Commit Graph

137 Commits

Author SHA1 Message Date
Nick Mathewson
e66b5153bd Extract add-entropy code from crypto_fast_rng to a new function 2019-04-30 11:11:39 -04:00
George Kadianakis
b371ea5b0e Merge branch 'tor-github/pr/761' 2019-04-05 14:52:36 +03:00
Nick Mathewson
1779878f9e Merge remote-tracking branch 'tor-github/pr/752' 2019-04-04 20:39:36 -04:00
Nick Mathewson
027c536598 rename inherit values to avoid conflict with system defines 2019-04-04 12:56:52 -04:00
Nick Mathewson
785c3f84de fast_rng: if noinherit has failed, then check getpid() for bad forks
getpid() can be really expensive sometimes, and it can fail to
detect some kind of fork+prng mistakes, so we need to avoid it if
it's safe to do so.

This patch might slow down fast_prng a lot on any old operating
system that lacks a way to prevent ram from being inherited, AND
requires a syscall for any getpid() calls.  But it should make sure
that we either crash or continue safely on incorrect fork+prng usage
elsewhere in the future.
2019-04-04 12:56:52 -04:00
Nick Mathewson
12205c3cbe Make map_anon expose the result of a noinherit attempt
Previously we did this for tests only, but it's valuable for getting
proper fork behavior in rand_fast.
2019-04-04 12:56:52 -04:00
Nick Mathewson
ab6ad3c040 Drop thread-local fast_rng on fork.
This will cause the child process to construct a new one in a nice
safe way.

Closes ticket 29668; bug not in any released Tor.
2019-04-04 12:56:52 -04:00
George Kadianakis
846d379b50
circpad/prob_distr: Use crypto_fast_rng() instead of the old RNG. 2019-03-22 09:22:54 +10:00
rl1987
5d53862139 Split crypto_digest.c
* Move out code that depends on NSS to crypto_digest_nss.c
* Move out code that depends on OpenSSL to crypto_digest_openssl.c
* Keep the general code that is not specific to any of the above in
  crypto_digest.c
2019-03-02 20:07:05 +02:00
David Goulet
13e93bdfd5 Merge branch 'tor-github/pr/718' 2019-03-01 09:36:23 -05:00
Nick Mathewson
64f594499a Document crypto_fast_rng_one_in_n. 2019-03-01 08:20:54 -05:00
David Goulet
b402a0887f Merge branch 'tor-github/pr/655' 2019-02-26 11:30:44 -05:00
Nick Mathewson
97b9dfe305 Add a convenience macro to get a fast one-in-n calculation 2019-02-20 12:21:05 -05:00
Nick Mathewson
b25cd5cfe1 Implement code to manage a per-thread instance of crypto_fast_rng()
The subsystems API makes this really simple, fortunately.

Closes ticket 29536
2019-02-19 15:36:08 -05:00
David Goulet
6c173d00f5 Merge branch 'tor-github/pr/702' 2019-02-14 11:43:10 -05:00
George Kadianakis
00b073b1bc Merge branch 'maint-0.3.5' 2019-02-14 18:01:07 +02:00
Nick Mathewson
f3cbd6426c Implement a fast aes-ctr prng
This module is currently implemented to use the same technique as
libottery (later used by the bsds' arc4random replacement), using
AES-CTR-256 as its underlying stream cipher.  It's backtracking-
resistant immediately after each call, and prediction-resistant
after a while.

Here's how it works:

We generate psuedorandom bytes using AES-CTR-256.  We generate BUFLEN bytes
at a time.  When we do this, we keep the first SEED_LEN bytes as the key
and the IV for our next invocation of AES_CTR, and yield the remaining
BUFLEN - SEED_LEN bytes to the user as they invoke the PRNG.  As we yield
bytes to the user, we clear them from the buffer.

Every RESEED_AFTER times we refill the buffer, we mix in an additional
SEED_LEN bytes from our strong PRNG into the seed.

If the user ever asks for a huge number of bytes at once, we pull SEED_LEN
bytes from the PRNG and use them with our stream cipher to fill the user's
request.
2019-02-14 09:26:40 -05:00
Nick Mathewson
622a9a8a36 Extract the common body of our random-int functions into a macro
This is the second part of refactoring the random-int-in-range code.
2019-02-14 09:26:40 -05:00
Nick Mathewson
49ec29044d Add more openssl includes to fix no-deprecated compilation
Closes ticket 29026; patch from Mangix.
2019-02-08 08:51:23 -05:00
Nick Mathewson
b9abdcd6bc Fix compilation when openssl is compiled without engine support.
Patch from Mangix. Closes part of ticket 29026.
2019-02-08 08:50:43 -05:00
Nick Mathewson
a49149fc13 Extract numeric CSPRNG functions into a new module.
Some of the code for getting a random value within a range wants to
be shared between crypto_rand() and the new crypto_fast_rng() code.
2019-02-06 22:06:05 -05:00
Nick Mathewson
21d184a184 Remove extraneous #if/#endif wrapper in crypto_rand.c
I don't know how this got here, but this kind of a wrapper only
belongs in a header file.
2019-02-06 22:05:39 -05:00
Nick Mathewson
21dd3ece62 Merge branch 'maint-0.3.5' 2019-01-22 11:55:56 -05:00
Nick Mathewson
9b0dd1ae04 Add a function to compute an XOF in one shot.
Motivation:
  1. It's convenient.
  2. It's all that openssl supports.

