mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-27 22:03:31 +01:00
crypto: Refactor (P)RNG functionality into new crypto_rand module.
* ADD new /src/common/crypto_rand.[ch] module. * ADD new /src/common/crypto_util.[ch] module (contains the memwipe() function, since all crypto_* modules need this). * FIXES part of #24658: https://bugs.torproject.org/24658
This commit is contained in:
parent
21c81348a3
commit
fe3aca1491
@ -15,7 +15,7 @@
|
|||||||
#include "address.h"
|
#include "address.h"
|
||||||
#include "compat.h"
|
#include "compat.h"
|
||||||
#include "container.h"
|
#include "container.h"
|
||||||
#include "crypto.h"
|
#include "crypto_rand.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "siphash.h"
|
#include "siphash.h"
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@
|
|||||||
#define COMPAT_LIBEVENT_PRIVATE
|
#define COMPAT_LIBEVENT_PRIVATE
|
||||||
#include "compat_libevent.h"
|
#include "compat_libevent.h"
|
||||||
|
|
||||||
#include "crypto.h"
|
#include "crypto_rand.h"
|
||||||
|
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "torlog.h"
|
#include "torlog.h"
|
||||||
|
@ -28,8 +28,10 @@
|
|||||||
#include "crypto_curve25519.h"
|
#include "crypto_curve25519.h"
|
||||||
#include "crypto_ed25519.h"
|
#include "crypto_ed25519.h"
|
||||||
#include "crypto_format.h"
|
#include "crypto_format.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "crypto_rsa.h"
|
#include "crypto_rsa.h"
|
||||||
#include "crypto_digest.h"
|
#include "crypto_digest.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
|
|
||||||
DISABLE_GCC_WARNING(redundant-decls)
|
DISABLE_GCC_WARNING(redundant-decls)
|
||||||
|
|
||||||
@ -38,7 +40,6 @@ DISABLE_GCC_WARNING(redundant-decls)
|
|||||||
#include <openssl/pem.h>
|
#include <openssl/pem.h>
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/engine.h>
|
#include <openssl/engine.h>
|
||||||
#include <openssl/rand.h>
|
|
||||||
#include <openssl/bn.h>
|
#include <openssl/bn.h>
|
||||||
#include <openssl/dh.h>
|
#include <openssl/dh.h>
|
||||||
#include <openssl/conf.h>
|
#include <openssl/conf.h>
|
||||||
@ -60,12 +61,6 @@ ENABLE_GCC_WARNING(redundant-decls)
|
|||||||
#ifdef HAVE_UNISTD_H
|
#ifdef HAVE_UNISTD_H
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#endif
|
#endif
|
||||||
#ifdef HAVE_FCNTL_H
|
|
||||||
#include <fcntl.h>
|
|
||||||
#endif
|
|
||||||
#ifdef HAVE_SYS_FCNTL_H
|
|
||||||
#include <sys/fcntl.h>
|
|
||||||
#endif
|
|
||||||
#ifdef HAVE_SYS_SYSCALL_H
|
#ifdef HAVE_SYS_SYSCALL_H
|
||||||
#include <sys/syscall.h>
|
#include <sys/syscall.h>
|
||||||
#endif
|
#endif
|
||||||
@ -84,12 +79,6 @@ ENABLE_GCC_WARNING(redundant-decls)
|
|||||||
|
|
||||||
#include "keccak-tiny/keccak-tiny.h"
|
#include "keccak-tiny/keccak-tiny.h"
|
||||||
|
|
||||||
/** Longest recognized */
|
|
||||||
#define MAX_DNS_LABEL_SIZE 63
|
|
||||||
|
|
||||||
/** Largest strong entropy request */
|
|
||||||
#define MAX_STRONGEST_RAND_SIZE 256
|
|
||||||
|
|
||||||
/** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
|
/** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
|
||||||
* while we're waiting for the second.*/
|
* while we're waiting for the second.*/
|
||||||
struct crypto_dh_t {
|
struct crypto_dh_t {
|
||||||
@ -162,23 +151,6 @@ try_load_engine(const char *path, const char *engine)
|
|||||||
}
|
}
|
||||||
#endif /* !defined(DISABLE_ENGINES) */
|
#endif /* !defined(DISABLE_ENGINES) */
|
||||||
|
|
||||||
/** Make sure that openssl is using its default PRNG. Return 1 if we had to
|
|
||||||
* adjust it; 0 otherwise. */
|
|
||||||
STATIC int
|
|
||||||
crypto_force_rand_ssleay(void)
|
|
||||||
{
|
|
||||||
RAND_METHOD *default_method;
|
|
||||||
default_method = RAND_OpenSSL();
|
|
||||||
if (RAND_get_rand_method() != default_method) {
|
|
||||||
log_notice(LD_CRYPTO, "It appears that one of our engines has provided "
|
|
||||||
"a replacement the OpenSSL RNG. Resetting it to the default "
|
|
||||||
"implementation.");
|
|
||||||
RAND_set_rand_method(default_method);
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int have_seeded_siphash = 0;
|
static int have_seeded_siphash = 0;
|
||||||
|
|
||||||
/** Set up the siphash key if we haven't already done so. */
|
/** Set up the siphash key if we haven't already done so. */
|
||||||
@ -1083,576 +1055,6 @@ crypto_dh_free_(crypto_dh_t *dh)
|
|||||||
tor_free(dh);
|
tor_free(dh);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* random numbers */
|
|
||||||
|
|
||||||
/** How many bytes of entropy we add at once.
|
|
||||||
*
|
|
||||||
* This is how much entropy OpenSSL likes to add right now, so maybe it will
|
|
||||||
* work for us too. */
|
|
||||||
#define ADD_ENTROPY 32
|
|
||||||
|
|
||||||
/** Set the seed of the weak RNG to a random value. */
|
|
||||||
void
|
|
||||||
crypto_seed_weak_rng(tor_weak_rng_t *rng)
|
|
||||||
{
|
|
||||||
unsigned seed;
|
|
||||||
crypto_rand((void*)&seed, sizeof(seed));
|
|
||||||
tor_init_weak_random(rng, seed);
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef TOR_UNIT_TESTS
|
|
||||||
int break_strongest_rng_syscall = 0;
|
|
||||||
int break_strongest_rng_fallback = 0;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
|
|
||||||
* via system calls, storing it into <b>out</b>. Return 0 on success, -1 on
|
|
||||||
* failure. A maximum request size of 256 bytes is imposed.
|
|
||||||
*/
|
|
||||||
static int
|
|
||||||
crypto_strongest_rand_syscall(uint8_t *out, size_t out_len)
|
|
||||||
{
|
|
||||||
tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
|
|
||||||
|
|
||||||
/* We only log at notice-level here because in the case that this function
|
|
||||||
* fails the crypto_strongest_rand_raw() caller will log with a warning-level
|
|
||||||
* message and let crypto_strongest_rand() error out and finally terminating
|
|
||||||
* Tor with an assertion error.
|
|
||||||
*/
|
|
||||||
|
|
||||||
#ifdef TOR_UNIT_TESTS
|
|
||||||
if (break_strongest_rng_syscall)
|
|
||||||
return -1;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(_WIN32)
|
|
||||||
static int provider_set = 0;
|
|
||||||
static HCRYPTPROV provider;
|
|
||||||
|
|
||||||
if (!provider_set) {
|
|
||||||
if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
|
|
||||||
CRYPT_VERIFYCONTEXT)) {
|
|
||||||
log_notice(LD_CRYPTO, "Unable to set Windows CryptoAPI provider [1].");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
provider_set = 1;
|
|
||||||
}
|
|
||||||
if (!CryptGenRandom(provider, out_len, out)) {
|
|
||||||
log_notice(LD_CRYPTO, "Unable get entropy from the Windows CryptoAPI.");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
#elif defined(__linux__) && defined(SYS_getrandom)
|
|
||||||
static int getrandom_works = 1; /* Be optimistic about our chances... */
|
|
||||||
|
|
||||||
/* getrandom() isn't as straightforward as getentropy(), and has
|
|
||||||
* no glibc wrapper.
|
|
||||||
*
|
|
||||||
* As far as I can tell from getrandom(2) and the source code, the
|
|
||||||
* requests we issue will always succeed (though it will block on the
|
|
||||||
* call if /dev/urandom isn't seeded yet), since we are NOT specifying
|
|
||||||
* GRND_NONBLOCK and the request is <= 256 bytes.
|
|
||||||
*
|
|
||||||
* The manpage is unclear on what happens if a signal interrupts the call
|
|
||||||
* while the request is blocked due to lack of entropy....
|
|
||||||
*
|
|
||||||
* We optimistically assume that getrandom() is available and functional
|
|
||||||
* because it is the way of the future, and 2 branch mispredicts pale in
|
|
||||||
* comparison to the overheads involved with failing to open
|
|
||||||
* /dev/srandom followed by opening and reading from /dev/urandom.
|
|
||||||
*/
|
|
||||||
if (PREDICT_LIKELY(getrandom_works)) {
|
|
||||||
long ret;
|
|
||||||
/* A flag of '0' here means to read from '/dev/urandom', and to
|
|
||||||
* block if insufficient entropy is available to service the
|
|
||||||
* request.
|
|
||||||
*/
|
|
||||||
const unsigned int flags = 0;
|
|
||||||
do {
|
|
||||||
ret = syscall(SYS_getrandom, out, out_len, flags);
|
|
||||||
} while (ret == -1 && ((errno == EINTR) ||(errno == EAGAIN)));
|
|
||||||
|
|
||||||
if (PREDICT_UNLIKELY(ret == -1)) {
|
|
||||||
/* LCOV_EXCL_START we can't actually make the syscall fail in testing. */
|
|
||||||
tor_assert(errno != EAGAIN);
|
|
||||||
tor_assert(errno != EINTR);
|
|
||||||
|
|
||||||
/* Useful log message for errno. */
|
|
||||||
if (errno == ENOSYS) {
|
|
||||||
log_notice(LD_CRYPTO, "Can't get entropy from getrandom()."
|
|
||||||
" You are running a version of Tor built to support"
|
|
||||||
" getrandom(), but the kernel doesn't implement this"
|
|
||||||
" function--probably because it is too old?"
|
|
||||||
" Trying fallback method instead.");
|
|
||||||
} else {
|
|
||||||
log_notice(LD_CRYPTO, "Can't get entropy from getrandom(): %s."
|
|
||||||
" Trying fallback method instead.",
|
|
||||||
strerror(errno));
|
|
||||||
}
|
|
||||||
|
|
||||||
getrandom_works = 0; /* Don't bother trying again. */
|
|
||||||
return -1;
|
|
||||||
/* LCOV_EXCL_STOP */
|
|
||||||
}
|
|
||||||
|
|
||||||
tor_assert(ret == (long)out_len);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
return -1; /* getrandom() previously failed unexpectedly. */
|
|
||||||
#elif defined(HAVE_GETENTROPY)
|
|
||||||
/* getentropy() is what Linux's getrandom() wants to be when it grows up.
|
|
||||||
* the only gotcha is that requests are limited to 256 bytes.
|
|
||||||
*/
|
|
||||||
return getentropy(out, out_len);
|
|
||||||
#else
|
|
||||||
(void) out;
|
|
||||||
#endif /* defined(_WIN32) || ... */
|
|
||||||
|
|
||||||
/* This platform doesn't have a supported syscall based random. */
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
|
|
||||||
* via the per-platform fallback mechanism, storing it into <b>out</b>.
|
|
||||||
* Return 0 on success, -1 on failure. A maximum request size of 256 bytes
|
|
||||||
* is imposed.
|
|
||||||
*/
|
|
||||||
static int
|
|
||||||
crypto_strongest_rand_fallback(uint8_t *out, size_t out_len)
|
|
||||||
{
|
|
||||||
#ifdef TOR_UNIT_TESTS
|
|
||||||
if (break_strongest_rng_fallback)
|
|
||||||
return -1;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef _WIN32
|
|
||||||
/* Windows exclusively uses crypto_strongest_rand_syscall(). */
|
|
||||||
(void)out;
|
|
||||||
(void)out_len;
|
|
||||||
return -1;
|
|
||||||
#else /* !(defined(_WIN32)) */
|
|
||||||
static const char *filenames[] = {
|
|
||||||
"/dev/srandom", "/dev/urandom", "/dev/random", NULL
|
|
||||||
};
|
|
||||||
int fd, i;
|
|
||||||
size_t n;
|
|
||||||
|
|
||||||
for (i = 0; filenames[i]; ++i) {
|
|
||||||
log_debug(LD_FS, "Considering %s as entropy source", filenames[i]);
|
|
||||||
fd = open(sandbox_intern_string(filenames[i]), O_RDONLY, 0);
|
|
||||||
if (fd<0) continue;
|
|
||||||
log_info(LD_CRYPTO, "Reading entropy from \"%s\"", filenames[i]);
|
|
||||||
n = read_all(fd, (char*)out, out_len, 0);
|
|
||||||
close(fd);
|
|
||||||
if (n != out_len) {
|
|
||||||
/* LCOV_EXCL_START
|
|
||||||
* We can't make /dev/foorandom actually fail. */
|
|
||||||
log_notice(LD_CRYPTO,
|
|
||||||
"Error reading from entropy source %s (read only %lu bytes).",
|
|
||||||
filenames[i],
|
|
||||||
(unsigned long)n);
|
|
||||||
return -1;
|
|
||||||
/* LCOV_EXCL_STOP */
|
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
return -1;
|
|
||||||
#endif /* defined(_WIN32) */
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
|
|
||||||
* storing it into <b>out</b>. Return 0 on success, -1 on failure. A maximum
|
|
||||||
* request size of 256 bytes is imposed.
|
|
||||||
*/
|
|
||||||
STATIC int
|
|
||||||
crypto_strongest_rand_raw(uint8_t *out, size_t out_len)
|
|
||||||
{
|
|
||||||
static const size_t sanity_min_size = 16;
|
|
||||||
static const int max_attempts = 3;
|
|
||||||
tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
|
|
||||||
|
|
||||||
/* For buffers >= 16 bytes (128 bits), we sanity check the output by
|
|
||||||
* zero filling the buffer and ensuring that it actually was at least
|
|
||||||
* partially modified.
