or/directory.c +++ b/src/or/directory.c @@ -18,6 +18,8 @@ #include "consdiffmgr.h" #include "control.h" #include "compat.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "directory.h" #include "dirserv.h" #include "dirvote.h" diff --git a/src/or/dns.c b/src/or/dns.c index e4dc8048e..34f28252f 100644 --- a/src/or/dns.c +++ b/src/or/dns.c @@ -56,6 +56,7 @@ #include "connection.h" #include "connection_edge.h" #include "control.h" +#include "crypto_rand.h" #include "dns.h" #include "main.h" #include "policies.h" diff --git a/src/or/dos.c b/src/or/dos.c index 4d1797eec..f78409a7b 100644 --- a/src/or/dos.c +++ b/src/or/dos.c @@ -11,6 +11,7 @@ #include "or.h" #include "channel.h" #include "config.h" +#include "crypto_rand.h" #include "geoip.h" #include "main.h" #include "networkstatus.h" diff --git a/src/or/entrynodes.c b/src/or/entrynodes.c index 2b6ff38c9..42a776fe4 100644 --- a/src/or/entrynodes.c +++ b/src/or/entrynodes.c @@ -123,6 +123,7 @@ #include "confparse.h" #include "connection.h" #include "control.h" +#include "crypto_rand.h" #include "directory.h" #include "entrynodes.h" #include "main.h" diff --git a/src/or/ext_orport.c b/src/or/ext_orport.c index 16a250fa5..8fff0f955 100644 --- a/src/or/ext_orport.c +++ b/src/or/ext_orport.c @@ -23,6 +23,8 @@ #include "ext_orport.h" #include "control.h" #include "config.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "main.h" #include "proto_ext_or.h" #include "util.h" diff --git a/src/or/hibernate.c b/src/or/hibernate.c index 7261cf800..2b50aa5f0 100644 --- a/src/or/hibernate.c +++ b/src/or/hibernate.c @@ -36,6 +36,7 @@ hibernating, phase 2: #include "connection_edge.h" #include "connection_or.h" #include "control.h" +#include "crypto_rand.h" #include "hibernate.h" #include "main.h" #include "router.h" diff --git a/src/or/hs_cache.c b/src/or/hs_cache.c index df53efd32..ecc845d17 100644 --- a/src/or/hs_cache.c +++ b/src/or/hs_cache.c @@ -11,6 +11,7 @@ #include "or.h" #include "config.h" +#include "crypto_util.h" #include "hs_ident.h" #include "hs_common.h" #include "hs_client.h" diff --git a/src/or/hs_cell.c b/src/or/hs_cell.c index ad92521d3..03273a44f 100644 --- a/src/or/hs_cell.c +++ b/src/or/hs_cell.c @@ -8,6 +8,7 @@ #include "or.h" #include "config.h" +#include "crypto_util.h" #include "rendservice.h" #include "replaycache.h" #include "util.h" diff --git a/src/or/hs_circuit.c b/src/or/hs_circuit.c index 3a674f622..38434fba3 100644 --- a/src/or/hs_circuit.c +++ b/src/or/hs_circuit.c @@ -13,6 +13,8 @@ #include "circuitlist.h" #include "circuituse.h" #include "config.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "nodelist.h" #include "policies.h" #include "relay.h" diff --git a/src/or/hs_client.c b/src/or/hs_client.c index 20963cd45..f07426052 100644 --- a/src/or/hs_client.c +++ b/src/or/hs_client.c @@ -13,6 +13,8 @@ #include "hs_ident.h" #include "connection_edge.h" #include "container.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "rendclient.h" #include "hs_descriptor.h" #include "hs_cache.h" diff --git a/src/or/hs_common.c b/src/or/hs_common.c index aa34b0e8f..5b0c4c07f 100644 --- a/src/or/hs_common.c +++ b/src/or/hs_common.c @@ -15,6 +15,8 @@ #include "config.h" #include "circuitbuild.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "networkstatus.h" #include "nodelist.h" #include "hs_cache.h" diff --git a/src/or/hs_control.c b/src/or/hs_control.c index 87b4e3fca..87c41bf96 100644 --- a/src/or/hs_control.c +++ b/src/or/hs_control.c @@ -8,6 +8,7 @@ #include "or.h" #include "control.h" +#include "crypto_util.h" #include "hs_common.h" #include "hs_control.h" #include "hs_descriptor.h" diff --git a/src/or/hs_descriptor.c b/src/or/hs_descriptor.c index 7388807bc..eb48cb060 100644 --- a/src/or/hs_descriptor.c +++ b/src/or/hs_descriptor.c @@ -59,6 +59,8 @@ #include "ed25519_cert.h" /* Trunnel interface. */ #include "hs_descriptor.h" #include "circuitbuild.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "parsecommon.h" #include "rendcache.h" #include "hs_cache.h" diff --git a/src/or/hs_descriptor.h b/src/or/hs_descriptor.h index 09979410e..8195c6efb 100644 --- a/src/or/hs_descriptor.h +++ b/src/or/hs_descriptor.h @@ -16,6 +16,7 @@ #include "container.h" #include "crypto.h" #include "crypto_ed25519.h" +#include "ed25519_cert.h" /* needed for trunnel */ #include "torcert.h" /* Trunnel */ diff --git a/src/or/hs_ident.c b/src/or/hs_ident.c index 0bce2f625..3603e329d 100644 --- a/src/or/hs_ident.c +++ b/src/or/hs_ident.c @@ -7,6 +7,7 @@ * subsytem. **/ +#include "crypto_util.h" #include "hs_ident.h" /* Return a newly allocated circuit identifier. The given public key is copied diff --git a/src/or/hs_ntor.c b/src/or/hs_ntor.c index a416bc46c..809fa83bb 100644 --- a/src/or/hs_ntor.c +++ b/src/or/hs_ntor.c @@ -25,6 +25,7 @@ */ #include "or.h" +#include "crypto_util.h" #include "hs_ntor.h" /* String constants used by the ntor HS protocol */ diff --git a/src/or/hs_service.c b/src/or/hs_service.c index ba8abc423..fdd5e449c 100644 --- a/src/or/hs_service.c +++ b/src/or/hs_service.c @@ -15,6 +15,8 @@ #include "circuituse.h" #include "config.h" #include "connection.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "directory.h" #include "main.h" #include "networkstatus.h" diff --git a/src/or/main.c b/src/or/main.c index a0d2ae075..b3f0a85cd 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -70,6 +70,7 @@ #include "control.h" #include "cpuworker.h" #include "crypto_s2k.h" +#include "crypto_rand.h" #include "directory.h" #include "dirserv.h" #include "dirvote.h" diff --git a/src/or/networkstatus.c b/src/or/networkstatus.c index 235b95b70..e223b6f1b 100644 --- a/src/or/networkstatus.c +++ b/src/or/networkstatus.c @@ -48,6 +48,8 @@ #include "connection_or.h" #include "consdiffmgr.h" #include "control.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "directory.h" #include "dirserv.h" #include "dirvote.h" diff --git a/src/or/onion.c b/src/or/onion.c index 0c88c4d7e..829be12ba 100644 --- a/src/or/onion.c +++ b/src/or/onion.c @@ -67,6 +67,7 @@ #include "circuitlist.h" #include "config.h" #include "cpuworker.h" +#include "crypto_util.h" #include "networkstatus.h" #include "onion.h" #include "onion_fast.h" diff --git a/src/or/onion_fast.c b/src/or/onion_fast.c index de9103b1f..9f9b2199d 100644 --- a/src/or/onion_fast.c +++ b/src/or/onion_fast.c @@ -29,6 +29,8 @@ #include "or.h" #include "onion_fast.h" +#include "crypto_rand.h" +#include "crypto_util.h" /** Release all state held in victim. */ void diff --git a/src/or/onion_ntor.c b/src/or/onion_ntor.c index 8ad876a58..02d43cb72 100644 --- a/src/or/onion_ntor.c +++ b/src/or/onion_ntor.c @@ -23,6 +23,7 @@ #define ONION_NTOR_PRIVATE #include "crypto.h" #include "crypto_digest.h" +#include "crypto_util.h" #include "onion_ntor.h" #include "torlog.h" #include "util.h" diff --git a/src/or/onion_tap.c b/src/or/onion_tap.c index c71fa236e..44737034f 100644 --- a/src/or/onion_tap.c +++ b/src/or/onion_tap.c @@ -29,6 +29,8 @@ #include "or.h" #include "config.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "onion_tap.h" #include "rephist.h" diff --git a/src/or/proto_socks.c b/src/or/proto_socks.c index 8700fe126..57a7d1cd6 100644 --- a/src/or/proto_socks.c +++ b/src/or/proto_socks.c @@ -9,6 +9,7 @@ #include "buffers.h" #include "control.h" #include "config.h" +#include "crypto_util.h" #include "ext_orport.h" #include "proto_socks.h" #include "reasons.h" diff --git a/src/or/relay.c b/src/or/relay.c index 5651579c3..96f43ca60 100644 --- a/src/or/relay.c +++ b/src/or/relay.c @@ -61,6 +61,8 @@ #include "connection_edge.h" #include "connection_or.h" #include "control.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "geoip.h" #include "hs_cache.h" #include "main.h" diff --git a/src/or/rendclient.c b/src/or/rendclient.c index 9a1b97c6d..61dde8869 100644 --- a/src/or/rendclient.c +++ b/src/or/rendclient.c @@ -15,6 +15,8 @@ #include "config.h" #include "connection.h" #include "connection_edge.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "directory.h" #include "hs_common.h" #include "hs_circuit.h" diff --git a/src/or/rendcommon.c b/src/or/rendcommon.c index 230da4be5..50ca04838 100644 --- a/src/or/rendcommon.c +++ b/src/or/rendcommon.c @@ -14,6 +14,8 @@ #include "circuitbuild.h" #include "config.h" #include "control.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "hs_common.h" #include "rendclient.h" #include "rendcommon.h" diff --git a/src/or/rendservice.c b/src/or/rendservice.c index cc2242977..91ee321bc 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -16,6 +16,8 @@ #include "circuituse.h" #include "config.h" #include "control.