Part of 28837.
2019-01-17 12:43:20 -05:00
Nick Mathewson
c393171403 Use openssl's version of sha3 when available.
Part of 28837.
2019-01-17 12:43:20 -05:00
Nick Mathewson
0981ac4c59 Log more messages when failing to decode RSA keys
We log these messages at INFO level, except when we are reading a
private key from a file, in which case we log at WARN.

This fixes a regression from when we re-wrote our PEM code to be
generic between nss and openssl.

Fixes bug 29042, bugfix on 0.3.5.1-alpha.
2019-01-16 14:35:30 -05:00
Nick Mathewson
2f683465d4 Bump copyright date to 2019 2019-01-16 12:33:22 -05:00
Nick Mathewson
efe55b8898 Bump copyright date to 2019. 2019-01-16 12:32:32 -05:00
Nick Mathewson
b169c8c14f Merge remote-tracking branch 'asn-github/adaptive_padding-final' 2019-01-14 14:48:00 -05:00
George Kadianakis
e0e0338dc4 Rename crypto_rand_uint32() -> crypto_rand_u32()
See https://github.com/torproject/tor/pull/624#discussion_r246453777
2019-01-10 13:06:08 +02:00
Nick Mathewson
9ba690e33f Merge branch 'maint-0.3.5' 2019-01-03 09:45:56 -05:00
Nick Mathewson
abdc6aede2 Merge branch 'ticket28851_035_squashed' into maint-0.3.5 2019-01-03 09:45:53 -05:00
Nick Mathewson
b82717b273 Stop re-checking our hardcoded dh parameters on every startup
Closes ticket 28851.
2019-01-03 09:45:43 -05:00
Nick Mathewson
47176eb678 Merge branch 'maint-0.3.5' 2019-01-03 09:44:15 -05:00
George Kadianakis
2ccf326837 Implement and test probability distributions used by WTF-PAD.
This project introduces the prob_distr.c subsystem which implements all the
probability distributions that WTF-PAD needs. It also adds unittests for all of
them.

Code and tests courtesy of Riastradh.

Co-authored-by: Taylor R Campbell <campbell+tor@mumble.net>
Co-authored-by: Mike Perry <mikeperry-git@torproject.org>
2019-01-02 15:25:55 +02:00
Nick Mathewson
041e9235c1 Lower the loop_max constant in curve25519_basepoint_spot_check()
The point of this function is to make sure that the ed25519-based
implementation of curve25519_basepoint() actually works when we
start tor, and use the regular fallback implementation if it
doesn't.  But it accounts for 9% of our startup time in the case
when we have directory information, and I think it's safe to make
the test shorter.  After all, it has yet to find any actual bugs in
curved25519_scalarmult_basepoint_donna() on any platforms.

Closes ticket 28838.
2018-12-13 11:26:09 -05:00
Nick Mathewson
e429e31ad1 Normalize .may_include to always have paths, and paths to include 2018-11-14 16:07:35 -05:00
Nick Mathewson
d000e798ac Merge branch 'maint-0.3.5' 2018-11-13 08:27:29 -05:00
Nick Mathewson
ae4c94bb64 Merge branch 'maint-0.3.4' into maint-0.3.5 2018-11-13 08:27:29 -05:00
Nick Mathewson
c6336727ca Rename subsystem callback functions to make them consistent 2018-11-09 11:12:12 -05:00
Nick Mathewson
cad61f0f6d Move prefork, postfork, and thread-exit hooks into subsys
So far, crypto is the only module that uses them, but others are
likely to do so in the future.
2018-11-05 09:22:02 -05:00
Nick Mathewson
50436ccea4 Add crypto module as a subsystem. 2018-11-05 09:22:02 -05:00
Nick Mathewson
d1d66866b2 Rename a function; it is used to convert a value _From_ le.
We can't use htons()/ntohs() -- those are no-ops on exactly the
wrong platforms.
2018-10-19 08:42:28 -04:00
Nick Mathewson
f8a1dc64f9 Fix a misspelled macro test that was breaking big-endian OPE
Fixes bug 28115; bugfix on 0.3.5.1-alpha.
2018-10-19 08:41:25 -04:00
Nick Mathewson
2dccef0eb4 Merge branch 'bug27772_squashed' 2018-10-14 15:31:52 -04:00
Nick Mathewson
361eaa9931 Merge remote-tracking branch 'public/ticket27856' 2018-10-09 09:04:53 -04:00
Nick Mathewson
58299b2927 Merge remote-tracking branch 'public/bug27728' 2018-10-01 12:06:39 -05:00
Nick Mathewson
9e1a3be064 Prevent duplicate initialization of NSS DH module
Allowing this didn't do any actual harm, since there aren't any
shared structures or leakable objects here.  Still, it's bad style
and might cause trouble in the future.

Closes ticket 27856.
2018-09-27 13:26:47 -04:00
Nick Mathewson
6c739c3fb2 Fix arm compilation with openssl <1.1
Bug 27781; bugfix on 0.3.5.1-alpha.
2018-09-24 11:11:29 -04:00
Nick Mathewson
7ace8d5a61 Assert that some trunnel _new() functions return non-NULL
The trunnel functions are written under the assumption that their
allocators can fail, so GCC LTO thinks they might return NULL.  In
point of fact, they're using tor_malloc() and friends, which can't
fail, but GCC won't necessarily figure that out.

Fixes part of #27772.
2018-09-18 14:43:57 -04:00