|
|
||||||
*
|
|
||||||
* Checking that any individual byte is non-zero seems like it would
|
|
||||||
* fail too often (p = out_len * 1/256) for comfort, but this is an
|
|
||||||
* "adjust according to taste" sort of check.
|
|
||||||
*/
|
|
||||||
memwipe(out, 0, out_len);
|
|
||||||
for (int i = 0; i < max_attempts; i++) {
|
|
||||||
/* Try to use the syscall/OS favored mechanism to get strong entropy. */
|
|
||||||
if (crypto_strongest_rand_syscall(out, out_len) != 0) {
|
|
||||||
/* Try to use the less-favored mechanism to get strong entropy. */
|
|
||||||
if (crypto_strongest_rand_fallback(out, out_len) != 0) {
|
|
||||||
/* Welp, we tried. Hopefully the calling code terminates the process
|
|
||||||
* since we're basically boned without good entropy.
|
|
||||||
*/
|
|
||||||
log_warn(LD_CRYPTO,
|
|
||||||
"Cannot get strong entropy: no entropy source found.");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if ((out_len < sanity_min_size) || !tor_mem_is_zero((char*)out, out_len))
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* LCOV_EXCL_START
|
|
||||||
*
|
|
||||||
* We tried max_attempts times to fill a buffer >= 128 bits long,
|
|
||||||
* and each time it returned all '0's. Either the system entropy
|
|
||||||
* source is busted, or the user should go out and buy a ticket to
|
|
||||||
* every lottery on the planet.
|
|
||||||
*/
|
|
||||||
log_warn(LD_CRYPTO, "Strong OS entropy returned all zero buffer.");
|
|
||||||
|
|
||||||
return -1;
|
|
||||||
/* LCOV_EXCL_STOP */
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
|
|
||||||
* storing it into <b>out</b>.
|
|
||||||
*/
|
|
||||||
void
|
|
||||||
crypto_strongest_rand(uint8_t *out, size_t out_len)
|
|
||||||
{
|
|
||||||
#define DLEN SHA512_DIGEST_LENGTH
|
|
||||||
/* We're going to hash DLEN bytes from the system RNG together with some
|
|
||||||
* bytes from the openssl PRNG, in order to yield DLEN bytes.
|
|
||||||
*/
|
|
||||||
uint8_t inp[DLEN*2];
|
|
||||||
uint8_t tmp[DLEN];
|
|
||||||
tor_assert(out);
|
|
||||||
while (out_len) {
|
|
||||||
crypto_rand((char*) inp, DLEN);
|
|
||||||
if (crypto_strongest_rand_raw(inp+DLEN, DLEN) < 0) {
|
|
||||||
// LCOV_EXCL_START
|
|
||||||
log_err(LD_CRYPTO, "Failed to load strong entropy when generating an "
|
|
||||||
"important key. Exiting.");
|
|
||||||
/* Die with an assertion so we get a stack trace. */
|
|
||||||
tor_assert(0);
|
|
||||||
// LCOV_EXCL_STOP
|
|
||||||
}
|
|
||||||
if (out_len >= DLEN) {
|
|
||||||
SHA512(inp, sizeof(inp), out);
|
|
||||||
out += DLEN;
|
|
||||||
out_len -= DLEN;
|
|
||||||
} else {
|
|
||||||
SHA512(inp, sizeof(inp), tmp);
|
|
||||||
memcpy(out, tmp, out_len);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
memwipe(tmp, 0, sizeof(tmp));
|
|
||||||
memwipe(inp, 0, sizeof(inp));
|
|
||||||
#undef DLEN
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Seed OpenSSL's random number generator with bytes from the operating
|
|
||||||
* system. Return 0 on success, -1 on failure.
|
|
||||||
*/
|
|
||||||
int
|
|
||||||
crypto_seed_rng(void)
|
|
||||||
{
|
|
||||||
int rand_poll_ok = 0, load_entropy_ok = 0;
|
|
||||||
uint8_t buf[ADD_ENTROPY];
|
|
||||||
|
|
||||||
/* OpenSSL has a RAND_poll function that knows about more kinds of
|
|
||||||
* entropy than we do. We'll try calling that, *and* calling our own entropy
|
|
||||||
* functions. If one succeeds, we'll accept the RNG as seeded. */
|
|
||||||
rand_poll_ok = RAND_poll();
|
|
||||||
if (rand_poll_ok == 0)
|
|
||||||
log_warn(LD_CRYPTO, "RAND_poll() failed."); // LCOV_EXCL_LINE
|
|
||||||
|
|
||||||
load_entropy_ok = !crypto_strongest_rand_raw(buf, sizeof(buf));
|
|
||||||
if (load_entropy_ok) {
|
|
||||||
RAND_seed(buf, sizeof(buf));
|
|
||||||
}
|
|
||||||
|
|
||||||
memwipe(buf, 0, sizeof(buf));
|
|
||||||
|
|
||||||
if ((rand_poll_ok || load_entropy_ok) && RAND_status() == 1)
|
|
||||||
return 0;
|
|
||||||
else
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Write <b>n</b> bytes of strong random data to <b>to</b>. Supports mocking
|
|
||||||
* for unit tests.
|
|
||||||
*
|
|
||||||
* This function is not allowed to fail; if it would fail to generate strong
|
|
||||||
* entropy, it must terminate the process instead.
|
|
||||||
*/
|
|
||||||
MOCK_IMPL(void,
|
|
||||||
crypto_rand, (char *to, size_t n))
|
|
||||||
{
|
|
||||||
crypto_rand_unmocked(to, n);
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Write <b>n</b> bytes of strong random data to <b>to</b>. Most callers
|
|
||||||
* will want crypto_rand instead.
|
|
||||||
*
|
|
||||||
* This function is not allowed to fail; if it would fail to generate strong
|
|
||||||
* entropy, it must terminate the process instead.
|
|
||||||
*/
|
|
||||||
void
|
|
||||||
crypto_rand_unmocked(char *to, size_t n)
|
|
||||||
{
|
|
||||||
int r;
|
|
||||||
if (n == 0)
|
|
||||||
return;
|
|
||||||
|
|
||||||
tor_assert(n < INT_MAX);
|
|
||||||
tor_assert(to);
|
|
||||||
r = RAND_bytes((unsigned char*)to, (int)n);
|
|
||||||
/* We consider a PRNG failure non-survivable. Let's assert so that we get a
|
|
||||||
* stack trace about where it happened.
|
|
||||||
*/
|
|
||||||
tor_assert(r >= 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Return a pseudorandom integer, chosen uniformly from the values
|
|
||||||
* between 0 and <b>max</b>-1 inclusive. <b>max</b> must be between 1 and
|
|
||||||
* INT_MAX+1, inclusive. */
|
|
||||||
int
|
|
||||||
crypto_rand_int(unsigned int max)
|
|
||||||
{
|
|
||||||
unsigned int val;
|
|
||||||
unsigned int cutoff;
|
|
||||||
tor_assert(max <= ((unsigned int)INT_MAX)+1);
|
|
||||||
tor_assert(max > 0); /* don't div by 0 */
|
|
||||||
|
|
||||||
/* We ignore any values that are >= 'cutoff,' to avoid biasing the
|
|
||||||
* distribution with clipping at the upper end of unsigned int's
|
|
||||||
* range.
|
|
||||||
*/
|
|
||||||
cutoff = UINT_MAX - (UINT_MAX%max);
|
|
||||||
while (1) {
|
|
||||||
crypto_rand((char*)&val, sizeof(val));
|
|
||||||
if (val < cutoff)
|
|
||||||
return val % max;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Return a pseudorandom integer, chosen uniformly from the values i such
|
|
||||||
* that min <= i < max.
|
|
||||||
*
|
|
||||||
* <b>min</b> MUST be in range [0, <b>max</b>).
|
|
||||||
* <b>max</b> MUST be in range (min, INT_MAX].
|
|
||||||
*/
|
|
||||||
int
|
|
||||||
crypto_rand_int_range(unsigned int min, unsigned int max)
|
|
||||||
{
|
|
||||||
tor_assert(min < max);
|
|
||||||
tor_assert(max <= INT_MAX);
|
|
||||||
|
|
||||||
/* The overflow is avoided here because crypto_rand_int() returns a value
|
|
||||||
* between 0 and (max - min) inclusive. */
|
|
||||||
return min + crypto_rand_int(max - min);
|
|
||||||
}
|
|
||||||
|
|
||||||
/** As crypto_rand_int_range, but supports uint64_t. */
|
|
||||||
uint64_t
|
|
||||||
crypto_rand_uint64_range(uint64_t min, uint64_t max)
|
|
||||||
{
|
|
||||||
tor_assert(min < max);
|
|
||||||
return min + crypto_rand_uint64(max - min);
|
|
||||||
}
|
|
||||||
|
|
||||||
/** As crypto_rand_int_range, but supports time_t. */
|
|
||||||
time_t
|
|
||||||
crypto_rand_time_range(time_t min, time_t max)
|
|
||||||
{
|
|
||||||
tor_assert(min < max);
|
|
||||||
return min + (time_t)crypto_rand_uint64(max - min);
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Return a pseudorandom 64-bit integer, chosen uniformly from the values
|
|
||||||
* between 0 and <b>max</b>-1 inclusive. */
|
|
||||||
uint64_t
|
|
||||||
crypto_rand_uint64(uint64_t max)
|
|
||||||
{
|
|
||||||
uint64_t val;
|
|
||||||
uint64_t cutoff;
|
|
||||||
tor_assert(max < UINT64_MAX);
|
|
||||||
tor_assert(max > 0); /* don't div by 0 */
|
|
||||||
|
|
||||||
/* We ignore any values that are >= 'cutoff,' to avoid biasing the
|
|
||||||
* distribution with clipping at the upper end of unsigned int's
|
|
||||||
* range.
|
|
||||||
*/
|
|
||||||
cutoff = UINT64_MAX - (UINT64_MAX%max);
|
|
||||||
while (1) {
|
|
||||||
crypto_rand((char*)&val, sizeof(val));
|
|
||||||
if (val < cutoff)
|
|
||||||
return val % max;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Return a pseudorandom double d, chosen uniformly from the range
|
|
||||||
* 0.0 <= d < 1.0.
|
|
||||||
*/
|
|
||||||
double
|
|
||||||
crypto_rand_double(void)
|
|
||||||
{
|
|
||||||
/* We just use an unsigned int here; we don't really care about getting
|
|
||||||
* more than 32 bits of resolution */
|
|
||||||
unsigned int u;
|
|
||||||
crypto_rand((char*)&u, sizeof(u));
|
|
||||||
#if SIZEOF_INT == 4
|
|
||||||
#define UINT_MAX_AS_DOUBLE 4294967296.0
|
|
||||||
#elif SIZEOF_INT == 8
|
|
||||||
#define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
|
|
||||||
#else
|
|
||||||
#error SIZEOF_INT is neither 4 nor 8
|
|
||||||
#endif /* SIZEOF_INT == 4 || ... */
|
|
||||||
return ((double)u) / UINT_MAX_AS_DOUBLE;
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Generate and return a new random hostname starting with <b>prefix</b>,
|
|
||||||
* ending with <b>suffix</b>, and containing no fewer than
|
|
||||||
* <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
|
|
||||||
* characters. Does not check for failure.
|
|
||||||
*
|
|
||||||
* Clip <b>max_rand_len</b> to MAX_DNS_LABEL_SIZE.
|
|
||||||
**/
|
|
||||||
char *
|
|
||||||
crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix,
|
|
||||||
const char *suffix)
|
|
||||||
{
|
|
||||||
char *result, *rand_bytes;
|
|
||||||
int randlen, rand_bytes_len;
|
|
||||||
size_t resultlen, prefixlen;
|
|
||||||
|
|
||||||
if (max_rand_len > MAX_DNS_LABEL_SIZE)
|
|
||||||
max_rand_len = MAX_DNS_LABEL_SIZE;
|
|
||||||
if (min_rand_len > max_rand_len)
|
|
||||||
min_rand_len = max_rand_len;
|
|
||||||
|
|
||||||
randlen = crypto_rand_int_range(min_rand_len, max_rand_len+1);
|
|
||||||
|
|
||||||
prefixlen = strlen(prefix);
|
|
||||||
resultlen = prefixlen + strlen(suffix) + randlen + 16;
|
|
||||||
|
|
||||||
rand_bytes_len = ((randlen*5)+7)/8;
|
|
||||||
if (rand_bytes_len % 5)
|
|
||||||
rand_bytes_len += 5 - (rand_bytes_len%5);
|
|
||||||
rand_bytes = tor_malloc(rand_bytes_len);
|
|
||||||
crypto_rand(rand_bytes, rand_bytes_len);
|
|
||||||
|
|
||||||
result = tor_malloc(resultlen);
|
|
||||||
memcpy(result, prefix, prefixlen);
|
|
||||||
base32_encode(result+prefixlen, resultlen-prefixlen,
|
|
||||||
rand_bytes, rand_bytes_len);
|
|
||||||
tor_free(rand_bytes);
|
|
||||||
strlcpy(result+prefixlen+randlen, suffix, resultlen-(prefixlen+randlen));
|
|
||||||
|
|
||||||
return result;
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
|
|
||||||
* is empty. */
|
|
||||||
void *
|
|
||||||
smartlist_choose(const smartlist_t *sl)
|
|
||||||
{
|
|
||||||
int len = smartlist_len(sl);
|
|
||||||
if (len)
|
|
||||||
return smartlist_get(sl,crypto_rand_int(len));
|
|
||||||
return NULL; /* no elements to choose from */
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Scramble the elements of <b>sl</b> into a random order. */
|
|
||||||
void
|
|
||||||
smartlist_shuffle(smartlist_t *sl)
|
|
||||||
{
|
|
||||||
int i;
|
|
||||||
/* From the end of the list to the front, choose at random from the
|
|
||||||
positions we haven't looked at yet, and swap that position into the
|
|
||||||
current position. Remember to give "no swap" the same probability as
|
|
||||||
any other swap. */
|
|
||||||
for (i = smartlist_len(sl)-1; i > 0; --i) {
|
|
||||||
int j = crypto_rand_int(i+1);
|
|
||||||
smartlist_swap(sl, i, j);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Destroy the <b>sz</b> bytes of data stored at <b>mem</b>, setting them to
|
|
||||||
* the value <b>byte</b>.