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "directory.h" #include "hs_common.h" #include "hs_config.h" diff --git a/src/or/rephist.c b/src/or/rephist.c index ac3e9f502..fe52d206c 100644 --- a/src/or/rephist.c +++ b/src/or/rephist.c @@ -78,6 +78,7 @@ #include "circuitlist.h" #include "circuituse.h" #include "config.h" +#include "crypto_rand.h" #include "networkstatus.h" #include "nodelist.h" #include "rephist.h" diff --git a/src/or/router.c b/src/or/router.c index e5996f665..c52831348 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -13,6 +13,8 @@ #include "config.h" #include "connection.h" #include "control.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "crypto_curve25519.h" #include "directory.h" #include "dirserv.h" diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c index 1933aaf4b..43460da8c 100644 --- a/src/or/routerkeys.c +++ b/src/or/routerkeys.c @@ -16,6 +16,7 @@ #include "or.h" #include "config.h" +#include "crypto_util.h" #include "router.h" #include "crypto_pwbox.h" #include "routerkeys.h" diff --git a/src/or/routerlist.c b/src/or/routerlist.c index bc3abb236..8793c64ed 100644 --- a/src/or/routerlist.c +++ b/src/or/routerlist.c @@ -99,6 +99,7 @@ #include "config.h" #include "connection.h" #include "control.h" +#include "crypto_rand.h" #include "directory.h" #include "dirserv.h" #include "dirvote.h" diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 79499f2e6..9967e139f 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -58,6 +58,7 @@ #include "or.h" #include "config.h" #include "circuitstats.h" +#include "crypto_util.h" #include "dirserv.h" #include "dirvote.h" #include "parsecommon.h" diff --git a/src/or/shared_random.c b/src/or/shared_random.c index 13416d6bc..745566877 100644 --- a/src/or/shared_random.c +++ b/src/or/shared_random.c @@ -91,6 +91,8 @@ #include "shared_random.h" #include "config.h" #include "confparse.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "dirvote.h" #include "networkstatus.h" #include "routerkeys.h" diff --git a/src/or/shared_random_state.c b/src/or/shared_random_state.c index 53782af59..80470e4e9 100644 --- a/src/or/shared_random_state.c +++ b/src/or/shared_random_state.c @@ -14,6 +14,7 @@ #include "shared_random.h" #include "config.h" #include "confparse.h" +#include "crypto_util.h" #include "dirvote.h" #include "networkstatus.h" #include "router.h" diff --git a/src/or/torcert.c b/src/or/torcert.c index 51935ddf7..1c5afd965 100644 --- a/src/or/torcert.c +++ b/src/or/torcert.c @@ -27,7 +27,7 @@ #include "or.h" #include "config.h" -#include "crypto.h" +#include "crypto_util.h" #include "torcert.h" #include "ed25519_cert.h" #include "torlog.h" diff --git a/src/test/bench.c b/src/test/bench.c index 92d7a244f..c99860acc 100644 --- a/src/test/bench.c +++ b/src/test/bench.c @@ -23,6 +23,7 @@ #include "crypto_curve25519.h" #include "onion_ntor.h" #include "crypto_ed25519.h" +#include "crypto_rand.h" #include "consdiff.h" #if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_PROCESS_CPUTIME_ID) diff --git a/src/test/rend_test_helpers.c b/src/test/rend_test_helpers.c index 095bfecf2..9ac3894b0 100644 --- a/src/test/rend_test_helpers.c +++ b/src/test/rend_test_helpers.c @@ -2,6 +2,7 @@ /* See LICENSE for licensing information */ #include "or.h" +#include "crypto_rand.h" #include "test.h" #include "rendcommon.h" #include "rend_test_helpers.h" diff --git a/src/test/test-memwipe.c b/src/test/test-memwipe.c index 89d946d50..aaaf2e7f6 100644 --- a/src/test/test-memwipe.c +++ b/src/test/test-memwipe.c @@ -7,7 +7,7 @@ #include #include -#include "crypto.h" +#include "crypto_util.h" #include "compat.h" #include "util.h" diff --git a/src/test/test-timers.c b/src/test/test-timers.c index a0b5b535c..a5c3a3b96 100644 --- a/src/test/test-timers.c +++ b/src/test/test-timers.c @@ -11,7 +11,7 @@ #include "compat.h" #include "compat_libevent.h" -#include "crypto.h" +#include "crypto_rand.h" #include "timers.h" #include "util.h" diff --git a/src/test/test.c b/src/test/test.c index db70a24fc..6fe0dc7a3 100644 --- a/src/test/test.c +++ b/src/test/test.c @@ -9,6 +9,7 @@ **/ #include "orconfig.h" +#include "crypto_rand.h" #include #ifdef HAVE_FCNTL_H diff --git a/src/test/test_address_set.c b/src/test/test_address_set.c index df022f539..f7441a649 100644 --- a/src/test/test_address_set.c +++ b/src/test/test_address_set.c @@ -2,6 +2,7 @@ /* See LICENSE for licensing information */ #include "or.h" +#include "crypto_rand.h" #include "address_set.h" #include "microdesc.h" #include "networkstatus.h" diff --git a/src/test/test_buffers.c b/src/test/test_buffers.c index 057d9fa2d..868f6a8ba 100644 --- a/src/test/test_buffers.c +++ b/src/test/test_buffers.c @@ -8,6 +8,7 @@ #include "or.h" #include "buffers.h" #include "buffers_tls.h" +#include "crypto_rand.h" #include "proto_http.h" #include "proto_socks.h" #include "test.h" diff --git a/src/test/test_cell_formats.c b/src/test/test_cell_formats.c index 88cdef383..54d971678 100644 --- a/src/test/test_cell_formats.c +++ b/src/test/test_cell_formats.c @@ -12,6 +12,7 @@ #include "connection_edge.h" #include "connection_or.h" #include "config.h" +#include "crypto_rand.h" #include "onion.h" #include "onion_tap.h" #include "onion_fast.h" diff --git a/src/test/test_channel.c b/src/test/test_channel.c index 812ec6c1a..d2ce94962 100644 --- a/src/test/test_channel.c +++ b/src/test/test_channel.c @@ -12,6 +12,7 @@ #include "circuitmux_ewma.h" /* For var_cell_free */ #include "connection_or.h" +#include "crypto_rand.h" /* For packed_cell stuff */ #define RELAY_PRIVATE #include "relay.h" diff --git a/src/test/test_consdiffmgr.c b/src/test/test_consdiffmgr.c index a9a4b6a98..3b91baca3 100644 --- a/src/test/test_consdiffmgr.c +++ b/src/test/test_consdiffmgr.c @@ -9,6 +9,7 @@ #include "consdiff.h" #include "consdiffmgr.h" #include "cpuworker.h" +#include "crypto_rand.h" #include "networkstatus.h" #include "routerparse.h" #include "workqueue.h" diff --git a/src/test/test_containers.c b/src/test/test_containers.c index c4dba7375..3fc3523af 100644 --- a/src/test/test_containers.c +++ b/src/test/test_containers.c @@ -5,6 +5,7 @@ #include "orconfig.h" #include "or.h" +#include "crypto_rand.h" #include "fp_pair.h" #include "test.h" diff --git a/src/test/test_crypto.c b/src/test/test_crypto.c index c8443fd3b..24eef156b 100644 --- a/src/test/test_crypto.c +++ b/src/test/test_crypto.c @@ -5,7 +5,7 @@ #include "orconfig.h" #define CRYPTO_CURVE25519_PRIVATE -#define CRYPTO_PRIVATE +#define CRYPTO_RAND_PRIVATE #include "or.h" #include "test.h" #include "aes.h" @@ -13,6 +13,7 @@ #include "siphash.h" #include "crypto_curve25519.h" #include "crypto_ed25519.h" +#include "crypto_rand.h" #include "ed25519_vectors.inc" /** Run unit tests for Diffie-Hellman functionality. */ diff --git a/src/test/test_crypto_openssl.c b/src/test/test_crypto_openssl.c index 090cb4242..a01627750 100644 --- a/src/test/test_crypto_openssl.c +++ b/src/test/test_crypto_openssl.c @@ -5,9 +5,9 @@ #include "orconfig.h" -#define CRYPTO_PRIVATE +#define CRYPTO_RAND_PRIVATE -#include "crypto.h" +#include "crypto_rand.h" #include "util.h" #include "util_format.h" #include "compat.h" diff --git a/src/test/test_crypto_slow.c b/src/test/test_crypto_slow.c index 2afb71ff5..0e1f5bd22 100644 --- a/src/test/test_crypto_slow.c +++ b/src/test/test_crypto_slow.c @@ -9,6 +9,7 @@ #include "test.h" #include "crypto_s2k.h" #include "crypto_pwbox.h" +#include "crypto_rand.h" #if defined(HAVE_LIBSCRYPT_H) && defined(HAVE_LIBSCRYPT_SCRYPT) #define HAVE_LIBSCRYPT diff --git a/src/test/test_dir.c b/src/test/test_dir.c index 5fac045b2..7d3b5344b 100644 --- a/src/test/test_dir.c +++ b/src/test/test_dir.c @@ -23,6 +23,7 @@ #include "config.h" #include "control.h" #include "crypto_ed25519.h" +#include "crypto_rand.h" #include "directory.h" #include "dirserv.h" #include "dirvote.h" diff --git a/src/test/test_dos.c b/src/test/test_dos.c index cb9d9e559..8ae967f3a 100644 --- a/src/test/test_dos.c +++ b/src/test/test_dos.c @@ -8,6 +8,7 @@ #include "or.h" #include "dos.h" #include "circuitlist.h" +#include "crypto_rand.h" #include "geoip.h" #include "channel.h" #include "microdesc.h" diff --git a/src/test/test_entrynodes.c b/src/test/test_entrynodes.c index 92a860360..85490d6bd 100644 --- a/src/test/test_entrynodes.c +++ b/src/test/test_entrynodes.c @@ -16,6 +16,7 @@ #include "circuitlist.h" #include "config.h" #include "confparse.h" +#include "crypto_rand.h" #include "directory.h" #include "entrynodes.h" #include "nodelist.h" diff --git a/src/test/test_extorport.c b/src/test/test_extorport.c index cadef257f..e05342cb8 100644 --- a/src/test/test_extorport.c +++ b/src/test/test_extorport.c @@ -10,6 +10,7 @@ #include "connection_or.h" #include "config.h" #include "control.h" +#include "crypto_rand.h" #include "ext_orport.h" #include "main.h" #include "test.h" diff --git a/src/test/test_helpers.c b/src/test/test_helpers.c index ab453d3bd..42e911431 100644 --- a/src/test/test_helpers.c +++ b/src/test/test_helpers.c @@ -18,6 +18,7 @@ #include "config.h" #include "confparse.h" #include "connection.h" +#include "crypto_rand.h" #include "main.h" #include "nodelist.h" #include "relay.h" diff --git a/src/test/test_hs_cell.c b/src/test/test_hs_cell.c index 1b3c788a6..5c5236b39 100644 --- a/src/test/test_hs_cell.c +++ b/src/test/test_hs_cell.c @@ -14,6 +14,7 @@ #include "log_test_helpers.h" #include "crypto_ed25519.h" +#include "crypto_rand.h" #include "hs_cell.h" #include "hs_intropoint.h" #include "hs_service.h" diff --git a/src/test/test_hs_common.c b/src/test/test_hs_common.c index 8c273c963..e5661ac86 100644 --- a/src/test/test_hs_common.c +++ b/src/test/test_hs_common.c @@ -17,6 +17,7 @@ #include "hs_test_helpers.h" #include "connection_edge.h" +#include "crypto_rand.h" #include "hs_common.h" #include "hs_client.h" #include "hs_service.h" diff --git a/src/test/test_hs_descriptor.c b/src/test/test_hs_descriptor.c index 388b85f97..988f77f2f 100644 --- a/src/test/test_hs_descriptor.c +++ b/src/test/test_hs_descriptor.c @@ -10,6 +10,7 @@ #include "crypto_ed25519.h" #include "crypto_digest.h" +#include "crypto_rand.h" #include "ed25519_cert.h" #include "or.h" #include "hs_descriptor.h" diff --git a/src/test/test_hs_intropoint.c b/src/test/test_hs_intropoint.c index fe3236c33..4253c9a38 100644 --- a/src/test/test_hs_intropoint.c +++ b/src/test/test_hs_intropoint.c @@ -13,7 +13,7 @@ #include "test.h" #include "log_test_helpers.h" -#include "crypto.h" +#include "crypto_rand.h" #include "or.h" #include "circuitlist.h" diff --git a/src/test/test_hs_service.c b/src/test/test_hs_service.c index de74fdb30..cad12481c 100644 --- a/src/test/test_hs_service.c +++ b/src/test/test_hs_service.c @@ -33,7 +33,7 @@ #include "circuitbuild.h" #include "circuitlist.h" #include "circuituse.h" -#include "crypto.h" +#include "crypto_rand.h" #include "dirvote.h" #include "networkstatus.h" #include "nodelist.h" diff --git a/src/test/test_nodelist.c b/src/test/test_nodelist.c index a873003d7..9499fd038 100644 --- a/src/test/test_nodelist.c +++ b/src/test/test_nodelist.c @@ -7,6 +7,7 @@ **/ #include "or.h" +#include "crypto_rand.h" #include "networkstatus.h" #include "nodelist.h" #include "torcert.h" diff --git a/src/test/test_oom.c b/src/test/test_oom.c index c172fe60c..abf889645 100644 --- a/src/test/test_oom.c +++ b/src/test/test_oom.c @@ -13,6 +13,7 @@ #include "compat_libevent.h" #include "connection.h" #include "config.h" +#include "crypto_rand.h" #include "relay.h" #include "test.h" #include "test_helpers.h" diff --git a/src/test/test_routerlist.c b/src/test/test_routerlist.c index c19d66ef9..e56a868e0 100644 --- a/src/test/test_routerlist.c +++ b/src/test/test_routerlist.c @@ -18,6 +18,7 @@ #include "connection.h" #include "container.h" #include "control.h" +#include "crypto_rand.h" #include "directory.h" #include "dirvote.h" #include "entrynodes.h" diff --git a/src/test/test_shared_random.c b/src/test/test_shared_random.c index 4fe9ee45f..7928518ef 100644 --- a/src/test/test_shared_random.c +++ b/src/test/test_shared_random.c @@ -9,6 +9,7 @@ #include "or.h" #include "test.h" #include "config.h" +#include "crypto_rand.h" #include "dirvote.h" #include "shared_random.h" #include "shared_random_state.h" diff --git a/src/test/test_storagedir.c b/src/test/test_storagedir.c index a27074c21..26606f9b6 100644 --- a/src/test/test_storagedir.c +++ b/src/test/test_storagedir.c @@ -2,6 +2,7 @@ /* See LICENSE for licensing information */ #include "or.h" +#include "crypto_rand.h" #include "storagedir.h" #include "test.h" diff --git a/src/test/test_util.c b/src/test/test_util.c index ce8567d9a..e3a9eca2d 100644 --- a/src/test/test_util.c +++ b/src/test/test_util.c @@ -12,6 +12,7 @@ #include "buffers.h" #include "config.h" #include "control.h" +#include "crypto_rand.h" #include "test.h" #include "memarea.h" #include "util_process.h" diff --git a/src/test/test_util_format.c b/src/test/test_util_format.c index 683d5fdac..10645fe11 100644 --- a/src/test/test_util_format.c +++ b/src/test/test_util_format.c @@ -6,6 +6,7 @@ #include "test.h" +#include "crypto_rand.h" #define UTIL_FORMAT_PRIVATE #include "util_format.h" diff --git a/src/test/test_workqueue.c b/src/test/test_workqueue.c index 2b0317371..972b655c1 100644 --- a/src/test/test_workqueue.c +++ b/src/test/test_workqueue.c @@ -7,8 +7,8 @@ #include "compat_threads.h" #include "onion.h" #include "workqueue.h" -#include "crypto.h" #include "crypto_curve25519.h" +#include "crypto_rand.h" #include "compat_libevent.h" #include diff --git a/src/test/testing_common.c b/src/test/testing_common.c index b9b36d96d..3e3b5a43f 100644 --- a/src/test/testing_common.c +++ b/src/test/testing_common.c @@ -12,6 +12,7 @@ #include "or.h" #include "control.h" #include "config.h" +#include "crypto_rand.h" #include "rephist.h" #include "backtrace.h" #include "test.h" diff --git a/src/test/testing_rsakeys.c b/src/test/testing_rsakeys.c index 7a24c0ed1..94d3db328 100644 --- a/src/test/testing_rsakeys.c +++ b/src/test/testing_rsakeys.c @@ -3,6 +3,7 @@ * Copyright (c) 2007-2017, The Tor Project, Inc. */ /* See LICENSE for licensing information */ +#include "crypto_rand.h" #include "orconfig.h" #include "or.h" #include "test.h" diff --git a/src/tools/tor-gencert.c b/src/tools/tor-gencert.c index 639a6fbc2..aafefdad7 100644 --- a/src/tools/tor-gencert.c +++ b/src/tools/tor-gencert.c @@ -40,6 +40,8 @@ ENABLE_GCC_WARNING(redundant-decls) #include "torlog.h" #include "crypto.h" #include "crypto_digest.h" +#include "crypto_rand.h" +#include "crypto_util.h" #include "address.h" #include "util_format.h" diff --git a/src/trunnel/trunnel-local.h b/src/trunnel/trunnel-local.h index b7c2ab98e..8aa6d0dda 100644 --- a/src/trunnel/trunnel-local.h +++ b/src/trunnel/trunnel-local.h @@ -4,7 +4,7 @@ #include "util.h" #include "compat.h" -#include "crypto.h" +#include "crypto_util.h" #define trunnel_malloc tor_malloc #define trunnel_calloc tor_calloc From 64e6551b8bb934335251c6965355660ec26e712d Mon Sep 17 00:00:00 2001 From: Isis Lovecruft Date: Fri, 6 Apr 2018 21:37:40 +0000 Subject: [PATCH 2/9] crypto: Remove unnecessary includes from src/common/crypto.[ch] * FIXES part of #24658: https://bugs.torproject.org/24658 --- src/common/crypto.c | 3 --- src/common/crypto.h | 3 --- 2 files changed, 6 deletions(-) diff --git a/src/common/crypto.c b/src/common/crypto.c index 8d5897e49..9c40243f8 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -36,14 +36,11 @@ DISABLE_GCC_WARNING(redundant-decls) #include -#include -#include #include #include #include #include #include -#include ENABLE_GCC_WARNING(redundant-decls) diff --git a/src/common/crypto.h b/src/common/crypto.h index 61a2952d2..dcec90314 100644 --- a/src/common/crypto.h +++ b/src/common/crypto.h @@ -17,13 +17,10 @@ #include #include "torint.h" -#include "testsupport.h" #include "compat.h" #include "util.h" #include "crypto_rsa.h" -#include "keccak-tiny/keccak-tiny.h" - /** Length of our symmetric cipher's keys of 128-bit. */ #define CIPHER_KEY_LEN 16 /** Length of our symmetric cipher's IV of 128-bit. */ From 88190026b3286b32ac22c1bbd999b7f1de2aa79f Mon Sep 17 00:00:00 2001 From: Isis Lovecruft Date: Fri, 6 Apr 2018 21:40:17 +0000 Subject: [PATCH 3/9] crypto: Alphabetise some #includes in /src/common/crypto*. * FIXES part of #24658: https://bugs.torproject.org/24658 --- src/common/crypto.c | 4 ++-- src/common/crypto_curve25519.c | 2 +- src/common/crypto_ed25519.c | 3 +-- src/common/crypto_format.c | 2 +- src/common/crypto_pwbox.c | 4 ++-- src/common/crypto_rsa.c | 6 +++--- src/common/crypto_s2k.c | 6 +++--- src/common/include.am | 6 +++--- 8 files changed, 16 insertions(+), 17 deletions(-) diff --git a/src/common/crypto.c b/src/common/crypto.c index 9c40243f8..ae7b519f9 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -23,14 +23,14 @@ #endif /* defined(_WIN32) */ #define CRYPTO_PRIVATE -#include "crypto.h" #include "compat_openssl.h" +#include "crypto.h" #include "crypto_curve25519.h" +#include "crypto_digest.h" #include "crypto_ed25519.h" #include "crypto_format.h" #include "crypto_rand.h" #include "crypto_rsa.h" -#include "crypto_digest.h" #include "crypto_util.h" DISABLE_GCC_WARNING(redundant-decls) diff --git a/src/common/crypto_curve25519.c b/src/common/crypto_curve25519.c index 0719c2f85..becd70669 100644 --- a/src/common/crypto_curve25519.c +++ b/src/common/crypto_curve25519.c @@ -23,8 +23,8 @@ #include "container.h" #include "crypto.h" #include "crypto_curve25519.h" -#include "crypto_format.h" #include "crypto_digest.h" +#include "crypto_format.h" #include "crypto_rand.h" #include "crypto_util.h" #include "util.h" diff --git a/src/common/crypto_ed25519.c b/src/common/crypto_ed25519.c index baddb77dd..25e0cd034 100644 --- a/src/common/crypto_ed25519.c +++ b/src/common/crypto_ed25519.c @@ -22,9 +22,8 @@ #endif #include "crypto.h" - -#include "crypto_digest.h" #include "crypto_curve25519.h" +#include "crypto_digest.h" #include "crypto_ed25519.h" #include "crypto_format.h" #include "crypto_rand.h" diff --git a/src/common/crypto_format.c b/src/common/crypto_format.c index c0cade2f5..a76203207 100644 --- a/src/common/crypto_format.c +++ b/src/common/crypto_format.c @@ -17,9 +17,9 @@ #include "container.h" #include "crypto.h" #include "crypto_curve25519.h" +#include "crypto_digest.h" #include "crypto_ed25519.h" #include "crypto_format.h" -#include "crypto_digest.h" #include "crypto_util.h" #include "util.h" #include "util_format.h" diff --git a/src/common/crypto_pwbox.c b/src/common/crypto_pwbox.c index e49ca226e..c2bd1d26c 100644 --- a/src/common/crypto_pwbox.c +++ b/src/common/crypto_pwbox.c @@ -9,10 +9,10 @@ */ #include "crypto.h" -#include "crypto_s2k.h" -#include "crypto_pwbox.h" #include "crypto_digest.h" +#include "crypto_pwbox.h" #include "crypto_rand.h" +#include "crypto_s2k.h" #include "crypto_util.h" #include "di_ops.h" #include "util.h" diff --git a/src/common/crypto_rsa.c b/src/common/crypto_rsa.c index 0e006b0eb..0a88b0e77 100644 --- a/src/common/crypto_rsa.c +++ b/src/common/crypto_rsa.c @@ -9,13 +9,13 @@ * \brief Block of functions related with RSA utilities and operations. **/ -#include "crypto_rsa.h" #include "crypto.h" -#include "compat_openssl.h" #include "crypto_curve25519.h" -#include "crypto_format.h" #include "crypto_digest.h" +#include "crypto_format.h" +#include "compat_openssl.h" #include "crypto_rand.h" +#include "crypto_rsa.h" #include "crypto_util.h" DISABLE_GCC_WARNING(redundant-decls) diff --git a/src/common/crypto_s2k.c b/src/common/crypto_s2k.c index 7d7f475b6..8543760ec 100644 --- a/src/common/crypto_s2k.c +++ b/src/common/crypto_s2k.c @@ -12,13 +12,13 @@ #define CRYPTO_S2K_PRIVATE -#include "crypto.h" -#include "util.h" #include "compat.h" -#include "crypto_s2k.h" +#include "crypto.h" #include "crypto_digest.h" #include "crypto_rand.h" +#include "crypto_s2k.h" #include "crypto_util.h" +#include "util.h" #include diff --git a/src/common/include.am b/src/common/include.am index f0cbd0e1d..81ae8fc27 100644 --- a/src/common/include.am +++ b/src/common/include.am @@ -115,12 +115,12 @@ LIBOR_CRYPTO_A_SRC = \ src/common/compress_zstd.c \ src/common/crypto.c \ src/common/crypto_digest.c \ - src/common/crypto_rsa.c \ + src/common/crypto_format.c \ src/common/crypto_openssl_mgt.c \ src/common/crypto_pwbox.c \ src/common/crypto_rand.c \ + src/common/crypto_rsa.c \ src/common/crypto_s2k.c \ - src/common/crypto_format.c \ src/common/crypto_util.c \ src/common/tortls.c \ src/common/crypto_curve25519.c \ @@ -173,9 +173,9 @@ COMMONHEADERS = \ src/common/crypto_ed25519.h \ src/common/crypto_format.h \ src/common/crypto_openssl_mgt.h \ - src/common/crypto_rsa.h \ src/common/crypto_pwbox.h \ src/common/crypto_rand.h \ + src/common/crypto_rsa.h \ src/common/crypto_s2k.h \ src/common/crypto_util.h \ src/common/di_ops.h \ From e32fc0806d07b0ff83978132c56f7cbd1a2ad2ce Mon Sep 17 00:00:00 2001 From: Isis Lovecruft Date: Fri, 6 Apr 2018 21:42:15 +0000 Subject: [PATCH 4/9] refactor: Alphabetise some includes in /src/or/*. --- src/or/addressmap.c | 2 +- src/or/ext_orport.c | 2 +- src/or/hs_client.c | 30 +++++++++++++++--------------- src/or/rendclient.c | 4 ++-- src/or/rendcommon.c | 6 +++--- src/or/routerparse.c | 16 ++++++++-------- 6 files changed, 30 insertions(+), 30 deletions(-) diff --git a/src/or/addressmap.c b/src/or/addressmap.c index f691ef9aa..3cd153307 100644 --- a/src/or/addressmap.c +++ b/src/or/addressmap.c @@ -23,8 +23,8 @@ #include "control.h" #include "crypto_rand.h" #include "dns.h" -#include "routerset.h" #include "nodelist.h" +#include "routerset.h" /** A client-side struct to remember requests to rewrite addresses * to new addresses. These structs are stored in the hash table diff --git a/src/or/ext_orport.c b/src/or/ext_orport.c index 8fff0f955..b842442ca 100644 --- a/src/or/ext_orport.c +++ b/src/or/ext_orport.c @@ -20,11 +20,11 @@ #include "or.h" #include "connection.h" #include "connection_or.h" -#include "ext_orport.h" #include "control.h" #include "config.h" #include "crypto_rand.h" #include "crypto_util.h" +#include "ext_orport.h" #include "main.h" #include "proto_ext_or.h" #include "util.h" diff --git a/src/or/hs_client.c b/src/or/hs_client.c index f07426052..26e8785d9 100644 --- a/src/or/hs_client.c +++ b/src/or/hs_client.c @@ -9,31 +9,31 @@ #define HS_CLIENT_PRIVATE #include "or.h" -#include "hs_circuit.h" -#include "hs_ident.h" +#include "circpathbias.h" +#include "circuitbuild.h" +#include "circuitlist.h" +#include "circuituse.h" +#include "config.h" +#include "connection.h" #include "connection_edge.h" #include "container.h" #include "crypto_rand.h" #include "crypto_util.h" -#include "rendclient.h" -#include "hs_descriptor.h" +#include "directory.h" #include "hs_cache.h" #include "hs_cell.h" -#include "config.h" -#include "directory.h" +#include "hs_circuit.h" #include "hs_client.h" #include "hs_control.h" +#include "hs_descriptor.h" +#include "hs_ident.h" +#include "hs_ntor.h" +#include "networkstatus.h" +#include "nodelist.h" +#include "reasons.h" +#include "rendclient.h" #include "router.h" #include "routerset.h" -#include "circuitlist.h" -#include "circuituse.h" -#include "connection.h" -#include "nodelist.h" -#include "circpathbias.h" -#include "hs_ntor.h" -#include "circuitbuild.h" -#include "networkstatus.h" -#include "reasons.h" /* Return a human-readable string for the client fetch status code. */ static const char * diff --git a/src/or/rendclient.c b/src/or/rendclient.c index 61dde8869..7ef12a4fa 100644 --- a/src/or/rendclient.c +++ b/src/or/rendclient.c @@ -15,12 +15,13 @@ #include "config.h" #include "connection.h" #include "connection_edge.h" +#include "control.h" #include "crypto_rand.h" #include "crypto_util.h" #include "directory.h" -#include "hs_common.h" #include "hs_circuit.h" #include "hs_client.h" +#include "hs_common.h" #include "main.h" #include "networkstatus.h" #include "nodelist.h" @@ -31,7 +32,6 @@ #include "router.h" #include "routerlist.h" #include "routerset.h" -#include "control.h" static extend_info_t *rend_client_get_random_intro_impl( const rend_cache_entry_t *rend_query, diff --git a/src/or/rendcommon.c b/src/or/rendcommon.c index 50ca04838..3a7dfe28f 100644 --- a/src/or/rendcommon.c +++ b/src/or/rendcommon.c @@ -16,18 +16,18 @@ #include "control.h" #include "crypto_rand.h" #include "crypto_util.h" +#include "hs_client.h" #include "hs_common.h" +#include "hs_intropoint.h" +#include "networkstatus.h" #include "rendclient.h" #include "rendcommon.h" #include "rendmid.h" -#include "hs_intropoint.h" -#include "hs_client.h" #include "rendservice.h" #include "rephist.h" #include "router.h" #include "routerlist.h" #include "routerparse.h" -#include "networkstatus.h" /** Return 0 if one and two are the same service ids, else -1 or 1 */ int diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 9967e139f..b00b1c636 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -56,27 +56,27 @@ #define ROUTERPARSE_PRIVATE #include "or.h" -#include "config.h" #include "circuitstats.h" +#include "config.h" #include "crypto_util.h" #include "dirserv.h" #include "dirvote.h" +#include "entrynodes.h" +#include "memarea.h" +#include "microdesc.h" +#include "networkstatus.h" #include "parsecommon.h" #include "policies.h" #include "protover.h" #include "rendcommon.h" -#include "router.h" -#include "routerlist.h" -#include "memarea.h" -#include "microdesc.h" -#include "networkstatus.h" #include "rephist.h" +#include "router.h" #include "routerkeys.h" +#include "routerlist.h" #include "routerparse.h" -#include "entrynodes.h" -#include "torcert.h" #include "sandbox.h" #include "shared_random.h" +#include "torcert.h" #undef log #include From 809f6fae848f53d2096bef1b2e99bcc929872e2a Mon Sep 17 00:00:00 2001 From: Isis Lovecruft Date: Fri, 6 Apr 2018 22:04:50 +0000 Subject: [PATCH 5/9] refactor: Remove unnecessary `#include "crypto.h"` throughout codebase. * FIXES part of #24658: https://bugs.torproject.org/24658 --- src/common/aes.c | 1 - src/common/crypto_curve25519.c | 1 - src/common/crypto_ed25519.c | 1 - src/common/crypto_format.c | 1 - src/ext/ed25519/ref10/randombytes.h | 2 +- src/or/hs_cache.h | 1 - src/or/hs_circuit.h | 1 - src/or/hs_ident.h | 1 - src/test/test_dir_common.c | 1 - 9 files changed, 1 insertion(+), 9 deletions(-) diff --git a/src/common/aes.c b/src/common/aes.c index 5d0841dfa..6033bbe1f 100644 --- a/src/common/aes.c +++ b/src/common/aes.c @@ -17,7 +17,6 @@ #endif #include -#include "crypto.h" #include "crypto_openssl_mgt.h" #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0) diff --git a/src/common/crypto_curve25519.c b/src/common/crypto_curve25519.c index becd70669..996d94c6e 100644 --- a/src/common/crypto_curve25519.c +++ b/src/common/crypto_curve25519.c @@ -21,7 +21,6 @@ #include #endif #include "container.h" -#include "crypto.h" #include "crypto_curve25519.h" #include "crypto_digest.h" #include "crypto_format.h" diff --git a/src/common/crypto_ed25519.c b/src/common/crypto_ed25519.c index 25e0cd034..9c13e3bdf 100644 --- a/src/common/crypto_ed25519.c +++ b/src/common/crypto_ed25519.c @@ -21,7 +21,6 @@ #include #endif -#include "crypto.h" #include "crypto_curve25519.h" #include "crypto_digest.h" #include "crypto_ed25519.h" diff --git a/src/common/crypto_format.c b/src/common/crypto_format.c index a76203207..460e85bac 100644 --- a/src/common/crypto_format.c +++ b/src/common/crypto_format.c @@ -15,7 +15,6 @@ #include #endif #include "container.h" -#include "crypto.h" #include "crypto_curve25519.h" #include "crypto_digest.h" #include "crypto_ed25519.h" diff --git a/src/ext/ed25519/ref10/randombytes.h b/src/ext/ed25519/ref10/randombytes.h index 8bf31631f..a21dde854 100644 --- a/src/ext/ed25519/ref10/randombytes.h +++ b/src/ext/ed25519/ref10/randombytes.h @@ -1,4 +1,4 @@ /* Added for Tor. */ -#include "crypto.h" +#include "crypto_rand.h" #define randombytes(b, n) \ (crypto_strongest_rand((b), (n)), 0) diff --git a/src/or/hs_cache.h b/src/or/hs_cache.h index a141634cc..0d0085ffd 100644 --- a/src/or/hs_cache.h +++ b/src/or/hs_cache.h @@ -11,7 +11,6 @@ #include -#include "crypto.h" #include "crypto_ed25519.h" #include "hs_common.h" #include "hs_descriptor.h" diff --git a/src/or/hs_circuit.h b/src/or/hs_circuit.h index 2f5beaa16..f69137e1d 100644 --- a/src/or/hs_circuit.h +++ b/src/or/hs_circuit.h @@ -10,7 +10,6 @@ #define TOR_HS_CIRCUIT_H #include "or.h" -#include "crypto.h" #include "crypto_ed25519.h" #include "hs_service.h" diff --git a/src/or/hs_ident.h b/src/or/hs_ident.h index 91ec389aa..8f9da30c3 100644 --- a/src/or/hs_ident.h +++ b/src/or/hs_ident.h @@ -21,7 +21,6 @@ #ifndef TOR_HS_IDENT_H #define TOR_HS_IDENT_H -#include "crypto.h" #include "crypto_ed25519.h" #include "hs_common.h" diff --git a/src/test/test_dir_common.c b/src/test/test_dir_common.c index fdf43533a..a353ddb79 100644 --- a/src/test/test_dir_common.c +++ b/src/test/test_dir_common.c @@ -5,7 +5,6 @@ #include "orconfig.h" #define DIRVOTE_PRIVATE -#include "crypto.h" #include "test.h" #include "container.h" #include "or.h" From f17ace1460f0de50f32d28e8086fe11032d8cb3f Mon Sep 17 00:00:00 2001 From: Isis Lovecruft Date: Wed, 18 Apr 2018 19:16:32 +0000 Subject: [PATCH 6/9] crypto: Move declaration of crypto_init_siphash_key() into crypto.h. On second thought, this is a global initialisation function and doesn't conceptually have much to do with getting/using randomnesses. --- src/common/crypto.h | 1 + src/common/crypto_rand.h | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/src/common/crypto.h b/src/common/crypto.h index dcec90314..c77355731 100644 --- a/src/common/crypto.h +++ b/src/common/crypto.h @@ -38,6 +38,7 @@ typedef struct aes_cnt_cipher crypto_cipher_t; typedef struct crypto_dh_t crypto_dh_t; /* global state */ +int crypto_init_siphash_key(void); int crypto_early_init(void) ATTR_WUR; int crypto_global_init(int hardwareAccel, const char *accelName, diff --git a/src/common/crypto_rand.h b/src/common/crypto_rand.h index c78195633..4eac94f57 100644 --- a/src/common/crypto_rand.h +++ b/src/common/crypto_rand.h @@ -29,7 +29,6 @@ uint64_t crypto_rand_uint64(uint64_t max); double crypto_rand_double(void); struct tor_weak_rng_t; void crypto_seed_weak_rng(struct tor_weak_rng_t *rng); -int crypto_init_siphash_key(void); char *crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix, const char *suffix); From 49639b282602c5389e30f906f535c29ddaa62308 Mon Sep 17 00:00:00 2001 From: Isis Lovecruft Date: Tue, 10 Apr 2018 19:05:42 +0000 Subject: [PATCH 7/9] rust: Expose our (P)RNGs in Rust and provide safe wrappers. * FIXES #24660: https://bugs.torproject.org/24660 --- src/rust/Cargo.lock | 18 +++ src/rust/Cargo.toml | 4 +- src/rust/external/crypto_rand.rs | 95 ++++++++++++++++ src/rust/external/lib.rs | 4 +- src/rust/rand/Cargo.toml | 24 ++++ src/rust/rand/lib.rs | 15 +++ src/rust/rand/prng.rs | 184 +++++++++++++++++++++++++++++++ src/rust/rand/rng.rs | 94 ++++++++++++++++ 8 files changed, 436 insertions(+), 2 deletions(-) create mode 100644 src/rust/external/crypto_rand.rs create mode 100644 src/rust/rand/Cargo.toml create mode 100644 src/rust/rand/lib.rs create mode 100644 src/rust/rand/prng.rs create mode 100644 src/rust/rand/rng.rs diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 91c0502c6..714e29edc 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -22,6 +22,23 @@ dependencies = [ "tor_util 0.0.1", ] +[[package]] +name = "rand" +version = "0.0.1" +dependencies = [ + "external 0.0.1", + "libc 0.2.39 (registry+https://github.com/rust-lang/crates.io-index)", + "rand_core 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)", + "tor_allocate 0.0.1", + "tor_log 0.1.0", + "tor_util 0.0.1", +] + +[[package]] +name = "rand_core" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" + [[package]] name = "smartlist" version = "0.0.1" @@ -63,3 +80,4 @@ dependencies = [ [metadata] "checksum libc 0.2.39 (registry+https://github.com/rust-lang/crates.io-index)" = "f54263ad99207254cf58b5f701ecb432c717445ea2ee8af387334bdd1a03fdff" +"checksum rand_core 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "0224284424a4b818387b58d59336c288f99b48f69681aa60cc681fe038bbca5d" diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 4ae8033eb..d47cd6422 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -1,6 +1,8 @@ [workspace] members = ["tor_util", "protover", "smartlist", "external", "tor_allocate", -"tor_rust", "tor_log"] +"tor_rust", "tor_log", + "rand", +] [profile.release] debug = true diff --git a/src/rust/external/crypto_rand.rs b/src/rust/external/crypto_rand.rs new file mode 100644 index 000000000..19b9ab281 --- /dev/null +++ b/src/rust/external/crypto_rand.rs @@ -0,0 +1,95 @@ +// Copyright (c) 2018, The Tor Project, Inc. +// Copyright (c) 2018, isis agora lovecruft +// See LICENSE for licensing information + +//! Bindings to external (P)RNG interfaces and utilities in +//! src/common/crypto_rand.[ch]. +//! +//! We wrap our C implementations in src/common/crypto_rand.[ch] here in order +//! to provide wrappers with native Rust types, and then provide more Rusty +//! types and and trait implementations in src/rust/crypto/rand/. + +use std::time::Duration; + +use libc::c_char; +use libc::c_double; +use libc::c_int; +use libc::c_uint; +use libc::c_void; +use libc::size_t; +use libc::time_t; +use libc::uint8_t; +use libc::uint64_t; + +extern "C" { + fn crypto_seed_rng() -> c_int; + fn crypto_strongest_rand(out: *mut uint8_t, out_len: size_t); + fn crypto_rand_time_range(min: time_t, max: time_t) -> time_t; + fn crypto_rand_double() -> c_double; + // fn crypto_random_hostname(min_rand_len: c_int, max_rand_len: c_int, + // prefix: *const c_char, suffix: *const c_char) -> *mut c_char; +} + +/// Seed OpenSSL's random number generator with bytes from the operating +/// system. +/// +/// # Returns +/// +/// `true` on success; `false` on failure. +pub fn c_tor_crypto_seed_rng() -> bool { + let ret: c_int; + + unsafe { + ret = crypto_seed_rng(); + } + match ret { + 0 => return true, + _ => return false, + } +} + +/// Fill the bytes of `dest` with strong random data. +pub fn c_tor_crypto_strongest_rand(dest: &mut [u8]) { + // We'll let the C side panic if the len is larger than + // MAX_STRONGEST_RAND_SIZE, rather than potentially panicking here. A + // paranoid caller should assert on the length of dest *before* calling this + // function. + unsafe { + crypto_strongest_rand(dest.as_mut_ptr(), dest.len() as size_t); + } +} + +/// Get a random time, in seconds since the Unix Epoch. +/// +/// # Returns +/// +/// A `std::time::Duration` of seconds since the Unix Epoch. +pub fn c_tor_crypto_rand_time_range(min: &Duration, max: &Duration) -> Duration { + let ret: time_t; + + unsafe { + ret = crypto_rand_time_range(min.as_secs() as time_t, max.as_secs() as time_t); + } + + Duration::from_secs(ret as u64) +} + +/// Return a pseudorandom 64-bit float, chosen uniformly from the range [0.0, 1.0). +pub fn c_tor_crypto_rand_double() -> f64 { + unsafe { + crypto_rand_double() + } +} + +#[cfg(test)] +mod test { + use super::*; + + #[test] + fn test_layout_tor_weak_rng_t() { + assert_eq!