
Make cbt_generate_sample use crypto_rand_double()

Possible workaround for bug 1139, if anybody cares.
Nick Mathewson 14 éve
b111a7cd9c
2 módosított fájl, 13 hozzáadás és 6 törlés
  1. 9 4
      src/common/crypto.c
  2. 4 2
      src/or/circuitbuild.c

+ 9 - 4
src/common/crypto.c

@@ -2065,10 +2065,15 @@ crypto_rand_double(void)
   /* We just use an unsigned int here; we don't really care about getting
    * more than 32 bits of resolution */
   unsigned int uint;
-  do {
-    crypto_rand((char*)&uint, sizeof(uint));
-  } while (uint == UINT_MAX);
-  return ((double)uint) / (double)UINT_MAX;
+  crypto_rand((char*)&uint, sizeof(uint));
+#if SIZEOF_INT == 4
+#define UINT_MAX_AS_DOUBLE 4294967296.0
+#elif SIZEOF_INT == 8
+#define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
+#else
+#error SIZEOF_INT is neither 4 nor 8
+#endif
+  return ((double)uint) / UINT_MAX_AS_DOUBLE;
 }
 
 /** Generate and return a new random hostname starting with <b>prefix</b>,
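Review bot: On the `SIZEOF_INT == 8` branch the new `return ((double)uint) / UINT_MAX_AS_DOUBLE;` can yield exactly 1.0: a double carries only 53 significant bits, so 64-bit values within 2^11 of UINT_MAX round up to 2^64 when converted and the quotient becomes 1.0, which is precisely what the removed `while (uint == UINT_MAX)` loop was guarding against (the function's doc comment is above the hunk, so I infer the [0,1) contract from that loop and from the caller's `u < 1.0` assertion). With 4-byte ints 2^32 is exactly representable and the result is strictly below 1.0, so only the 8-byte branch is affected. Since the comment at the top of the hunk says only 32 bits of resolution matter, the whole `#if`/`#define` block can go: `uint32_t uint;` / `crypto_rand((char*)&uint, sizeof(uint));` / `return ((double)uint) / 4294967296.0;` (assuming `uint32_t` is in scope here via torint.h). Either way the macro name misleads, because 4294967296.0 is UINT_MAX+1 rather than UINT_MAX, and a comment such as `/* 2^32 == UINT_MAX+1, so the quotient stays strictly below 1.0 */` would stop a later reader from reinstating the rejection loop. The `#define` is also placed inside the function body and never undefined; a file-scope definition near the other constants reads better.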

+ 4 - 2
src/or/circuitbuild.c

@@ -677,18 +677,20 @@ build_time_t
 circuit_build_times_generate_sample(circuit_build_times_t *cbt,
                                     double q_lo, double q_hi)
 {
-  uint64_t r = crypto_rand_uint64(UINT64_MAX-1);
+  double randval = crypto_rand_double();
   build_time_t ret;
   double u;
 
   /* Generate between [q_lo, q_hi) */
+  /*XXXX This is what nextafter is supposed to be for; we should use it on the
+   * platforms that support it. */
   q_hi -= 1.0/(INT32_MAX);
 
   tor_assert(q_lo >= 0);
   tor_assert(q_hi < 1);
   tor_assert(q_lo < q_hi);
 
-  u = q_lo + ((q_hi-q_lo)*r)/(1.0*UINT64_MAX);
+  u = q_lo + (q_hi-q_lo)*randval;
 
   tor_assert(0 <= u && u < 1.0);
   /* circuit_build_times_calculate_timeout returns <= INT32_MAX */
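Review bot: The new `u = q_lo + (q_hi-q_lo)*randval;` line leaves unstated why the `u < 1.0` assertion two lines below still holds: per the crypto.c hunk on this commit `randval` is in [0,1) with 32 bits of resolution, so mathematically u < q_hi, but the two roundings in that expression can push u to, or marginally past, q_hi, and it is the `q_hi -= 1.0/(INT32_MAX)` adjustment above that keeps u below 1.0. I would add `/* randval < 1.0, so u < q_hi up to floating-point rounding; the q_hi adjustment above keeps u < 1.0 even then */` before the assignment. As a point of style, `randval` is drawn on the first changed line, before the q_lo/q_hi assertions, so a failing assertion has already consumed randomness; declaring it next to `u` and calling `crypto_rand_double()` immediately before the assignment keeps the draw beside its only use. circuit_build_times_generate_sample continues past the hunk.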