|
|
||||||
* If <b>mem</b> is NULL or <b>sz</b> is zero, nothing happens.
|
|
||||||
*
|
|
||||||
* This function is preferable to memset, since many compilers will happily
|
|
||||||
* optimize out memset() when they can convince themselves that the data being
|
|
||||||
* cleared will never be read.
|
|
||||||
*
|
|
||||||
* Right now, our convention is to use this function when we are wiping data
|
|
||||||
* that's about to become inaccessible, such as stack buffers that are about
|
|
||||||
* to go out of scope or structures that are about to get freed. (In
|
|
||||||
* practice, it appears that the compilers we're currently using will optimize
|
|
||||||
* out the memset()s for stack-allocated buffers, but not those for
|
|
||||||
* about-to-be-freed structures. That could change, though, so we're being
|
|
||||||
* wary.) If there are live reads for the data, then you can just use
|
|
||||||
* memset().
|
|
||||||
*/
|
|
||||||
void
|
|
||||||
memwipe(void *mem, uint8_t byte, size_t sz)
|
|
||||||
{
|
|
||||||
if (sz == 0) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
/* If sz is nonzero, then mem must not be NULL. */
|
|
||||||
tor_assert(mem != NULL);
|
|
||||||
|
|
||||||
/* Data this large is likely to be an underflow. */
|
|
||||||
tor_assert(sz < SIZE_T_CEILING);
|
|
||||||
|
|
||||||
/* Because whole-program-optimization exists, we may not be able to just
|
|
||||||
* have this function call "memset". A smart compiler could inline it, then
|
|
||||||
* eliminate dead memsets, and declare itself to be clever. */
|
|
||||||
|
|
||||||
#if defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY)
|
|
||||||
/* Here's what you do on windows. */
|
|
||||||
SecureZeroMemory(mem,sz);
|
|
||||||
#elif defined(HAVE_RTLSECUREZEROMEMORY)
|
|
||||||
RtlSecureZeroMemory(mem,sz);
|
|
||||||
#elif defined(HAVE_EXPLICIT_BZERO)
|
|
||||||
/* The BSDs provide this. */
|
|
||||||
explicit_bzero(mem, sz);
|
|
||||||
#elif defined(HAVE_MEMSET_S)
|
|
||||||
/* This is in the C99 standard. */
|
|
||||||
memset_s(mem, sz, 0, sz);
|
|
||||||
#else
|
|
||||||
/* This is a slow and ugly function from OpenSSL that fills 'mem' with junk
|
|
||||||
* based on the pointer value, then uses that junk to update a global
|
|
||||||
* variable. It's an elaborate ruse to trick the compiler into not
|
|
||||||
* optimizing out the "wipe this memory" code. Read it if you like zany
|
|
||||||
* programming tricks! In later versions of Tor, we should look for better
|
|
||||||
* not-optimized-out memory wiping stuff...
|
|
||||||
*
|
|
||||||
* ...or maybe not. In practice, there are pure-asm implementations of
|
|
||||||
* OPENSSL_cleanse() on most platforms, which ought to do the job.
|
|
||||||
**/
|
|
||||||
|
|
||||||
OPENSSL_cleanse(mem, sz);
|
|
||||||
#endif /* defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY) || ... */
|
|
||||||
|
|
||||||
/* Just in case some caller of memwipe() is relying on getting a buffer
|
|
||||||
* filled with a particular value, fill the buffer.
|
|
||||||
*
|
|
||||||
* If this function gets inlined, this memset might get eliminated, but
|
|
||||||
* that's okay: We only care about this particular memset in the case where
|
|
||||||
* the caller should have been using memset(), and the memset() wouldn't get
|
|
||||||
* eliminated. In other words, this is here so that we won't break anything
|
|
||||||
* if somebody accidentally calls memwipe() instead of memset().
|
|
||||||
**/
|
|
||||||
memset(mem, byte, sz);
|
|
||||||
}
|
|
||||||
|
|
||||||
/** @{ */
|
/** @{ */
|
||||||
/** Uninitialize the crypto library. Return 0 on success. Does not detect
|
/** Uninitialize the crypto library. Return 0 on success. Does not detect
|
||||||
* failure.
|
* failure.
|
||||||
|
@ -105,31 +105,6 @@ int crypto_expand_key_material_rfc5869_sha256(
|
|||||||
const uint8_t *info_in, size_t info_in_len,
|
const uint8_t *info_in, size_t info_in_len,
|
||||||
uint8_t *key_out, size_t key_out_len);
|
uint8_t *key_out, size_t key_out_len);
|
||||||
|
|
||||||
/* random numbers */
|
|
||||||
int crypto_seed_rng(void) ATTR_WUR;
|
|
||||||
MOCK_DECL(void,crypto_rand,(char *to, size_t n));
|
|
||||||
void crypto_rand_unmocked(char *to, size_t n);
|
|
||||||
void crypto_strongest_rand(uint8_t *out, size_t out_len);
|
|
||||||
int crypto_rand_int(unsigned int max);
|
|
||||||
int crypto_rand_int_range(unsigned int min, unsigned int max);
|
|
||||||
uint64_t crypto_rand_uint64_range(uint64_t min, uint64_t max);
|
|
||||||
time_t crypto_rand_time_range(time_t min, time_t max);
|
|
||||||
uint64_t crypto_rand_uint64(uint64_t max);
|
|
||||||
double crypto_rand_double(void);
|
|
||||||
struct tor_weak_rng_t;
|
|
||||||
void crypto_seed_weak_rng(struct tor_weak_rng_t *rng);
|
|
||||||
int crypto_init_siphash_key(void);
|
|
||||||
|
|
||||||
char *crypto_random_hostname(int min_rand_len, int max_rand_len,
|
|
||||||
const char *prefix, const char *suffix);
|
|
||||||
|
|
||||||
struct smartlist_t;
|
|
||||||
void *smartlist_choose(const struct smartlist_t *sl);
|
|
||||||
void smartlist_shuffle(struct smartlist_t *sl);
|
|
||||||
|
|
||||||
/** OpenSSL-based utility functions. */
|
|
||||||
void memwipe(void *mem, uint8_t byte, size_t sz);
|
|
||||||
|
|
||||||
/* Prototypes for private functions only used by tortls.c, crypto.c, and the
|
/* Prototypes for private functions only used by tortls.c, crypto.c, and the
|
||||||
* unit tests. */
|
* unit tests. */
|
||||||
struct dh_st;
|
struct dh_st;
|
||||||
@ -137,16 +112,5 @@ struct dh_st *crypto_dh_get_dh_(crypto_dh_t *dh);
|
|||||||
|
|
||||||
void crypto_add_spaces_to_fp(char *out, size_t outlen, const char *in);
|
void crypto_add_spaces_to_fp(char *out, size_t outlen, const char *in);
|
||||||
|
|
||||||
#ifdef CRYPTO_PRIVATE
|
|
||||||
|
|
||||||
STATIC int crypto_force_rand_ssleay(void);
|
|
||||||
STATIC int crypto_strongest_rand_raw(uint8_t *out, size_t out_len);
|
|
||||||
|
|
||||||
#ifdef TOR_UNIT_TESTS
|
|
||||||
extern int break_strongest_rng_syscall;
|
|
||||||
extern int break_strongest_rng_fallback;
|
|
||||||
#endif
|
|
||||||
#endif /* defined(CRYPTO_PRIVATE) */
|
|
||||||
|
|
||||||
#endif /* !defined(TOR_CRYPTO_H) */
|
#endif /* !defined(TOR_CRYPTO_H) */
|
||||||
|
|
||||||
|
@ -25,6 +25,8 @@
|
|||||||
#include "crypto_curve25519.h"
|
#include "crypto_curve25519.h"
|
||||||
#include "crypto_format.h"
|
#include "crypto_format.h"
|
||||||
#include "crypto_digest.h"
|
#include "crypto_digest.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "torlog.h"
|
#include "torlog.h"
|
||||||
|
|
||||||
|
@ -10,10 +10,13 @@
|
|||||||
* operations.
|
* operations.
|
||||||
**/
|
**/
|
||||||
|
|
||||||
|
#include "container.h"
|
||||||
#include "crypto_digest.h"
|
#include "crypto_digest.h"
|
||||||
|
|
||||||
#include "crypto.h" /* common functions */
|
|
||||||
#include "crypto_openssl_mgt.h"
|
#include "crypto_openssl_mgt.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
|
#include "torlog.h"
|
||||||
|
|
||||||
|
#include "keccak-tiny/keccak-tiny.h"
|
||||||
|
|
||||||
DISABLE_GCC_WARNING(redundant-decls)
|
DISABLE_GCC_WARNING(redundant-decls)
|
||||||
|
|
||||||
@ -22,8 +25,6 @@ DISABLE_GCC_WARNING(redundant-decls)
|
|||||||
|
|
||||||
ENABLE_GCC_WARNING(redundant-decls)
|
ENABLE_GCC_WARNING(redundant-decls)
|
||||||
|
|
||||||
#include "container.h"
|
|
||||||
|
|
||||||
/* Crypto digest functions */
|
/* Crypto digest functions */
|
||||||
|
|
||||||
/** Compute the SHA1 digest of the <b>len</b> bytes on data stored in
|
/** Compute the SHA1 digest of the <b>len</b> bytes on data stored in
|
||||||
|
@ -27,6 +27,8 @@
|
|||||||
#include "crypto_curve25519.h"
|
#include "crypto_curve25519.h"
|
||||||
#include "crypto_ed25519.h"
|
#include "crypto_ed25519.h"
|
||||||
#include "crypto_format.h"
|
#include "crypto_format.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "torlog.h"
|
#include "torlog.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "util_format.h"
|
#include "util_format.h"
|
||||||
|
@ -20,6 +20,7 @@
|
|||||||
#include "crypto_ed25519.h"
|
#include "crypto_ed25519.h"
|
||||||
#include "crypto_format.h"
|
#include "crypto_format.h"
|
||||||
#include "crypto_digest.h"
|
#include "crypto_digest.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "util_format.h"
|
#include "util_format.h"
|
||||||
#include "torlog.h"
|
#include "torlog.h"
|
||||||
|
@ -12,6 +12,8 @@
|
|||||||
#include "crypto_s2k.h"
|
#include "crypto_s2k.h"
|
||||||
#include "crypto_pwbox.h"
|
#include "crypto_pwbox.h"
|
||||||
#include "crypto_digest.h"
|
#include "crypto_digest.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "di_ops.h"
|
#include "di_ops.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "pwbox.h"
|
#include "pwbox.h"
|
||||||
|
609
src/common/crypto_rand.c
Normal file
609
src/common/crypto_rand.c
Normal file
@ -0,0 +1,609 @@
|
|||||||
|
/* Copyright (c) 2001, Matej Pfajfar.
|
||||||
|
* Copyright (c) 2001-2004, Roger Dingledine.
|
||||||
|
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
|
||||||
|
* Copyright (c) 2007-2018, The Tor Project, Inc. */
|
||||||
|
/* See LICENSE for licensing information */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \file crypto_rand.c
|
||||||
|
*
|
||||||
|
* \brief Functions for initialising and seeding (pseudo-)random
|
||||||
|
* number generators, and working with randomness.
|
||||||
|
**/
|
||||||
|
|
||||||
|
#ifndef CRYPTO_RAND_PRIVATE
|
||||||
|
#define CRYPTO_RAND_PRIVATE
|
||||||
|
|
||||||
|
#ifdef _WIN32
|
||||||
|
#include <windows.h>
|
||||||
|
#include <wincrypt.h>
|
||||||
|
#endif /* defined(_WIN32) */
|
||||||
|
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
|
||||||
|
#include "container.h"
|
||||||
|
#include "compat.h"
|
||||||
|
#include "compat_openssl.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
|
#include "sandbox.h"
|
||||||
|
#include "testsupport.h"
|
||||||
|
#include "torlog.h"
|
||||||
|
#include "util.h"
|
||||||
|
#include "util_format.h"
|
||||||
|
|
||||||
|
DISABLE_GCC_WARNING(redundant-decls)
|
||||||
|
#include <openssl/rand.h>
|
||||||
|
ENABLE_GCC_WARNING(redundant-decls)
|
||||||
|
|
||||||
|
#if __GNUC__ && GCC_VERSION >= 402
|
||||||
|
#if GCC_VERSION >= 406
|
||||||
|
#pragma GCC diagnostic pop
|
||||||
|
#else
|
||||||
|
#pragma GCC diagnostic warning "-Wredundant-decls"
|
||||||
|
#endif
|
||||||
|
#endif /* __GNUC__ && GCC_VERSION >= 402 */
|
||||||
|
|
||||||
|
#ifdef HAVE_FCNTL_H
|
||||||
|
#include <fcntl.h>
|
||||||
|
#endif
|
||||||
|
#ifdef HAVE_SYS_FCNTL_H
|
||||||
|
#include <sys/fcntl.h>
|
||||||
|
#endif
|
||||||
|
#ifdef HAVE_SYS_STAT_H
|
||||||
|
#include <sys/stat.h>
|
||||||
|
#endif
|
||||||
|
#ifdef HAVE_UNISTD_H
|
||||||
|
#include <unistd.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* How many bytes of entropy we add at once.
|
||||||
|
*
|
||||||
|
* This is how much entropy OpenSSL likes to add right now, so maybe it will
|
||||||
|
* work for us too.