(::std::mem::size_of::(), 0usize, + concat!("Size of: ", stringify!(tor_weak_rng_t))); + assert_eq!(::std::mem::align_of::(), 1usize, + concat!("Alignment of ", stringify!(tor_weak_rng_t))); + } +} diff --git a/src/rust/external/lib.rs b/src/rust/external/lib.rs index 0af0d6452..5fd74cf4c 100644 --- a/src/rust/external/lib.rs +++ b/src/rust/external/lib.rs @@ -1,4 +1,4 @@ -//! Copyright (c) 2016-2017, The Tor Project, Inc. */ +//! Copyright (c) 2016-2018, The Tor Project, Inc. */ //! See LICENSE for licensing information */ //! Interface for external calls to tor C ABI @@ -9,6 +9,8 @@ extern crate libc; +mod crypto_rand; mod external; +pub use crypto_rand::*; pub use external::*; diff --git a/src/rust/rand/Cargo.toml b/src/rust/rand/Cargo.toml new file mode 100644 index 000000000..cab71afa7 --- /dev/null +++ b/src/rust/rand/Cargo.toml @@ -0,0 +1,24 @@ +# TODO: Note that this package should be merged into the "crypto" crate after #24659 is merged. + +[package] +authors = ["The Tor Project"] +version = "0.0.1" +name = "rand" +publish = false + +[features] +testing = ["tor_log/testing"] + +[dependencies] +libc = "=0.2.39" +rand_core = "=0.1.0" + +external = { path = "../external" } +tor_allocate = { path = "../tor_allocate" } +tor_log = { path = "../tor_log" } +tor_util = { path = "../tor_util" } + +[lib] +name = "rand" +path = "lib.rs" +crate_type = ["rlib", "staticlib"] diff --git a/src/rust/rand/lib.rs b/src/rust/rand/lib.rs new file mode 100644 index 000000000..ee034cf1f --- /dev/null +++ b/src/rust/rand/lib.rs @@ -0,0 +1,15 @@ +// Copyright (c) 2018, The Tor Project, Inc. +// Copyright (c) 2018, isis agora lovecruft +// See LICENSE for licensing information + +// External dependencies +extern crate rand_core; + +// Internal dependencies +extern crate external; +#[cfg(not(test))] +#[macro_use] +extern crate tor_log; + +pub mod rng; +pub mod prng; diff --git a/src/rust/rand/prng.rs b/src/rust/rand/prng.rs new file mode 100644 index 000000000..ed3f5161e --- /dev/null +++ b/src/rust/rand/prng.rs @@ -0,0 +1,184 @@ +// Copyright (c) 2018, The Tor Project, Inc. +// Copyright (c) 2018, isis agora lovecruft +// See LICENSE for licensing information + +//! Wrappers for Tor's pseudo-random number generator to provide implementations +//! of `rand_core` traits. + +use rand_core::impls; +#[cfg(test)] use rand_core::CryptoRng; +use rand_core::Error; +use rand_core::RngCore; +use rand_core::SeedableRng; + +/// A cryptographically-/insecure/ psuedo-random number generator based +/// on a mixed congruential generator. +/// +/// Specifically the PRNG state, `X`, is mutated by the following +/// discontinuous linear equation: +/// +/// ```text +/// X_{i} = (a X_{i-1} + b) mod n +/// ``` +/// +/// where, in our case, we reuse the same parameters as OpenBSD and glibc, +/// `a=1103515245`, `b=12345`, and `n=2147483647`, which should produce a +/// maximal period over the range `0..u32::MAX`. +/// +/// # Note +/// +/// We reimplement the C here, rather than wrapping it, as it's one line of +/// pure-Rust code (meaning it can also trivially be used in Rust tests without +/// running into potential linker issues), as opposed to a few lines of `unsafe` +/// calls to C. +/// +/// # Warning +/// +/// This should hopefully go without saying, but this PRNG is completely +/// insecure and should never be used for anything an adversary should be unable +/// to predict. +// +// C_RUST_COUPLED: `tor_weak_rng_t` /src/common/util.c +pub struct TorInsecurePrng { + state: u32, +} + +impl SeedableRng for TorInsecurePrng { + type Seed = [u8; 4]; + + /// Create a new PRNG from a random 32-bit seed. + // + // C_RUST_COUPLED: `tor_init_weak_random()` /src/common/util.c + fn from_seed(seed: Self::Seed) -> Self { + let mut combined: u32 = seed[0].to_le() as u32; + + // Rather than using std::mem::transmute, we'll just bitwise-OR them + // into each other. + combined = (seed[1].to_le() as u32) << 8 | combined; + combined = (seed[2].to_le() as u32) << 16 | combined; + combined = (seed[2].to_le() as u32) << 24 | combined; + + TorInsecurePrng{ state: (combined & 0x7fffffff).to_le() } + } +} + +impl TorInsecurePrng { + /// This is the equivalent function to `tor_weak_random()`. + // + // C_RUST_COUPLED: `tor_weak_random()` /src/common/util.c + pub fn next_i32(&mut self) -> i32 { + // The C code appears to purposefully overflow the 32-bit state integer. + self.state = (self.state.wrapping_mul(1103515245).wrapping_add(12345) & 0x7fffffff).to_le(); + self.state as i32 + } +} + + +impl RngCore for TorInsecurePrng { + // C_RUST_COUPLED: `tor_weak_random()` /src/common/util.c + fn next_u32(&mut self) -> u32 { + let x: u32 = self.next_i32() as u32; + let y: u32 = self.next_i32() as u32; + + // We have to add two samples together due to modding 0x7fffffff + x + y + } + + fn next_u64(&mut self) -> u64 { + impls::next_u64_via_u32(self) + } + + fn fill_bytes(&mut self, dest: &mut [u8]) { + impls::fill_bytes_via_u32(self, dest); + } + + fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Error> { + Ok(self.fill_bytes(dest)) + } +} + +/// If we're running tests, it's fine to pretend this PRNG is cryptographically +/// secure. (This allows us to test which require an implementation of +/// `CryptoRng` without actually initialising all the OpenSSL C code.) +#[cfg(test)] +impl CryptoRng for TorInsecurePrng {} + +#[cfg(test)] +mod test { + use super::*; + + #[test] + fn next_u32_shouldnt_return_same_number_twice_in_a_row() { + // This test will fail 1 out of 2^{64} times (5.42 e-20), but the + // probability of a particle radiating off a star and hitting your RAM + // is roughly 1.4 e-15 per byte of RAM per second, so if this fails, + // blame ~~Cosmic Rays~~ and not anyone named isis. + let mut prng: TorInsecurePrng = TorInsecurePrng::from_seed([0xDE, 0xAD, 0x15, 0x15]); + + let one: u32 = prng.next_u32(); + let two: u32 = prng.next_u32(); + + assert!(one != two); + } + + #[test] + fn next_u32_should_have_uniform_distribution_average() { + let mut prng: TorInsecurePrng = TorInsecurePrng::from_seed([0xDE, 0xAD, 0x15, 0x15]); + let mut accumulator: Vec = Vec::new(); + let n: u64 = 10_000; + + for _ in 0 .. n as usize { + accumulator.push(prng.next_u32()); + } + let total: u64 = accumulator.iter().fold(0, |acc,&x| acc + (x as u64)); + let average = total / n; + println!("average is {:?}", average); + + assert!(average <= 0x7fffffff + 0xf00000); + assert!(average >= 0x7fffffff - 0xf00000); + } + + #[test] + fn next_u32_shouldnt_have_bit_bias() { + // Since the modulus in the mixed congruential generator isn't a power + // of two, the bits should not have any statistical bias. + let mut prng: TorInsecurePrng = TorInsecurePrng::from_seed([0xDE, 0xAD, 0x15, 0x15]); + let mut accumulator: Vec = Vec::new(); + let n: u64 = 10_000; + + for _ in 0 .. n as usize { + accumulator.push(prng.next_u32().count_ones()); + } + let total: u64 = accumulator.iter().fold(0, |acc,&x| acc + (x as u64)); + let average = total / n; + println!("average is {:?}", average); + + assert!(average == 16); + } + + #[test] + fn next_u64_shouldnt_return_same_number_twice_in_a_row() { + // This test will fail 1 out of 2^{128} times (2.94 e-39), but the + // probability of a particle radiating off a star and hitting your RAM + // is roughly 1.4 e-15 per byte of RAM per second, so if this fails, + // blame ~~Cosmic Rays~~ and not anyone named isis. + let mut prng: TorInsecurePrng = TorInsecurePrng::from_seed([0xDE, 0xAD, 0x15, 0x15]); + + let one: u64 = prng.next_u64(); + let two: u64 = prng.next_u64(); + + assert!