|
||||||
|
**/
|
||||||
|
#define ADD_ENTROPY 32
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Longest recognized DNS query.
|
||||||
|
**/
|
||||||
|
#define MAX_DNS_LABEL_SIZE 63
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Largest strong entropy request permitted.
|
||||||
|
**/
|
||||||
|
#define MAX_STRONGEST_RAND_SIZE 256
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Set the seed of the weak RNG to a random value.
|
||||||
|
**/
|
||||||
|
void
|
||||||
|
crypto_seed_weak_rng(tor_weak_rng_t *rng)
|
||||||
|
{
|
||||||
|
unsigned seed;
|
||||||
|
crypto_rand((void*)&seed, sizeof(seed));
|
||||||
|
tor_init_weak_random(rng, seed);
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef TOR_UNIT_TESTS
|
||||||
|
int break_strongest_rng_syscall = 0;
|
||||||
|
int break_strongest_rng_fallback = 0;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
|
||||||
|
* via system calls, storing it into <b>out</b>. Return 0 on success, -1 on
|
||||||
|
* failure. A maximum request size of 256 bytes is imposed.
|
||||||
|
**/
|
||||||
|
static int
|
||||||
|
crypto_strongest_rand_syscall(uint8_t *out, size_t out_len)
|
||||||
|
{
|
||||||
|
tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
|
||||||
|
|
||||||
|
/* We only log at notice-level here because in the case that this function
|
||||||
|
* fails the crypto_strongest_rand_raw() caller will log with a warning-level
|
||||||
|
* message and let crypto_strongest_rand() error out and finally terminating
|
||||||
|
* Tor with an assertion error.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#ifdef TOR_UNIT_TESTS
|
||||||
|
if (break_strongest_rng_syscall)
|
||||||
|
return -1;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(_WIN32)
|
||||||
|
static int provider_set = 0;
|
||||||
|
static HCRYPTPROV provider;
|
||||||
|
|
||||||
|
if (!provider_set) {
|
||||||
|
if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
|
||||||
|
CRYPT_VERIFYCONTEXT)) {
|
||||||
|
log_notice(LD_CRYPTO, "Unable to set Windows CryptoAPI provider [1].");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
provider_set = 1;
|
||||||
|
}
|
||||||
|
if (!CryptGenRandom(provider, out_len, out)) {
|
||||||
|
log_notice(LD_CRYPTO, "Unable get entropy from the Windows CryptoAPI.");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
#elif defined(__linux__) && defined(SYS_getrandom)
|
||||||
|
static int getrandom_works = 1; /* Be optimistic about our chances... */
|
||||||
|
|
||||||
|
/* getrandom() isn't as straightforward as getentropy(), and has
|
||||||
|
* no glibc wrapper.
|
||||||
|
*
|
||||||
|
* As far as I can tell from getrandom(2) and the source code, the
|
||||||
|
* requests we issue will always succeed (though it will block on the
|
||||||
|
* call if /dev/urandom isn't seeded yet), since we are NOT specifying
|
||||||
|
* GRND_NONBLOCK and the request is <= 256 bytes.
|
||||||
|
*
|
||||||
|
* The manpage is unclear on what happens if a signal interrupts the call
|
||||||
|
* while the request is blocked due to lack of entropy....
|
||||||
|
*
|
||||||
|
* We optimistically assume that getrandom() is available and functional
|
||||||
|
* because it is the way of the future, and 2 branch mispredicts pale in
|
||||||
|
* comparison to the overheads involved with failing to open
|
||||||
|
* /dev/srandom followed by opening and reading from /dev/urandom.
|
||||||
|
*/
|
||||||
|
if (PREDICT_LIKELY(getrandom_works)) {
|
||||||
|
long ret;
|
||||||
|
/* A flag of '0' here means to read from '/dev/urandom', and to
|
||||||
|
* block if insufficient entropy is available to service the
|
||||||
|
* request.
|
||||||
|
*/
|
||||||
|
const unsigned int flags = 0;
|
||||||
|
do {
|
||||||
|
ret = syscall(SYS_getrandom, out, out_len, flags);
|
||||||
|
} while (ret == -1 && ((errno == EINTR) ||(errno == EAGAIN)));
|
||||||
|
|
||||||
|
if (PREDICT_UNLIKELY(ret == -1)) {
|
||||||
|
/* LCOV_EXCL_START we can't actually make the syscall fail in testing. */
|
||||||
|
tor_assert(errno != EAGAIN);
|
||||||
|
tor_assert(errno != EINTR);
|
||||||
|
|
||||||
|
/* Useful log message for errno. */
|
||||||
|
if (errno == ENOSYS) {
|
||||||
|
log_notice(LD_CRYPTO, "Can't get entropy from getrandom()."
|
||||||
|
" You are running a version of Tor built to support"
|
||||||
|
" getrandom(), but the kernel doesn't implement this"
|
||||||
|
" function--probably because it is too old?"
|
||||||
|
" Trying fallback method instead.");
|
||||||
|
} else {
|
||||||
|
log_notice(LD_CRYPTO, "Can't get entropy from getrandom(): %s."
|
||||||
|
" Trying fallback method instead.",
|
||||||
|
strerror(errno));
|
||||||
|
}
|
||||||
|
|
||||||
|
getrandom_works = 0; /* Don't bother trying again. */
|
||||||
|
return -1;
|
||||||
|
/* LCOV_EXCL_STOP */
|
||||||
|
}
|
||||||
|
|
||||||
|
tor_assert(ret == (long)out_len);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
return -1; /* getrandom() previously failed unexpectedly. */
|
||||||
|
#elif defined(HAVE_GETENTROPY)
|
||||||
|
/* getentropy() is what Linux's getrandom() wants to be when it grows up.
|
||||||
|
* the only gotcha is that requests are limited to 256 bytes.
|
||||||
|
*/
|
||||||
|
return getentropy(out, out_len);
|
||||||
|
#else
|
||||||
|
(void) out;
|
||||||
|
#endif /* defined(_WIN32) || ... */
|
||||||
|
|
||||||
|
/* This platform doesn't have a supported syscall based random. */
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
|
||||||
|
* via the per-platform fallback mechanism, storing it into <b>out</b>.
|
||||||
|
* Return 0 on success, -1 on failure. A maximum request size of 256 bytes
|
||||||
|
* is imposed.
|
||||||
|
**/
|
||||||
|
static int
|
||||||
|
crypto_strongest_rand_fallback(uint8_t *out, size_t out_len)
|
||||||
|
{
|
||||||
|
#ifdef TOR_UNIT_TESTS
|
||||||
|
if (break_strongest_rng_fallback)
|
||||||
|
return -1;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef _WIN32
|
||||||
|
/* Windows exclusively uses crypto_strongest_rand_syscall(). */
|
||||||
|
(void)out;
|
||||||
|
(void)out_len;
|
||||||
|
return -1;
|
||||||
|
#else /* !(defined(_WIN32)) */
|
||||||
|
static const char *filenames[] = {
|
||||||
|
"/dev/srandom", "/dev/urandom", "/dev/random", NULL
|
||||||
|
};
|
||||||
|
int fd, i;
|
||||||
|
size_t n;
|
||||||
|
|
||||||
|
for (i = 0; filenames[i]; ++i) {
|
||||||
|
log_debug(LD_FS, "Considering %s as entropy source", filenames[i]);
|
||||||
|
fd = open(sandbox_intern_string(filenames[i]), O_RDONLY, 0);
|
||||||
|
if (fd<0) continue;
|
||||||
|
log_info(LD_CRYPTO, "Reading entropy from \"%s\"", filenames[i]);
|
||||||
|
n = read_all(fd, (char*)out, out_len, 0);
|
||||||
|
close(fd);
|
||||||
|
if (n != out_len) {
|
||||||
|
/* LCOV_EXCL_START
|
||||||
|
* We can't make /dev/foorandom actually fail. */
|
||||||
|
log_notice(LD_CRYPTO,
|
||||||
|
"Error reading from entropy source %s (read only %lu bytes).",
|
||||||
|
filenames[i],
|
||||||
|
(unsigned long)n);
|
||||||
|
return -1;
|
||||||
|
/* LCOV_EXCL_STOP */
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
return -1;
|
||||||
|
#endif /* defined(_WIN32) */
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
|
||||||
|
* storing it into <b>out</b>. Return 0 on success, -1 on failure. A maximum
|
||||||
|
* request size of 256 bytes is imposed.
|
||||||
|
**/
|
||||||
|
STATIC int
|
||||||
|
crypto_strongest_rand_raw(uint8_t *out, size_t out_len)
|
||||||
|
{
|
||||||
|
static const size_t sanity_min_size = 16;
|
||||||
|
static const int max_attempts = 3;
|
||||||
|
tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
|
||||||
|
|
||||||
|
/* For buffers >= 16 bytes (128 bits), we sanity check the output by
|
||||||
|
* zero filling the buffer and ensuring that it actually was at least
|
||||||
|
* partially modified.
|
||||||
|
*
|
||||||
|
* Checking that any individual byte is non-zero seems like it would
|
||||||
|
* fail too often (p = out_len * 1/256) for comfort, but this is an
|
||||||
|
* "adjust according to taste" sort of check.
|
||||||
|
*/
|
||||||
|
memwipe(out, 0, out_len);
|
||||||
|
for (int i = 0; i < max_attempts; i++) {
|
||||||
|
/* Try to use the syscall/OS favored mechanism to get strong entropy. */
|
||||||
|
if (crypto_strongest_rand_syscall(out, out_len) != 0) {
|
||||||
|
/* Try to use the less-favored mechanism to get strong entropy. */
|
||||||
|
if (crypto_strongest_rand_fallback(out, out_len) != 0) {
|
||||||
|
/* Welp, we tried. Hopefully the calling code terminates the process
|
||||||
|
* since we're basically boned without good entropy.
|
||||||
|
*/
|
||||||
|
log_warn(LD_CRYPTO,
|
||||||
|
"Cannot get strong entropy: no entropy source found.");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((out_len < sanity_min_size) || !tor_mem_is_zero((char*)out, out_len))
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* LCOV_EXCL_START
|
||||||
|
*
|
||||||
|
* We tried max_attempts times to fill a buffer >= 128 bits long,
|
||||||
|
* and each time it returned all '0's. Either the system entropy
|
||||||
|
* source is busted, or the user should go out and buy a ticket to
|
||||||
|
* every lottery on the planet.
|
||||||
|
*/
|
||||||
|
log_warn(LD_CRYPTO, "Strong OS entropy returned all zero buffer.");
|
||||||
|
|
||||||
|
return -1;
|
||||||
|
/* LCOV_EXCL_STOP */
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
|
||||||
|
* storing it into <b>out</b>.
|
||||||
|
**/
|
||||||
|
void
|
||||||
|
crypto_strongest_rand(uint8_t *out, size_t out_len)
|
||||||
|
{
|
||||||
|
#define DLEN SHA512_DIGEST_LENGTH
|
||||||
|
/* We're going to hash DLEN bytes from the system RNG together with some
|
||||||
|
* bytes from the openssl PRNG, in order to yield DLEN bytes.
|
||||||
|
*/
|
||||||
|
uint8_t inp[DLEN*2];
|
||||||
|
uint8_t tmp[DLEN];
|
||||||
|
tor_assert(out);
|
||||||
|
while (out_len) {
|
||||||
|
crypto_rand((char*) inp, DLEN);
|
||||||
|
if (crypto_strongest_rand_raw(inp+DLEN, DLEN) < 0) {
|
||||||
|
// LCOV_EXCL_START
|
||||||
|
log_err(LD_CRYPTO, "Failed to load strong entropy when generating an "
|
||||||
|
"important key. Exiting.");
|
||||||
|
/* Die with an assertion so we get a stack trace. */
|
||||||
|
tor_assert(0);
|
||||||
|
// LCOV_EXCL_STOP
|
||||||
|
}
|
||||||
|
if (out_len >= DLEN) {
|
||||||
|
SHA512(inp, sizeof(inp), out);
|
||||||
|
out += DLEN;
|
||||||
|
out_len -= DLEN;
|
||||||
|
} else {
|
||||||
|
SHA512(inp, sizeof(inp), tmp);
|
||||||
|
memcpy(out, tmp, out_len);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
memwipe(tmp, 0, sizeof(tmp));
|
||||||
|
memwipe(inp, 0, sizeof(inp));
|
||||||
|
#undef DLEN
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Seed OpenSSL's random number generator with bytes from the operating
|
||||||
|
* system. Return 0 on success, -1 on failure.
|
||||||
|
**/
|
||||||
|
int
|
||||||
|
crypto_seed_rng(void)
|
||||||
|
{
|
||||||
|
int rand_poll_ok = 0, load_entropy_ok = 0;
|
||||||
|
uint8_t buf[ADD_ENTROPY];
|
||||||
|
|
||||||
|
/* OpenSSL has a RAND_poll function that knows about more kinds of
|
||||||
|
* entropy than we do. We'll try calling that, *and* calling our own entropy
|
||||||
|
* functions. If one succeeds, we'll accept the RNG as seeded. */
|
||||||
|
rand_poll_ok = RAND_poll();
|
||||||
|
if (rand_poll_ok == 0)
|
||||||
|
log_warn(LD_CRYPTO, "RAND_poll() failed."); // LCOV_EXCL_LINE
|
||||||
|
|
||||||
|
load_entropy_ok = !crypto_strongest_rand_raw(buf, sizeof(buf));
|
||||||
|
if (load_entropy_ok) {
|
||||||
|
RAND_seed(buf, sizeof(buf));
|
||||||
|
}
|
||||||
|
|
||||||
|
memwipe(buf, 0, sizeof(buf));
|
||||||
|
|
||||||
|
if ((rand_poll_ok || load_entropy_ok) && RAND_status() == 1)
|
||||||
|
return 0;
|
||||||
|
else
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Write <b>n</b> bytes of strong random data to <b>to</b>. Supports mocking
|
||||||
|
* for unit tests.
|
||||||
|
*
|
||||||
|
* This function is not allowed to fail; if it would fail to generate strong
|
||||||
|
* entropy, it must terminate the process instead.
|
||||||
|
**/
|
||||||
|
MOCK_IMPL(void,
|
||||||
|
crypto_rand, (char *to, size_t n))
|
||||||
|
{
|
||||||
|
crypto_rand_unmocked(to, n);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Write <b>n</b> bytes of strong random data to <b>to</b>. Most callers
|
||||||
|
* will want crypto_rand instead.
|
||||||
|
*
|
||||||
|
* This function is not allowed to fail; if it would fail to generate strong
|
||||||
|
* entropy, it must terminate the process instead.
|
||||||
|
**/
|
||||||
|
void
|
||||||
|
crypto_rand_unmocked(char *to, size_t n)
|
||||||
|
{
|
||||||
|
int r;
|
||||||
|
if (n == 0)
|
||||||
|
return;
|
||||||
|
|
||||||
|
tor_assert(n < INT_MAX);
|
||||||
|
tor_assert(to);
|
||||||
|
r = RAND_bytes((unsigned char*)to, (int)n);
|
||||||
|
/* We consider a PRNG failure non-survivable. Let's assert so that we get a
|
||||||
|
* stack trace about where it happened.
|
||||||
|
*/
|
||||||
|
tor_assert(r >= 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return a pseudorandom integer, chosen uniformly from the values
|
||||||
|
* between 0 and <b>max</b>-1 inclusive. <b>max</b> must be between 1 and
|
||||||
|
* INT_MAX+1, inclusive.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
crypto_rand_int(unsigned int max)
|
||||||
|
{
|
||||||
|
unsigned int val;
|
||||||
|
unsigned int cutoff;
|
||||||
|
tor_assert(max <= ((unsigned int)INT_MAX)+1);
|
||||||
|
tor_assert(max > 0); /* don't div by 0 */
|
||||||
|
|
||||||
|
/* We ignore any values that are >= 'cutoff,' to avoid biasing the
|
||||||
|
* distribution with clipping at the upper end of unsigned int's
|
||||||
|
* range.
|
||||||
|
*/
|
||||||
|
cutoff = UINT_MAX - (UINT_MAX%max);
|
||||||
|
while (1) {
|
||||||
|
crypto_rand((char*)&val, sizeof(val));
|
||||||
|
if (val < cutoff)
|
||||||
|
return val % max;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return a pseudorandom integer, chosen uniformly from the values i such
|
||||||
|
* that min <= i < max.
|
||||||
|
*
|
||||||
|
* <b>min</b> MUST be in range [0, <b>max</b>).
|
||||||
|
* <b>max</b> MUST be in range (min, INT_MAX].
|
||||||
|
**/
|
||||||
|
int
|
||||||
|
crypto_rand_int_range(unsigned int min, unsigned int max)
|
||||||
|
{
|
||||||
|
tor_assert(min < max);
|
||||||
|
tor_assert(max <= INT_MAX);
|
||||||
|
|
||||||
|
/* The overflow is avoided here because crypto_rand_int() returns a value
|
||||||
|
* between 0 and (max - min) inclusive. */
|
||||||
|
return min + crypto_rand_int(max - min);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* As crypto_rand_int_range, but supports uint64_t.
|
||||||
|
**/
|
||||||
|
uint64_t
|
||||||
|
crypto_rand_uint64_range(uint64_t min, uint64_t max)
|
||||||
|
{
|
||||||
|
tor_assert(min < max);
|
||||||
|
return min + crypto_rand_uint64(max - min);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* As crypto_rand_int_range, but supports time_t.
|
||||||
|
**/
|
||||||
|
time_t
|
||||||
|
crypto_rand_time_range(time_t min, time_t max)
|
||||||
|
{
|
||||||
|
tor_assert(min < max);
|
||||||
|
return min + (time_t)crypto_rand_uint64(max - min);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return a pseudorandom 64-bit integer, chosen uniformly from the values
|
||||||
|
* between 0 and <b>max</b>-1 inclusive.
|
||||||
|
**/
|
||||||
|
uint64_t
|
||||||
|
crypto_rand_uint64(uint64_t max)
|
||||||
|
{
|
||||||
|
uint64_t val;
|
||||||
|
uint64_t cutoff;
|
||||||
|
tor_assert(max < UINT64_MAX);
|
||||||
|
tor_assert(max > 0); /* don't div by 0 */
|
||||||
|
|
||||||
|
/* We ignore any values that are >= 'cutoff,' to avoid biasing the
|
||||||
|
* distribution with clipping at the upper end of unsigned int's
|
||||||
|
* range.
|
||||||
|
*/
|
||||||
|
cutoff = UINT64_MAX - (UINT64_MAX%max);
|
||||||
|
while (1) {
|
||||||
|
crypto_rand((char*)&val, sizeof(val));
|
||||||
|
if (val < cutoff)
|
||||||
|
return val % max;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return a pseudorandom double d, chosen uniformly from the range
|
||||||
|
* 0.0 <= d < 1.0.
|
||||||
|
**/
|
||||||
|
double
|
||||||
|
crypto_rand_double(void)
|
||||||
|
{
|
||||||
|
/* We just use an unsigned int here; we don't really care about getting
|
||||||
|
* more than 32 bits of resolution */
|
||||||
|
unsigned int u;
|
||||||
|
crypto_rand((char*)&u, sizeof(u));
|
||||||
|
#if SIZEOF_INT == 4
|
||||||
|
#define UINT_MAX_AS_DOUBLE 4294967296.0
|
||||||
|
#elif SIZEOF_INT == 8
|
||||||
|
#define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
|
||||||
|
#else
|
||||||
|
#error SIZEOF_INT is neither 4 nor 8
|
||||||
|
#endif /* SIZEOF_INT == 4 || ... */
|
||||||
|
return ((double)u) / UINT_MAX_AS_DOUBLE;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Generate and return a new random hostname starting with <b>prefix</b>,
|
||||||
|
* ending with <b>suffix</b>, and containing no fewer than
|
||||||
|
* <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
|
||||||
|
* characters. Does not check for failure.
|
||||||
|
*
|
||||||
|
* Clip <b>max_rand_len</b> to MAX_DNS_LABEL_SIZE.
|
||||||
|
**/
|
||||||
|
char *
|
||||||
|
crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix,
|
||||||
|
const char *suffix)
|
||||||
|
{
|
||||||
|
char *result, *rand_bytes;
|
||||||
|
int randlen, rand_bytes_len;
|
||||||
|
size_t resultlen, prefixlen;
|
||||||
|
|
||||||
|
if (max_rand_len > MAX_DNS_LABEL_SIZE)
|
||||||
|
max_rand_len = MAX_DNS_LABEL_SIZE;
|
||||||
|
if (min_rand_len > max_rand_len)
|
||||||
|
min_rand_len = max_rand_len;
|
||||||
|
|
||||||
|
randlen = crypto_rand_int_range(min_rand_len, max_rand_len+1);
|
||||||
|
|
||||||
|
prefixlen = strlen(prefix);
|
||||||
|
resultlen = prefixlen + strlen(suffix) + randlen + 16;
|
||||||
|
|
||||||
|
rand_bytes_len = ((randlen*5)+7)/8;
|
||||||
|
if (rand_bytes_len % 5)
|
||||||
|
rand_bytes_len += 5 - (rand_bytes_len%5);
|
||||||
|
rand_bytes = tor_malloc(rand_bytes_len);
|
||||||
|
crypto_rand(rand_bytes, rand_bytes_len);
|
||||||
|
|
||||||
|
result = tor_malloc(resultlen);
|
||||||
|
memcpy(result, prefix, prefixlen);
|
||||||
|
base32_encode(result+prefixlen, resultlen-prefixlen,
|
||||||
|
rand_bytes, rand_bytes_len);
|
||||||
|
tor_free(rand_bytes);
|
||||||
|
strlcpy(result+prefixlen+randlen, suffix, resultlen-(prefixlen+randlen));
|
||||||
|
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
|
||||||
|
* is empty.
|
||||||
|
**/
|
||||||
|
void *
|
||||||
|
smartlist_choose(const smartlist_t *sl)
|
||||||
|
{
|
||||||
|
int len = smartlist_len(sl);
|
||||||
|
if (len)
|
||||||
|
return smartlist_get(sl,crypto_rand_int(len));
|
||||||
|
return NULL; /* no elements to choose from */
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Scramble the elements of <b>sl</b> into a random order.
|
||||||
|
**/
|
||||||
|
void
|
||||||
|
smartlist_shuffle(smartlist_t *sl)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
/* From the end of the list to the front, choose at random from the
|
||||||
|
positions we haven't looked at yet, and swap that position into the
|
||||||
|
current position. Remember to give "no swap" the same probability as
|
||||||
|
any other swap. */
|
||||||
|
for (i = smartlist_len(sl)-1; i > 0; --i) {
|
||||||
|
int j = crypto_rand_int(i+1);
|
||||||
|
smartlist_swap(sl, i, j);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Make sure that openssl is using its default PRNG. Return 1 if we had to
|
||||||
|
* adjust it; 0 otherwise. */
|
||||||
|
int
|
||||||
|
crypto_force_rand_ssleay(void)
|
||||||
|
{
|
||||||
|
RAND_METHOD *default_method;
|
||||||
|
default_method = RAND_OpenSSL();
|
||||||
|
if (RAND_get_rand_method() != default_method) {
|
||||||
|
log_notice(LD_CRYPTO, "It appears that one of our engines has provided "
|
||||||
|
"a replacement the OpenSSL RNG. Resetting it to the default "
|
||||||
|
"implementation.");
|
||||||
|
RAND_set_rand_method(default_method);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* !defined(CRYPTO_RAND_PRIVATE) */
|
||||||
|
|
53
src/common/crypto_rand.h
Normal file
53
src/common/crypto_rand.h
Normal file
@ -0,0 +1,53 @@
|
|||||||
|
/* Copyright (c) 2001, Matej Pfajfar.
|
||||||
|
* Copyright (c) 2001-2004, Roger Dingledine.
|
||||||
|
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
|
||||||
|
* Copyright (c) 2007-2018, The Tor Project, Inc. */
|
||||||
|
/* See LICENSE for licensing information */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \file crypto_rand.h
|
||||||
|
*
|
||||||
|
* \brief Common functions for using (psuedo-)random number generators.
|
||||||
|
**/
|
||||||
|
|
||||||
|
#ifndef TOR_CRYPTO_RAND_H
|
||||||
|
#define TOR_CRYPTO_RAND_H
|
||||||
|
|
||||||
|
#include "torint.h"
|
||||||
|
#include "util.h"
|
||||||
|
|
||||||
|
/* random numbers */
|
||||||
|
int crypto_seed_rng(void) ATTR_WUR;
|
||||||
|
MOCK_DECL(void,crypto_rand,(char *to, size_t n));
|
||||||
|
void crypto_rand_unmocked(char *to, size_t n);
|
||||||
|
void crypto_strongest_rand(uint8_t *out, size_t out_len);
|
||||||
|
int crypto_rand_int(unsigned int max);
|
||||||
|
int crypto_rand_int_range(unsigned int min, unsigned int max);
|
||||||
|
uint64_t crypto_rand_uint64_range(uint64_t min, uint64_t max);
|
||||||
|
time_t crypto_rand_time_range(time_t min, time_t max);
|
||||||
|
uint64_t crypto_rand_uint64(uint64_t max);
|
||||||
|
double crypto_rand_double(void);
|
||||||
|
struct tor_weak_rng_t;
|
||||||
|
void crypto_seed_weak_rng(struct tor_weak_rng_t *rng);
|
||||||
|
int crypto_init_siphash_key(void);
|
||||||
|
|
||||||
|
char *crypto_random_hostname(int min_rand_len, int max_rand_len,
|
||||||
|
const char *prefix, const char *suffix);
|
||||||
|
|
||||||
|
struct smartlist_t;
|
||||||
|
void *smartlist_choose(const struct smartlist_t *sl);
|
||||||
|
void smartlist_shuffle(struct smartlist_t *sl);
|
||||||
|
int crypto_force_rand_ssleay(void);
|
||||||
|
|
||||||
|
#ifdef CRYPTO_RAND_PRIVATE
|
||||||
|
|
||||||
|
STATIC int crypto_strongest_rand_raw(uint8_t *out, size_t out_len);
|
||||||
|
|
||||||
|
#ifdef TOR_UNIT_TESTS
|
||||||
|
extern int break_strongest_rng_syscall;
|
||||||
|
extern int break_strongest_rng_fallback;
|
||||||
|
#endif
|
||||||
|
#endif /* defined(CRYPTO_RAND_PRIVATE) */
|
||||||
|
|
||||||
|
#endif /* !defined(TOR_CRYPTO_RAND_H) */
|
||||||
|
|
@ -15,6 +15,8 @@
|
|||||||
#include "crypto_curve25519.h"
|
#include "crypto_curve25519.h"
|
||||||
#include "crypto_format.h"
|
#include "crypto_format.h"
|
||||||
#include "crypto_digest.h"
|
#include "crypto_digest.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
|
|
||||||
DISABLE_GCC_WARNING(redundant-decls)
|
DISABLE_GCC_WARNING(redundant-decls)
|
||||||
|
|
||||||
|
@ -17,6 +17,8 @@
|
|||||||
#include "compat.h"
|
#include "compat.h"
|
||||||
#include "crypto_s2k.h"
|
#include "crypto_s2k.h"
|
||||||
#include "crypto_digest.h"
|
#include "crypto_digest.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
|
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
|
|
||||||
|
105
src/common/crypto_util.c
Normal file
105
src/common/crypto_util.c
Normal file
@ -0,0 +1,105 @@
|
|||||||
|
/* Copyright (c) 2001, Matej Pfajfar.
|
||||||
|
* Copyright (c) 2001-2004, Roger Dingledine.