(one != two); + } + + #[test] + fn fill_bytes_shouldnt_leave_all_zeroes() { + // Again, 1 in 256^8 (5.42 e-20) chances this fails. + // ~~Cosmic Rays~~, I tell you. + let mut prng: TorInsecurePrng = TorInsecurePrng::from_seed([0xDE, 0xAD, 0x15, 0x15]); + let mut bytes: [u8; 8] = [0u8; 8]; + + prng.fill_bytes(&mut bytes); + + assert!(bytes != [0u8; 8]); + } +} diff --git a/src/rust/rand/rng.rs b/src/rust/rand/rng.rs new file mode 100644 index 000000000..a334f5f09 --- /dev/null +++ b/src/rust/rand/rng.rs @@ -0,0 +1,94 @@ +// Copyright (c) 2018, The Tor Project, Inc. +// Copyright (c) 2018, isis agora lovecruft +// See LICENSE for licensing information + +//! Wrappers for Tor's random number generator to provide implementations of +//! `rand_core` traits. + +// This is the real implementation, in use in production, which calls into our C +// wrappers in /src/common/crypto_rand.c, which call into OpenSSL, system +// libraries, and make syscalls. +#[cfg(not(test))] +mod internal { + use std::u64; + + use rand_core::CryptoRng; + use rand_core::Error; + use rand_core::RngCore; + use rand_core::impls::next_u32_via_fill; + use rand_core::impls::next_u64_via_fill; + + use external::c_tor_crypto_strongest_rand; + use external::c_tor_crypto_seed_rng; + + use tor_log::LogDomain; + use tor_log::LogSeverity; + + /// Largest strong entropy request permitted. + // + // C_RUST_COUPLED: `MAX_STRONGEST_RAND_SIZE` /src/common/crypto_rand.c + const MAX_STRONGEST_RAND_SIZE: usize = 256; + + /// A wrapper around OpenSSL's RNG. + pub struct TorRng { + // This private, zero-length field forces the struct to be treated the + // same as its opaque C couterpart. + _unused: [u8; 0], + } + + /// Mark `TorRng` as being suitable for cryptographic purposes. + impl CryptoRng for TorRng {} + + impl TorRng { + // C_RUST_COUPLED: `crypto_seed_rng()` /src/common/crypto_rand.c + #[allow(dead_code)] + fn new() -> Self { + if !c_tor_crypto_seed_rng() { + tor_log_msg!(LogSeverity::Warn, LogDomain::General, + "TorRng::from_seed()", + "The RNG could not be seeded!"); + } + // XXX also log success at info level —isis + TorRng{ _unused: [0u8; 0] } + } + } + + impl RngCore for TorRng { + // C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c + fn next_u32(&mut self) -> u32 { + next_u32_via_fill(self) + } + + // C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c + fn next_u64(&mut self) -> u64 { + next_u64_via_fill(self) + } + + // C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c + fn fill_bytes(&mut self, dest: &mut [u8]) { + debug_assert!(dest.len() <= MAX_STRONGEST_RAND_SIZE); + + c_tor_crypto_strongest_rand(dest); + } + + // C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c + fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Error> { + Ok(self.fill_bytes(dest)) + } + } +} + +// For testing, we expose the pure-Rust implementation of a +// cryptographically-insecure PRNG which mirrors the implementation of +// `tor_weak_rng_t` in C. +#[cfg(test)] +mod internal { + use prng::TorInsecurePrng; + + pub type TorRng = TorInsecurePrng; +} + +// Finally, expose the public functionality of whichever appropriate internal +// module. +pub use self::internal::*; + From b5013e841cf1501014ab23e14a4083c105e0d092 Mon Sep 17 00:00:00 2001 From: Isis Lovecruft Date: Wed, 18 Apr 2018 20:17:53 +0000 Subject: [PATCH 8/9] rust: Remove mirrored PRNG implementation. Once we need a PRNG, we'll likely want to change the dev-dependency on the rand crate to be a real dependency, and use rand::SmallRng as our PRNG. --- src/rust/Cargo.lock | 12 +++ src/rust/rand/Cargo.toml | 3 + src/rust/rand/lib.rs | 3 +- src/rust/rand/prng.rs | 184 --------------------------------------- src/rust/rand/rng.rs | 8 +- 5 files changed, 19 insertions(+), 191 deletions(-) delete mode 100644 src/rust/rand/prng.rs diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 714e29edc..1480cf796 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -28,12 +28,24 @@ version = "0.0.1" dependencies = [ "external 0.0.1", "libc 0.2.39 (registry+https://github.com/rust-lang/crates.io-index)", + "rand 0.5.0-pre.0", "rand_core 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)", "tor_allocate 0.0.1", "tor_log 0.1.0", "tor_util 0.0.1", ] +[[package]] +name = "rand" +version = "0.5.0-pre.0" +dependencies = [ + "rand_core 0.1.0", +] + +[[package]] +name = "rand_core" +version = "0.1.0" + [[package]] name = "rand_core" version = "0.1.0" diff --git a/src/rust/rand/Cargo.toml b/src/rust/rand/Cargo.toml index cab71afa7..1b73563c8 100644 --- a/src/rust/rand/Cargo.toml +++ b/src/rust/rand/Cargo.toml @@ -18,6 +18,9 @@ tor_allocate = { path = "../tor_allocate" } tor_log = { path = "../tor_log" } tor_util = { path = "../tor_util" } +[dev-dependencies] +rand = { version = "=0.5.0-pre.0", default-features = false, path = "../../ext/rust/vendor/rand-8c5b0ac51d" } + [lib] name = "rand" path = "lib.rs" diff --git a/src/rust/rand/lib.rs b/src/rust/rand/lib.rs index ee034cf1f..6b3058ad5 100644 --- a/src/rust/rand/lib.rs +++ b/src/rust/rand/lib.rs @@ -3,6 +3,8 @@ // See LICENSE for licensing information // External dependencies +#[cfg(test)] +extern crate rand; extern crate rand_core; // Internal dependencies @@ -12,4 +14,3 @@ extern crate external; extern crate tor_log; pub mod rng; -pub mod prng; diff --git a/src/rust/rand/prng.rs b/src/rust/rand/prng.rs deleted file mode 100644 index ed3f5161e..000000000 --- a/src/rust/rand/prng.rs +++ /dev/null @@ -1,184 +0,0 @@ -// Copyright (c) 2018, The Tor Project, Inc. -// Copyright (c) 2018, isis agora lovecruft -// See LICENSE for licensing information - -//! Wrappers for Tor's pseudo-random number generator to provide implementations -//! of `rand_core` traits. - -use rand_core::impls; -#[cfg(test)] use rand_core::CryptoRng; -use rand_core::Error; -use rand_core::RngCore; -use rand_core::SeedableRng; - -/// A cryptographically-/insecure/ psuedo-random number generator based -/// on a mixed congruential generator. -/// -/// Specifically the PRNG state, `X`, is mutated by the following -/// discontinuous linear equation: -/// -/// ```text -/// X_{i} = (a X_{i-1} + b) mod n -/// ``` -/// -/// where, in our case, we reuse the same parameters as OpenBSD and glibc, -/// `a=1103515245`, `b=12345`, and `n=2147483647`, which should produce a -/// maximal period over the range `0..u32::MAX`. -/// -/// # Note -/// -/// We reimplement the C here, rather than wrapping it, as it's one line of -/// pure-Rust code (meaning it can also trivially be used in Rust tests without -/// running into potential linker issues), as opposed to a few lines of `unsafe` -/// calls to C. -/// -/// # Warning -/// -/// This should hopefully go without saying, but this PRNG is completely -/// insecure and should never be used for anything an adversary should be unable -/// to predict. -// -// C_RUST_COUPLED: `tor_weak_rng_t` /src/common/util.c -pub struct TorInsecurePrng { - state: u32, -} - -impl SeedableRng for TorInsecurePrng { - type Seed = [u8; 4]; - - /// Create a new PRNG from a random 32-bit seed. - // - // C_RUST_COUPLED: `tor_init_weak_random()` /src/common/util.c - fn from_seed(seed: Self::Seed) -> Self { - let mut combined: u32 = seed[0].to_le() as u32; - - // Rather than using std::mem::transmute, we'll just bitwise-OR them - // into each other. - combined = (seed[1].to_le() as u32) << 8 | combined; - combined = (seed[2].to_le() as u32) << 16 | combined; - combined = (seed[2].to_le() as u32) << 24 | combined; - - TorInsecurePrng{ state: (combined & 0x7fffffff).to_le() } - } -} - -impl TorInsecurePrng { - /// This is the equivalent function to `tor_weak_random()`. - // - // C_RUST_COUPLED: `tor_weak_random()` /src/common/util.c - pub fn next_i32(&mut self) -> i32 { - // The C code appears to purposefully overflow the 32-bit state integer. - self.state = (self.state.wrapping_mul(1103515245).wrapping_add(12345) & 0x7fffffff).to_le(); - self.state as i32 - } -} - - -impl RngCore for TorInsecurePrng { - // C_RUST_COUPLED: `tor_weak_random()` /src/common/util.c - fn next_u32(&mut self) -> u32 { - let x: u32 = self.next_i32() as u32; - let y: u32 = self.next_i32() as u32; - - // We have to add two samples together due to modding 0x7fffffff - x + y - } - - fn next_u64(&mut self) -> u64 { - impls::next_u64_via_u32(self) - } - - fn fill_bytes(&mut self, dest: &mut [u8]) { - impls::fill_bytes_via_u32(self, dest); - } - - fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Error> { - Ok(self.fill_bytes(dest)) - } -} - -/// If we're running tests, it's fine to pretend this PRNG is cryptographically -/// secure. (This allows us to test which require an implementation of -/// `CryptoRng` without actually initialising all the OpenSSL C code.) -#[cfg(test)] -impl CryptoRng for TorInsecurePrng {} - -#[cfg(test)] -mod test { - use super::*; - - #[test] - fn next_u32_shouldnt_return_same_number_twice_in_a_row() { - // This test will fail 1 out of 2^{64} times (5.42 e-20), but the - // probability of a particle radiating off a star and hitting your RAM - // is roughly 1.4 e-15 per byte of RAM per second, so if this fails, - // blame ~~Cosmic Rays~~ and not anyone named isis. - let mut prng: TorInsecurePrng = TorInsecurePrng::from_seed([0xDE, 0xAD, 0x15, 0x15]); - - let one: u32 = prng.next_u32(); - let two: u32 = prng.next_u32(); - - assert!