|
||||||
|
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
|
||||||
|
* Copyright (c) 2007-2018, The Tor Project, Inc. */
|
||||||
|
/* See LICENSE for licensing information */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \file crypto_util.c
|
||||||
|
*
|
||||||
|
* \brief Common cryptographic utilities.
|
||||||
|
**/
|
||||||
|
|
||||||
|
#ifndef CRYPTO_UTIL_PRIVATE
|
||||||
|
#define CRYPTO_UTIL_PRIVATE
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
#ifdef _WIN32
|
||||||
|
#include <windows.h>
|
||||||
|
#include <wincrypt.h>
|
||||||
|
#endif /* defined(_WIN32) */
|
||||||
|
|
||||||
|
#include "crypto_util.h"
|
||||||
|
#include "util.h"
|
||||||
|
|
||||||
|
DISABLE_GCC_WARNING(redundant-decls)
|
||||||
|
|
||||||
|
#include <openssl/crypto.h>
|
||||||
|
|
||||||
|
ENABLE_GCC_WARNING(redundant-decls)
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Destroy the <b>sz</b> bytes of data stored at <b>mem</b>, setting them to
|
||||||
|
* the value <b>byte</b>.
|
||||||
|
* If <b>mem</b> is NULL or <b>sz</b> is zero, nothing happens.
|
||||||
|
*
|
||||||
|
* This function is preferable to memset, since many compilers will happily
|
||||||
|
* optimize out memset() when they can convince themselves that the data being
|
||||||
|
* cleared will never be read.
|
||||||
|
*
|
||||||
|
* Right now, our convention is to use this function when we are wiping data
|
||||||
|
* that's about to become inaccessible, such as stack buffers that are about
|
||||||
|
* to go out of scope or structures that are about to get freed. (In
|
||||||
|
* practice, it appears that the compilers we're currently using will optimize
|
||||||
|
* out the memset()s for stack-allocated buffers, but not those for
|
||||||
|
* about-to-be-freed structures. That could change, though, so we're being
|
||||||
|
* wary.) If there are live reads for the data, then you can just use
|
||||||
|
* memset().
|
||||||
|
*/
|
||||||
|
void
|
||||||
|
memwipe(void *mem, uint8_t byte, size_t sz)
|
||||||
|
{
|
||||||
|
if (sz == 0) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
/* If sz is nonzero, then mem must not be NULL. */
|
||||||
|
tor_assert(mem != NULL);
|
||||||
|
|
||||||
|
/* Data this large is likely to be an underflow. */
|
||||||
|
tor_assert(sz < SIZE_T_CEILING);
|
||||||
|
|
||||||
|
/* Because whole-program-optimization exists, we may not be able to just
|
||||||
|
* have this function call "memset". A smart compiler could inline it, then
|
||||||
|
* eliminate dead memsets, and declare itself to be clever. */
|
||||||
|
|
||||||
|
#if defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY)
|
||||||
|
/* Here's what you do on windows. */
|
||||||
|
SecureZeroMemory(mem,sz);
|
||||||
|
#elif defined(HAVE_RTLSECUREZEROMEMORY)
|
||||||
|
RtlSecureZeroMemory(mem,sz);
|
||||||
|
#elif defined(HAVE_EXPLICIT_BZERO)
|
||||||
|
/* The BSDs provide this. */
|
||||||
|
explicit_bzero(mem, sz);
|
||||||
|
#elif defined(HAVE_MEMSET_S)
|
||||||
|
/* This is in the C99 standard. */
|
||||||
|
memset_s(mem, sz, 0, sz);
|
||||||
|
#else
|
||||||
|
/* This is a slow and ugly function from OpenSSL that fills 'mem' with junk
|
||||||
|
* based on the pointer value, then uses that junk to update a global
|
||||||
|
* variable. It's an elaborate ruse to trick the compiler into not
|
||||||
|
* optimizing out the "wipe this memory" code. Read it if you like zany
|
||||||
|
* programming tricks! In later versions of Tor, we should look for better
|
||||||
|
* not-optimized-out memory wiping stuff...
|
||||||
|
*
|
||||||
|
* ...or maybe not. In practice, there are pure-asm implementations of
|
||||||
|
* OPENSSL_cleanse() on most platforms, which ought to do the job.
|
||||||
|
**/
|
||||||
|
|
||||||
|
OPENSSL_cleanse(mem, sz);
|
||||||
|
#endif /* defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY) || ... */
|
||||||
|
|
||||||
|
/* Just in case some caller of memwipe() is relying on getting a buffer
|
||||||
|
* filled with a particular value, fill the buffer.
|
||||||
|
*
|
||||||
|
* If this function gets inlined, this memset might get eliminated, but
|
||||||
|
* that's okay: We only care about this particular memset in the case where
|
||||||
|
* the caller should have been using memset(), and the memset() wouldn't get
|
||||||
|
* eliminated. In other words, this is here so that we won't break anything
|
||||||
|
* if somebody accidentally calls memwipe() instead of memset().
|
||||||
|
**/
|
||||||
|
memset(mem, byte, sz);
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* !defined(CRYPTO_UTIL_PRIVATE) */
|
||||||
|
|
27
src/common/crypto_util.h
Normal file
27
src/common/crypto_util.h
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
/* Copyright (c) 2001, Matej Pfajfar.
|
||||||
|
* Copyright (c) 2001-2004, Roger Dingledine.
|
||||||
|
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
|
||||||
|
* Copyright (c) 2007-2018, The Tor Project, Inc. */
|
||||||
|
/* See LICENSE for licensing information */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \file crypto_util.h
|
||||||
|
*
|
||||||
|
* \brief Common functions for cryptographic routines.
|
||||||
|
**/
|
||||||
|
|
||||||
|
#ifndef TOR_CRYPTO_UTIL_H
|
||||||
|
#define TOR_CRYPTO_UTIL_H
|
||||||
|
|
||||||
|
#include "torint.h"
|
||||||
|
|
||||||
|
/** OpenSSL-based utility functions. */
|
||||||
|
void memwipe(void *mem, uint8_t byte, size_t sz);
|
||||||
|
|
||||||
|
#ifdef CRYPTO_UTIL_PRIVATE
|
||||||
|
#ifdef TOR_UNIT_TESTS
|
||||||
|
#endif /* defined(TOR_UNIT_TESTS) */
|
||||||
|
#endif /* defined(CRYPTO_UTIL_PRIVATE) */
|
||||||
|
|
||||||
|
#endif /* !defined(TOR_CRYPTO_UTIL_H) */
|
||||||
|
|
@ -118,8 +118,10 @@ LIBOR_CRYPTO_A_SRC = \
|
|||||||
src/common/crypto_rsa.c \
|
src/common/crypto_rsa.c \
|
||||||
src/common/crypto_openssl_mgt.c \
|
src/common/crypto_openssl_mgt.c \
|
||||||
src/common/crypto_pwbox.c \
|
src/common/crypto_pwbox.c \
|
||||||
|
src/common/crypto_rand.c \
|
||||||
src/common/crypto_s2k.c \
|
src/common/crypto_s2k.c \
|
||||||
src/common/crypto_format.c \
|
src/common/crypto_format.c \
|
||||||
|
src/common/crypto_util.c \
|
||||||
src/common/tortls.c \
|
src/common/tortls.c \
|
||||||
src/common/crypto_curve25519.c \
|
src/common/crypto_curve25519.c \
|
||||||
src/common/crypto_ed25519.c
|
src/common/crypto_ed25519.c
|
||||||
@ -173,7 +175,9 @@ COMMONHEADERS = \
|
|||||||
src/common/crypto_openssl_mgt.h \
|
src/common/crypto_openssl_mgt.h \
|
||||||
src/common/crypto_rsa.h \
|
src/common/crypto_rsa.h \
|
||||||
src/common/crypto_pwbox.h \
|
src/common/crypto_pwbox.h \
|
||||||
|
src/common/crypto_rand.h \
|
||||||
src/common/crypto_s2k.h \
|
src/common/crypto_s2k.h \
|
||||||
|
src/common/crypto_util.h \
|
||||||
src/common/di_ops.h \
|
src/common/di_ops.h \
|
||||||
src/common/handles.h \
|
src/common/handles.h \
|
||||||
src/common/memarea.h \
|
src/common/memarea.h \
|
||||||
|
@ -26,6 +26,8 @@
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include "crypto.h"
|
#include "crypto.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "compat.h"
|
#include "compat.h"
|
||||||
|
|
||||||
/* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
|
/* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
|
||||||
|
@ -25,7 +25,7 @@
|
|||||||
#include "orconfig.h"
|
#include "orconfig.h"
|
||||||
#include "compat.h"
|
#include "compat.h"
|
||||||
#include "compat_threads.h"
|
#include "compat_threads.h"
|
||||||
#include "crypto.h"
|
#include "crypto_rand.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "workqueue.h"
|
#include "workqueue.h"
|
||||||
#include "tor_queue.h"
|
#include "tor_queue.h"
|
||||||
|
@ -8,7 +8,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
/* Tor: Instead of calling OpenSSL's CSPRNG directly, call the wrapper. */
|
/* Tor: Instead of calling OpenSSL's CSPRNG directly, call the wrapper. */
|
||||||
#include "crypto.h"
|
#include "crypto_rand.h"
|
||||||
|
|
||||||
static void
|
static void
|
||||||
ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len)
|
ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len)
|
||||||
|
@ -40,6 +40,8 @@
|
|||||||
#include "ed25519-randombytes.h"
|
#include "ed25519-randombytes.h"
|
||||||
#include "ed25519-hash.h"
|
#include "ed25519-hash.h"
|
||||||
|
|
||||||
|
#include "crypto_util.h"
|
||||||
|
|
||||||
typedef unsigned char ed25519_signature[64];
|
typedef unsigned char ed25519_signature[64];
|
||||||
typedef unsigned char ed25519_public_key[32];
|
typedef unsigned char ed25519_public_key[32];
|
||||||
typedef unsigned char ed25519_secret_key[32];
|
typedef unsigned char ed25519_secret_key[32];
|
||||||
|
@ -7,7 +7,7 @@
|
|||||||
#include "ed25519_ref10.h"
|
#include "ed25519_ref10.h"
|
||||||
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include "crypto.h"
|
#include "crypto_util.h"
|
||||||
|
|
||||||
static void
|
static void
|
||||||
ed25519_ref10_gettweak(unsigned char *out, const unsigned char *param)
|
ed25519_ref10_gettweak(unsigned char *out, const unsigned char *param)
|
||||||
|
@ -6,6 +6,9 @@
|
|||||||
#include "crypto_hash_sha512.h"
|
#include "crypto_hash_sha512.h"
|
||||||
#include "ge.h"
|
#include "ge.h"
|
||||||
|
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
|
|
||||||
int
|
int
|
||||||
crypto_sign_seckey(unsigned char *sk)
|
crypto_sign_seckey(unsigned char *sk)
|
||||||
{
|
{
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
#include "keccak-tiny.h"
|
#include "keccak-tiny.h"
|
||||||
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include "crypto.h"
|
#include "crypto_util.h"
|
||||||
#include "byteorder.h"
|
#include "byteorder.h"
|
||||||
|
|
||||||
/******** Endianness conversion helpers ********/
|
/******** Endianness conversion helpers ********/
|
||||||
|
@ -21,6 +21,7 @@
|
|||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "connection_edge.h"
|
#include "connection_edge.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "dns.h"
|
#include "dns.h"
|
||||||
#include "routerset.h"
|
#include "routerset.h"
|
||||||
#include "nodelist.h"
|
#include "nodelist.h"
|
||||||
|
@ -16,6 +16,7 @@
|
|||||||
#include "networkstatus.h"
|
#include "networkstatus.h"
|
||||||
#include "connection.h"
|
#include "connection.h"
|
||||||
#include "connection_or.h"
|
#include "connection_or.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "main.h"
|
#include "main.h"
|
||||||
#include "rephist.h"
|
#include "rephist.h"
|
||||||
#include "router.h"
|
#include "router.h"
|
||||||
|
@ -30,6 +30,7 @@
|
|||||||
#include "circuitstats.h"
|
#include "circuitstats.h"
|
||||||
#include "connection_edge.h"
|
#include "connection_edge.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "entrynodes.h"
|
#include "entrynodes.h"
|
||||||
#include "networkstatus.h"
|
#include "networkstatus.h"
|
||||||
#include "relay.h"
|
#include "relay.h"
|
||||||
|
@ -43,7 +43,7 @@
|
|||||||
#include "connection_edge.h"
|
#include "connection_edge.h"
|
||||||
#include "connection_or.h"
|
#include "connection_or.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
#include "crypto.h"
|
#include "crypto_rand.h"
|
||||||
#include "directory.h"
|
#include "directory.h"
|
||||||
#include "entrynodes.h"
|
#include "entrynodes.h"
|
||||||
#include "hs_ntor.h"
|
#include "hs_ntor.h"
|
||||||
|
@ -65,6 +65,8 @@
|
|||||||
#include "connection_edge.h"
|
#include "connection_edge.h"
|
||||||
#include "connection_or.h"
|
#include "connection_or.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "entrynodes.h"
|
#include "entrynodes.h"
|
||||||
#include "main.h"
|
#include "main.h"
|
||||||
#include "hs_circuit.h"
|
#include "hs_circuit.h"
|
||||||
|
@ -31,6 +31,7 @@
|
|||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "confparse.h"
|
#include "confparse.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "main.h"
|
#include "main.h"
|
||||||
#include "networkstatus.h"
|
#include "networkstatus.h"
|
||||||
#include "rendclient.h"
|
#include "rendclient.h"
|
||||||
|
@ -46,6 +46,7 @@
|
|||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
#include "cpuworker.h"
|
#include "cpuworker.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "dos.h"
|
#include "dos.h"
|
||||||
#include "hibernate.h"
|
#include "hibernate.h"
|
||||||
#include "nodelist.h"
|
#include "nodelist.h"
|
||||||
|
@ -78,6 +78,8 @@
|
|||||||
#include "control.h"
|
#include "control.h"
|
||||||
#include "confparse.h"
|
#include "confparse.h"
|
||||||
#include "cpuworker.h"
|
#include "cpuworker.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "dirserv.h"
|
#include "dirserv.h"
|
||||||
#include "dirvote.h"
|
#include "dirvote.h"
|
||||||
#include "dns.h"
|
#include "dns.h"
|
||||||
|
@ -76,6 +76,7 @@
|
|||||||
#include "connection_edge.h"
|
#include "connection_edge.h"
|
||||||
#include "connection_or.h"
|
#include "connection_or.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "directory.h"
|
#include "directory.h"
|
||||||
#include "dirserv.h"
|
#include "dirserv.h"
|
||||||
#include "dns.h"
|
#include "dns.h"
|
||||||
|
@ -70,6 +70,7 @@
|
|||||||
#include "connection_edge.h"
|
#include "connection_edge.h"
|
||||||
#include "connection_or.h"
|
#include "connection_or.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "dns.h"
|
#include "dns.h"
|
||||||
#include "dnsserv.h"
|
#include "dnsserv.h"
|
||||||
#include "directory.h"
|
#include "directory.h"
|
||||||
|
@ -39,6 +39,8 @@
|
|||||||
#include "connection.h"
|
#include "connection.h"
|
||||||
#include "connection_or.h"
|
#include "connection_or.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "dirserv.h"
|
#include "dirserv.h"
|
||||||
#include "entrynodes.h"
|
#include "entrynodes.h"
|
||||||
#include "geoip.h"
|
#include "geoip.h"
|
||||||
|
@ -5,6 +5,7 @@
|
|||||||
|
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "conscache.h"
|
#include "conscache.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "storagedir.h"
|
#include "storagedir.h"
|
||||||
|
|
||||||
#define CCE_MAGIC 0x17162253
|
#define CCE_MAGIC 0x17162253
|
||||||
|
@ -52,6 +52,8 @@
|
|||||||
#include "connection_edge.h"
|
#include "connection_edge.h"
|
||||||
#include "connection_or.h"
|
#include "connection_or.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "directory.h"
|
#include "directory.h"
|
||||||
#include "dirserv.h"
|
#include "dirserv.h"
|
||||||
#include "dnsserv.h"
|
#include "dnsserv.h"
|
||||||
|
@ -24,6 +24,8 @@
|
|||||||
#include "connection_or.h"
|
#include "connection_or.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "cpuworker.h"
|
#include "cpuworker.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "main.h"
|
#include "main.h"
|
||||||
#include "onion.h"
|
#include "onion.h"
|
||||||
#include "rephist.h"
|
#include "rephist.h"
|
||||||
|
@ -18,6 +18,8 @@
|
|||||||
#include "consdiffmgr.h"
|
#include "consdiffmgr.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
#include "compat.h"
|
#include "compat.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "directory.h"
|
#include "directory.h"
|
||||||
#include "dirserv.h"
|
#include "dirserv.h"
|
||||||
#include "dirvote.h"
|
#include "dirvote.h"
|
||||||
|
@ -56,6 +56,7 @@
|
|||||||
#include "connection.h"
|
#include "connection.h"
|
||||||
#include "connection_edge.h"
|
#include "connection_edge.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "dns.h"
|
#include "dns.h"
|
||||||
#include "main.h"
|
#include "main.h"
|
||||||
#include "policies.h"
|
#include "policies.h"
|
||||||
|
@ -11,6 +11,7 @@
|
|||||||
#include "or.h"
|
#include "or.h"
|
||||||
#include "channel.h"
|
#include "channel.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "geoip.h"
|
#include "geoip.h"
|
||||||
#include "main.h"
|
#include "main.h"
|
||||||
#include "networkstatus.h"
|
#include "networkstatus.h"
|
||||||
|
@ -123,6 +123,7 @@
|
|||||||
#include "confparse.h"
|
#include "confparse.h"
|
||||||
#include "connection.h"
|
#include "connection.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "directory.h"
|
#include "directory.h"
|
||||||
#include "entrynodes.h"
|
#include "entrynodes.h"
|
||||||
#include "main.h"
|
#include "main.h"
|
||||||
|
@ -23,6 +23,8 @@
|
|||||||
#include "ext_orport.h"
|
#include "ext_orport.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "main.h"
|
#include "main.h"
|
||||||
#include "proto_ext_or.h"
|
#include "proto_ext_or.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
|
@ -36,6 +36,7 @@ hibernating, phase 2:
|
|||||||
#include "connection_edge.h"
|
#include "connection_edge.h"
|
||||||
#include "connection_or.h"
|
#include "connection_or.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "hibernate.h"
|
#include "hibernate.h"
|
||||||
#include "main.h"
|
#include "main.h"
|
||||||
#include "router.h"
|
#include "router.h"
|
||||||
|
@ -11,6 +11,7 @@
|
|||||||
|
|
||||||
#include "or.h"
|
#include "or.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "hs_ident.h"
|
#include "hs_ident.h"
|
||||||
#include "hs_common.h"
|
#include "hs_common.h"
|
||||||
#include "hs_client.h"
|
#include "hs_client.h"
|
||||||
|
@ -8,6 +8,7 @@
|
|||||||
|
|
||||||
#include "or.h"
|
#include "or.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "rendservice.h"
|
#include "rendservice.h"
|
||||||
#include "replaycache.h"
|
#include "replaycache.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
|
@ -13,6 +13,8 @@
|
|||||||
#include "circuitlist.h"
|
#include "circuitlist.h"
|
||||||
#include "circuituse.h"
|
#include "circuituse.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "nodelist.h"
|
#include "nodelist.h"
|
||||||
#include "policies.h"
|
#include "policies.h"
|
||||||
#include "relay.h"
|
#include "relay.h"
|
||||||
|
@ -13,6 +13,8 @@
|
|||||||
#include "hs_ident.h"
|
#include "hs_ident.h"
|
||||||
#include "connection_edge.h"
|
#include "connection_edge.h"
|
||||||
#include "container.h"
|
#include "container.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "rendclient.h"
|
#include "rendclient.h"
|
||||||
#include "hs_descriptor.h"
|
#include "hs_descriptor.h"
|
||||||
#include "hs_cache.h"
|
#include "hs_cache.h"
|
||||||
|
@ -15,6 +15,8 @@
|
|||||||
|
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "circuitbuild.h"
|
#include "circuitbuild.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "networkstatus.h"
|
#include "networkstatus.h"
|
||||||
#include "nodelist.h"
|
#include "nodelist.h"
|
||||||
#include "hs_cache.h"
|
#include "hs_cache.h"
|
||||||
|
@ -8,6 +8,7 @@
|
|||||||
|
|
||||||
#include "or.h"
|
#include "or.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "hs_common.h"
|
#include "hs_common.h"
|
||||||
#include "hs_control.h"
|
#include "hs_control.h"
|
||||||
#include "hs_descriptor.h"
|
#include "hs_descriptor.h"
|
||||||
|
@ -59,6 +59,8 @@
|
|||||||
#include "ed25519_cert.h" /* Trunnel interface. */
|
#include "ed25519_cert.h" /* Trunnel interface. */
|
||||||
#include "hs_descriptor.h"
|
#include "hs_descriptor.h"
|
||||||
#include "circuitbuild.h"
|
#include "circuitbuild.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "parsecommon.h"
|
#include "parsecommon.h"
|
||||||
#include "rendcache.h"
|
#include "rendcache.h"
|
||||||
#include "hs_cache.h"
|
#include "hs_cache.h"
|
||||||
|
@ -16,6 +16,7 @@
|
|||||||
#include "container.h"
|
#include "container.h"
|
||||||
#include "crypto.h"
|
#include "crypto.h"
|
||||||
#include "crypto_ed25519.h"
|
#include "crypto_ed25519.h"
|
||||||
|
#include "ed25519_cert.h" /* needed for trunnel */
|
||||||
#include "torcert.h"
|
#include "torcert.h"
|
||||||
|
|
||||||
/* Trunnel */
|
/* Trunnel */
|
||||||
|
@ -7,6 +7,7 @@
|
|||||||
* subsytem.
|
* subsytem.
|
||||||
**/
|
**/
|
||||||
|
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "hs_ident.h"
|
#include "hs_ident.h"
|
||||||
|
|
||||||
/* Return a newly allocated circuit identifier. The given public key is copied
|
/* Return a newly allocated circuit identifier. The given public key is copied
|
||||||
|
@ -25,6 +25,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include "or.h"
|
#include "or.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "hs_ntor.h"
|
#include "hs_ntor.h"
|
||||||
|
|
||||||
/* String constants used by the ntor HS protocol */
|
/* String constants used by the ntor HS protocol */
|
||||||
|
@ -15,6 +15,8 @@
|
|||||||
#include "circuituse.h"
|
#include "circuituse.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "connection.h"
|
#include "connection.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "directory.h"
|
#include "directory.h"
|
||||||
#include "main.h"
|
#include "main.h"
|
||||||
#include "networkstatus.h"
|
#include "networkstatus.h"
|
||||||
|
@ -70,6 +70,7 @@
|
|||||||
#include "control.h"
|
#include "control.h"
|
||||||
#include "cpuworker.h"
|
#include "cpuworker.h"
|
||||||
#include "crypto_s2k.h"
|
#include "crypto_s2k.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "directory.h"
|
#include "directory.h"
|
||||||
#include "dirserv.h"
|
#include "dirserv.h"
|
||||||
#include "dirvote.h"
|
#include "dirvote.h"
|
||||||
|
@ -48,6 +48,8 @@
|
|||||||
#include "connection_or.h"
|
#include "connection_or.h"
|
||||||
#include "consdiffmgr.h"
|
#include "consdiffmgr.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "directory.h"
|
#include "directory.h"
|
||||||
#include "dirserv.h"
|
#include "dirserv.h"
|
||||||
#include "dirvote.h"
|
#include "dirvote.h"
|
||||||
|
@ -67,6 +67,7 @@
|
|||||||
#include "circuitlist.h"
|
#include "circuitlist.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "cpuworker.h"
|
#include "cpuworker.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "networkstatus.h"
|
#include "networkstatus.h"
|
||||||
#include "onion.h"
|
#include "onion.h"
|
||||||
#include "onion_fast.h"
|
#include "onion_fast.h"
|
||||||
|
@ -29,6 +29,8 @@
|
|||||||
|
|
||||||
#include "or.h"
|
#include "or.h"
|
||||||
#include "onion_fast.h"
|
#include "onion_fast.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
|
|
||||||
/** Release all state held in <b>victim</b>. */
|
/** Release all state held in <b>victim</b>. */
|
||||||
void
|
void
|
||||||
|
@ -23,6 +23,7 @@
|
|||||||
#define ONION_NTOR_PRIVATE
|
#define ONION_NTOR_PRIVATE
|
||||||
#include "crypto.h"
|
#include "crypto.h"
|
||||||
#include "crypto_digest.h"
|
#include "crypto_digest.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "onion_ntor.h"
|
#include "onion_ntor.h"
|
||||||
#include "torlog.h"
|
#include "torlog.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
|
@ -29,6 +29,8 @@
|
|||||||
|
|
||||||
#include "or.h"
|
#include "or.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "onion_tap.h"
|
#include "onion_tap.h"
|
||||||
#include "rephist.h"
|
#include "rephist.h"
|
||||||
|
|
||||||
|
@ -9,6 +9,7 @@
|
|||||||
#include "buffers.h"
|
#include "buffers.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "ext_orport.h"
|
#include "ext_orport.h"
|
||||||
#include "proto_socks.h"
|
#include "proto_socks.h"
|
||||||
#include "reasons.h"
|
#include "reasons.h"
|
||||||
|
@ -61,6 +61,8 @@
|
|||||||
#include "connection_edge.h"
|
#include "connection_edge.h"
|
||||||
#include "connection_or.h"
|
#include "connection_or.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "geoip.h"
|
#include "geoip.h"
|
||||||
#include "hs_cache.h"
|
#include "hs_cache.h"
|
||||||
#include "main.h"
|
#include "main.h"
|
||||||
|
@ -15,6 +15,8 @@
|
|||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "connection.h"
|
#include "connection.h"
|
||||||
#include "connection_edge.h"
|
#include "connection_edge.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "directory.h"
|
#include "directory.h"
|
||||||
#include "hs_common.h"
|
#include "hs_common.h"
|
||||||
#include "hs_circuit.h"
|
#include "hs_circuit.h"
|
||||||
|
@ -14,6 +14,8 @@
|
|||||||
#include "circuitbuild.h"
|
#include "circuitbuild.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "hs_common.h"
|
#include "hs_common.h"
|
||||||
#include "rendclient.h"
|
#include "rendclient.h"
|
||||||
#include "rendcommon.h"
|
#include "rendcommon.h"
|
||||||
|
@ -16,6 +16,8 @@
|
|||||||
#include "circuituse.h"
|
#include "circuituse.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "directory.h"
|
#include "directory.h"
|
||||||
#include "hs_common.h"
|
#include "hs_common.h"
|
||||||
#include "hs_config.h"
|
#include "hs_config.h"
|
||||||
|
@ -78,6 +78,7 @@
|
|||||||
#include "circuitlist.h"
|
#include "circuitlist.h"
|
||||||
#include "circuituse.h"
|
#include "circuituse.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "networkstatus.h"
|
#include "networkstatus.h"
|
||||||
#include "nodelist.h"
|
#include "nodelist.h"
|
||||||
#include "rephist.h"
|
#include "rephist.h"
|
||||||
|
@ -13,6 +13,8 @@
|
|||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "connection.h"
|
#include "connection.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "crypto_curve25519.h"
|
#include "crypto_curve25519.h"
|
||||||
#include "directory.h"
|
#include "directory.h"
|
||||||