(one != two); - } - - #[test] - fn next_u32_should_have_uniform_distribution_average() { - let mut prng: TorInsecurePrng = TorInsecurePrng::from_seed([0xDE, 0xAD, 0x15, 0x15]); - let mut accumulator: Vec = Vec::new(); - let n: u64 = 10_000; - - for _ in 0 .. n as usize { - accumulator.push(prng.next_u32()); - } - let total: u64 = accumulator.iter().fold(0, |acc,&x| acc + (x as u64)); - let average = total / n; - println!("average is {:?}", average); - - assert!(average <= 0x7fffffff + 0xf00000); - assert!(average >= 0x7fffffff - 0xf00000); - } - - #[test] - fn next_u32_shouldnt_have_bit_bias() { - // Since the modulus in the mixed congruential generator isn't a power - // of two, the bits should not have any statistical bias. - let mut prng: TorInsecurePrng = TorInsecurePrng::from_seed([0xDE, 0xAD, 0x15, 0x15]); - let mut accumulator: Vec = Vec::new(); - let n: u64 = 10_000; - - for _ in 0 .. n as usize { - accumulator.push(prng.next_u32().count_ones()); - } - let total: u64 = accumulator.iter().fold(0, |acc,&x| acc + (x as u64)); - let average = total / n; - println!("average is {:?}", average); - - assert!(average == 16); - } - - #[test] - fn next_u64_shouldnt_return_same_number_twice_in_a_row() { - // This test will fail 1 out of 2^{128} times (2.94 e-39), but the - // probability of a particle radiating off a star and hitting your RAM - // is roughly 1.4 e-15 per byte of RAM per second, so if this fails, - // blame ~~Cosmic Rays~~ and not anyone named isis. - let mut prng: TorInsecurePrng = TorInsecurePrng::from_seed([0xDE, 0xAD, 0x15, 0x15]); - - let one: u64 = prng.next_u64(); - let two: u64 = prng.next_u64(); - - assert!(one != two); - } - - #[test] - fn fill_bytes_shouldnt_leave_all_zeroes() { - // Again, 1 in 256^8 (5.42 e-20) chances this fails. - // ~~Cosmic Rays~~, I tell you. - let mut prng: TorInsecurePrng = TorInsecurePrng::from_seed([0xDE, 0xAD, 0x15, 0x15]); - let mut bytes: [u8; 8] = [0u8; 8]; - - prng.fill_bytes(&mut bytes); - - assert!(bytes != [0u8; 8]); - } -} diff --git a/src/rust/rand/rng.rs b/src/rust/rand/rng.rs index a334f5f09..ea234492e 100644 --- a/src/rust/rand/rng.rs +++ b/src/rust/rand/rng.rs @@ -78,14 +78,10 @@ mod internal { } } -// For testing, we expose the pure-Rust implementation of a -// cryptographically-insecure PRNG which mirrors the implementation of -// `tor_weak_rng_t` in C. +// For testing, we expose a pure-Rust implementation. #[cfg(test)] mod internal { - use prng::TorInsecurePrng; - - pub type TorRng = TorInsecurePrng; + pub use rand::EntropyRng as TorRng; } // Finally, expose the public functionality of whichever appropriate internal From 94dcd38a1430061a0bb630ad680a41a78262a55c Mon Sep 17 00:00:00 2001 From: Isis Lovecruft Date: Wed, 2 May 2018 22:12:38 +0000 Subject: [PATCH 9/9] rust: Expose crypto_rand() as an impl of rand_core::RngCore. --- src/rust/external/crypto_rand.rs | 30 +++++++----------- src/rust/rand/rng.rs | 54 ++++++++++++++++++++++++++++++-- 2 files changed, 63 insertions(+), 21 deletions(-) diff --git a/src/rust/external/crypto_rand.rs b/src/rust/external/crypto_rand.rs index 19b9ab281..af1ade016 100644 --- a/src/rust/external/crypto_rand.rs +++ b/src/rust/external/crypto_rand.rs @@ -11,23 +11,18 @@ use std::time::Duration; -use libc::c_char; use libc::c_double; use libc::c_int; -use libc::c_uint; -use libc::c_void; use libc::size_t; use libc::time_t; use libc::uint8_t; -use libc::uint64_t; extern "C" { fn crypto_seed_rng() -> c_int; + fn crypto_rand(out: *mut uint8_t, out_len: size_t); fn crypto_strongest_rand(out: *mut uint8_t, out_len: size_t); fn crypto_rand_time_range(min: time_t, max: time_t) -> time_t; fn crypto_rand_double() -> c_double; - // fn crypto_random_hostname(min_rand_len: c_int, max_rand_len: c_int, - // prefix: *const c_char, suffix: *const c_char) -> *mut c_char; } /// Seed OpenSSL's random number generator with bytes from the operating @@ -48,7 +43,16 @@ pub fn c_tor_crypto_seed_rng() -> bool { } } -/// Fill the bytes of `dest` with strong random data. +/// Fill the bytes of `dest` with random data. +pub fn c_tor_crypto_rand(dest: &mut [u8]) { + unsafe { + crypto_rand(dest.as_mut_ptr(), dest.len() as size_t); + } +} + +/// Fill the bytes of `dest` with "strong" random data by hashing +/// together randomness obtained from OpenSSL's RNG and the operating +/// system. pub fn c_tor_crypto_strongest_rand(dest: &mut [u8]) { // We'll let the C side panic if the len is larger than // MAX_STRONGEST_RAND_SIZE, rather than potentially panicking here. A @@ -81,15 +85,3 @@ pub fn c_tor_crypto_rand_double() -> f64 { } } -#[cfg(test)] -mod test { - use super::*; - - #[test] - fn test_layout_tor_weak_rng_t() { - assert_eq!(::std::mem::size_of::(), 0usize, - concat!("Size of: ", stringify!(tor_weak_rng_t))); - assert_eq!(::std::mem::align_of::(), 1usize, - concat!("Alignment of ", stringify!(tor_weak_rng_t))); - } -} diff --git a/src/rust/rand/rng.rs b/src/rust/rand/rng.rs index ea234492e..cfd96c961 100644 --- a/src/rust/rand/rng.rs +++ b/src/rust/rand/rng.rs @@ -2,7 +2,7 @@ // Copyright (c) 2018, isis agora lovecruft // See LICENSE for licensing information -//! Wrappers for Tor's random number generator to provide implementations of +//! Wrappers for Tor's random number generators to provide implementations of //! `rand_core` traits. // This is the real implementation, in use in production, which calls into our C @@ -18,6 +18,7 @@ mod internal { use rand_core::impls::next_u32_via_fill; use rand_core::impls::next_u64_via_fill; + use external::c_tor_crypto_rand; use external::c_tor_crypto_strongest_rand; use external::c_tor_crypto_seed_rng; @@ -64,6 +65,53 @@ mod internal { next_u64_via_fill(self) } + // C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c + fn fill_bytes(&mut self, dest: &mut [u8]) { + c_tor_crypto_rand(dest); + } + + // C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c + fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Error> { + Ok(self.fill_bytes(dest)) + } + } + + /// A CSPRNG which hashes together randomness from OpenSSL's RNG and entropy + /// obtained from the operating system. + pub struct TorStrongestRng { + // This private, zero-length field forces the struct to be treated the + // same as its opaque C couterpart. + _unused: [u8; 0], + } + + /// Mark `TorRng` as being suitable for cryptographic purposes. + impl CryptoRng for TorStrongestRng {} + + impl TorStrongestRng { + // C_RUST_COUPLED: `crypto_seed_rng()` /src/common/crypto_rand.c + #[allow(dead_code)] + fn new() -> Self { + if !c_tor_crypto_seed_rng() { + tor_log_msg!(LogSeverity::Warn, LogDomain::General, + "TorStrongestRng::from_seed()", + "The RNG could not be seeded!"); + } + // XXX also log success at info level —isis + TorStrongestRng{ _unused: [0u8; 0] } + } + } + + impl RngCore for TorStrongestRng { + // C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c + fn next_u32(&mut self) -> u32 { + next_u32_via_fill(self) + } + + // C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c + fn next_u64(&mut self) -> u64 { + next_u64_via_fill(self) + } + // C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c fn fill_bytes(&mut self, dest: &mut [u8]) { debug_assert!(dest.len() <= MAX_STRONGEST_RAND_SIZE); @@ -81,7 +129,9 @@ mod internal { // For testing, we expose a pure-Rust implementation. #[cfg(test)] mod internal { - pub use rand::EntropyRng as TorRng; + // It doesn't matter if we pretend ChaCha is a CSPRNG in tests. + pub use rand::ChaChaRng as TorRng; + pub use rand::ChaChaRng as TorStrongestRng; } // Finally, expose the public functionality of whichever appropriate internal