#include "dirserv.h"
|
#include "dirserv.h"
|
||||||
|
@ -16,6 +16,7 @@
|
|||||||
|
|
||||||
#include "or.h"
|
#include "or.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "router.h"
|
#include "router.h"
|
||||||
#include "crypto_pwbox.h"
|
#include "crypto_pwbox.h"
|
||||||
#include "routerkeys.h"
|
#include "routerkeys.h"
|
||||||
|
@ -99,6 +99,7 @@
|
|||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "connection.h"
|
#include "connection.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "directory.h"
|
#include "directory.h"
|
||||||
#include "dirserv.h"
|
#include "dirserv.h"
|
||||||
#include "dirvote.h"
|
#include "dirvote.h"
|
||||||
|
@ -58,6 +58,7 @@
|
|||||||
#include "or.h"
|
#include "or.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "circuitstats.h"
|
#include "circuitstats.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "dirserv.h"
|
#include "dirserv.h"
|
||||||
#include "dirvote.h"
|
#include "dirvote.h"
|
||||||
#include "parsecommon.h"
|
#include "parsecommon.h"
|
||||||
|
@ -91,6 +91,8 @@
|
|||||||
#include "shared_random.h"
|
#include "shared_random.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "confparse.h"
|
#include "confparse.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "dirvote.h"
|
#include "dirvote.h"
|
||||||
#include "networkstatus.h"
|
#include "networkstatus.h"
|
||||||
#include "routerkeys.h"
|
#include "routerkeys.h"
|
||||||
|
@ -14,6 +14,7 @@
|
|||||||
#include "shared_random.h"
|
#include "shared_random.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "confparse.h"
|
#include "confparse.h"
|
||||||
|
#include "crypto_util.h"
|
||||||
#include "dirvote.h"
|
#include "dirvote.h"
|
||||||
#include "networkstatus.h"
|
#include "networkstatus.h"
|
||||||
#include "router.h"
|
#include "router.h"
|
||||||
|
@ -27,7 +27,7 @@
|
|||||||
|
|
||||||
#include "or.h"
|
#include "or.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "crypto.h"
|
#include "crypto_util.h"
|
||||||
#include "torcert.h"
|
#include "torcert.h"
|
||||||
#include "ed25519_cert.h"
|
#include "ed25519_cert.h"
|
||||||
#include "torlog.h"
|
#include "torlog.h"
|
||||||
|
@ -23,6 +23,7 @@
|
|||||||
#include "crypto_curve25519.h"
|
#include "crypto_curve25519.h"
|
||||||
#include "onion_ntor.h"
|
#include "onion_ntor.h"
|
||||||
#include "crypto_ed25519.h"
|
#include "crypto_ed25519.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "consdiff.h"
|
#include "consdiff.h"
|
||||||
|
|
||||||
#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_PROCESS_CPUTIME_ID)
|
#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_PROCESS_CPUTIME_ID)
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
/* See LICENSE for licensing information */
|
/* See LICENSE for licensing information */
|
||||||
|
|
||||||
#include "or.h"
|
#include "or.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "test.h"
|
#include "test.h"
|
||||||
#include "rendcommon.h"
|
#include "rendcommon.h"
|
||||||
#include "rend_test_helpers.h"
|
#include "rend_test_helpers.h"
|
||||||
|
@ -7,7 +7,7 @@
|
|||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
|
|
||||||
#include "crypto.h"
|
#include "crypto_util.h"
|
||||||
#include "compat.h"
|
#include "compat.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@
|
|||||||
|
|
||||||
#include "compat.h"
|
#include "compat.h"
|
||||||
#include "compat_libevent.h"
|
#include "compat_libevent.h"
|
||||||
#include "crypto.h"
|
#include "crypto_rand.h"
|
||||||
#include "timers.h"
|
#include "timers.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
|
|
||||||
|
@ -9,6 +9,7 @@
|
|||||||
**/
|
**/
|
||||||
|
|
||||||
#include "orconfig.h"
|
#include "orconfig.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#ifdef HAVE_FCNTL_H
|
#ifdef HAVE_FCNTL_H
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
/* See LICENSE for licensing information */
|
/* See LICENSE for licensing information */
|
||||||
|
|
||||||
#include "or.h"
|
#include "or.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "address_set.h"
|
#include "address_set.h"
|
||||||
#include "microdesc.h"
|
#include "microdesc.h"
|
||||||
#include "networkstatus.h"
|
#include "networkstatus.h"
|
||||||
|
@ -8,6 +8,7 @@
|
|||||||
#include "or.h"
|
#include "or.h"
|
||||||
#include "buffers.h"
|
#include "buffers.h"
|
||||||
#include "buffers_tls.h"
|
#include "buffers_tls.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "proto_http.h"
|
#include "proto_http.h"
|
||||||
#include "proto_socks.h"
|
#include "proto_socks.h"
|
||||||
#include "test.h"
|
#include "test.h"
|
||||||
|
@ -12,6 +12,7 @@
|
|||||||
#include "connection_edge.h"
|
#include "connection_edge.h"
|
||||||
#include "connection_or.h"
|
#include "connection_or.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "onion.h"
|
#include "onion.h"
|
||||||
#include "onion_tap.h"
|
#include "onion_tap.h"
|
||||||
#include "onion_fast.h"
|
#include "onion_fast.h"
|
||||||
|
@ -12,6 +12,7 @@
|
|||||||
#include "circuitmux_ewma.h"
|
#include "circuitmux_ewma.h"
|
||||||
/* For var_cell_free */
|
/* For var_cell_free */
|
||||||
#include "connection_or.h"
|
#include "connection_or.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
/* For packed_cell stuff */
|
/* For packed_cell stuff */
|
||||||
#define RELAY_PRIVATE
|
#define RELAY_PRIVATE
|
||||||
#include "relay.h"
|
#include "relay.h"
|
||||||
|
@ -9,6 +9,7 @@
|
|||||||
#include "consdiff.h"
|
#include "consdiff.h"
|
||||||
#include "consdiffmgr.h"
|
#include "consdiffmgr.h"
|
||||||
#include "cpuworker.h"
|
#include "cpuworker.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "networkstatus.h"
|
#include "networkstatus.h"
|
||||||
#include "routerparse.h"
|
#include "routerparse.h"
|
||||||
#include "workqueue.h"
|
#include "workqueue.h"
|
||||||
|
@ -5,6 +5,7 @@
|
|||||||
|
|
||||||
#include "orconfig.h"
|
#include "orconfig.h"
|
||||||
#include "or.h"
|
#include "or.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "fp_pair.h"
|
#include "fp_pair.h"
|
||||||
#include "test.h"
|
#include "test.h"
|
||||||
|
|
||||||
|
@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
#include "orconfig.h"
|
#include "orconfig.h"
|
||||||
#define CRYPTO_CURVE25519_PRIVATE
|
#define CRYPTO_CURVE25519_PRIVATE
|
||||||
#define CRYPTO_PRIVATE
|
#define CRYPTO_RAND_PRIVATE
|
||||||
#include "or.h"
|
#include "or.h"
|
||||||
#include "test.h"
|
#include "test.h"
|
||||||
#include "aes.h"
|
#include "aes.h"
|
||||||
@ -13,6 +13,7 @@
|
|||||||
#include "siphash.h"
|
#include "siphash.h"
|
||||||
#include "crypto_curve25519.h"
|
#include "crypto_curve25519.h"
|
||||||
#include "crypto_ed25519.h"
|
#include "crypto_ed25519.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "ed25519_vectors.inc"
|
#include "ed25519_vectors.inc"
|
||||||
|
|
||||||
/** Run unit tests for Diffie-Hellman functionality. */
|
/** Run unit tests for Diffie-Hellman functionality. */
|
||||||
|
@ -5,9 +5,9 @@
|
|||||||
|
|
||||||
#include "orconfig.h"
|
#include "orconfig.h"
|
||||||
|
|
||||||
#define CRYPTO_PRIVATE
|
#define CRYPTO_RAND_PRIVATE
|
||||||
|
|
||||||
#include "crypto.h"
|
#include "crypto_rand.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "util_format.h"
|
#include "util_format.h"
|
||||||
#include "compat.h"
|
#include "compat.h"
|
||||||
|
@ -9,6 +9,7 @@
|
|||||||
#include "test.h"
|
#include "test.h"
|
||||||
#include "crypto_s2k.h"
|
#include "crypto_s2k.h"
|
||||||
#include "crypto_pwbox.h"
|
#include "crypto_pwbox.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
|
|
||||||
#if defined(HAVE_LIBSCRYPT_H) && defined(HAVE_LIBSCRYPT_SCRYPT)
|
#if defined(HAVE_LIBSCRYPT_H) && defined(HAVE_LIBSCRYPT_SCRYPT)
|
||||||
#define HAVE_LIBSCRYPT
|
#define HAVE_LIBSCRYPT
|
||||||
|
@ -23,6 +23,7 @@
|
|||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
#include "crypto_ed25519.h"
|
#include "crypto_ed25519.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "directory.h"
|
#include "directory.h"
|
||||||
#include "dirserv.h"
|
#include "dirserv.h"
|
||||||
#include "dirvote.h"
|
#include "dirvote.h"
|
||||||
|
@ -8,6 +8,7 @@
|
|||||||
#include "or.h"
|
#include "or.h"
|
||||||
#include "dos.h"
|
#include "dos.h"
|
||||||
#include "circuitlist.h"
|
#include "circuitlist.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "geoip.h"
|
#include "geoip.h"
|
||||||
#include "channel.h"
|
#include "channel.h"
|
||||||
#include "microdesc.h"
|
#include "microdesc.h"
|
||||||
|
@ -16,6 +16,7 @@
|
|||||||
#include "circuitlist.h"
|
#include "circuitlist.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "confparse.h"
|
#include "confparse.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "directory.h"
|
#include "directory.h"
|
||||||
#include "entrynodes.h"
|
#include "entrynodes.h"
|
||||||
#include "nodelist.h"
|
#include "nodelist.h"
|
||||||
|
@ -10,6 +10,7 @@
|
|||||||
#include "connection_or.h"
|
#include "connection_or.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "ext_orport.h"
|
#include "ext_orport.h"
|
||||||
#include "main.h"
|
#include "main.h"
|
||||||
#include "test.h"
|
#include "test.h"
|
||||||
|
@ -18,6 +18,7 @@
|
|||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "confparse.h"
|
#include "confparse.h"
|
||||||
#include "connection.h"
|
#include "connection.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "main.h"
|
#include "main.h"
|
||||||
#include "nodelist.h"
|
#include "nodelist.h"
|
||||||
#include "relay.h"
|
#include "relay.h"
|
||||||
|
@ -14,6 +14,7 @@
|
|||||||
#include "log_test_helpers.h"
|
#include "log_test_helpers.h"
|
||||||
|
|
||||||
#include "crypto_ed25519.h"
|
#include "crypto_ed25519.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "hs_cell.h"
|
#include "hs_cell.h"
|
||||||
#include "hs_intropoint.h"
|
#include "hs_intropoint.h"
|
||||||
#include "hs_service.h"
|
#include "hs_service.h"
|
||||||
|
@ -17,6 +17,7 @@
|
|||||||
#include "hs_test_helpers.h"
|
#include "hs_test_helpers.h"
|
||||||
|
|
||||||
#include "connection_edge.h"
|
#include "connection_edge.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "hs_common.h"
|
#include "hs_common.h"
|
||||||
#include "hs_client.h"
|
#include "hs_client.h"
|
||||||
#include "hs_service.h"
|
#include "hs_service.h"
|
||||||
|
@ -10,6 +10,7 @@
|
|||||||
|
|
||||||
#include "crypto_ed25519.h"
|
#include "crypto_ed25519.h"
|
||||||
#include "crypto_digest.h"
|
#include "crypto_digest.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "ed25519_cert.h"
|
#include "ed25519_cert.h"
|
||||||
#include "or.h"
|
#include "or.h"
|
||||||
#include "hs_descriptor.h"
|
#include "hs_descriptor.h"
|
||||||
|
@ -13,7 +13,7 @@
|
|||||||
|
|
||||||
#include "test.h"
|
#include "test.h"
|
||||||
#include "log_test_helpers.h"
|
#include "log_test_helpers.h"
|
||||||
#include "crypto.h"
|
#include "crypto_rand.h"
|
||||||
|
|
||||||
#include "or.h"
|
#include "or.h"
|
||||||
#include "circuitlist.h"
|
#include "circuitlist.h"
|
||||||
|
@ -33,7 +33,7 @@
|
|||||||
#include "circuitbuild.h"
|
#include "circuitbuild.h"
|
||||||
#include "circuitlist.h"
|
#include "circuitlist.h"
|
||||||
#include "circuituse.h"
|
#include "circuituse.h"
|
||||||
#include "crypto.h"
|
#include "crypto_rand.h"
|
||||||
#include "dirvote.h"
|
#include "dirvote.h"
|
||||||
#include "networkstatus.h"
|
#include "networkstatus.h"
|
||||||
#include "nodelist.h"
|
#include "nodelist.h"
|
||||||
|
@ -7,6 +7,7 @@
|
|||||||
**/
|
**/
|
||||||
|
|
||||||
#include "or.h"
|
#include "or.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "networkstatus.h"
|
#include "networkstatus.h"
|
||||||
#include "nodelist.h"
|
#include "nodelist.h"
|
||||||
#include "torcert.h"
|
#include "torcert.h"
|
||||||
|
@ -13,6 +13,7 @@
|
|||||||
#include "compat_libevent.h"
|
#include "compat_libevent.h"
|
||||||
#include "connection.h"
|
#include "connection.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "relay.h"
|
#include "relay.h"
|
||||||
#include "test.h"
|
#include "test.h"
|
||||||
#include "test_helpers.h"
|
#include "test_helpers.h"
|
||||||
|
@ -18,6 +18,7 @@
|
|||||||
#include "connection.h"
|
#include "connection.h"
|
||||||
#include "container.h"
|
#include "container.h"
|
||||||
#include "control.h"
|
#include "control.h"
|
||||||
|
#include "crypto_rand.h"
|
||||||
#include "directory.h"
|
#include "directory.h"
|
||||||
#include "dirvote.h"
|
#include "dirvote.h"
|
||||||
#include "entrynodes.h"
|
#include "entrynodes.h"
|
||||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user