mirrors/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2025-02-24 22:58:50 +01:00
Code Issues Projects Releases Wiki Activity

Merge remote-tracking branch 'isis/bug24660_r1'

Browse source
This commit is contained in:
Nick Mathewson 2018-05-03 13:50:18 -04:00
commit c3b7258370
125 changed files with 1308 additions and 735 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/common/address_set.c
View file

@ -15,7 +15,7 @@
#include "address.h"
#include "compat.h"
#include "container.h"
#include "crypto.h"
#include "crypto_rand.h"
#include "util.h"
#include "siphash.h"

1
src/common/aes.c
View file

@ -17,7 +17,6 @@
#endif
#include <openssl/opensslv.h>
#include "crypto.h"
#include "crypto_openssl_mgt.h"
#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)

2
src/common/compat_libevent.c
View file

@ -11,7 +11,7 @@
#define COMPAT_LIBEVENT_PRIVATE
#include "compat_libevent.h"
#include "crypto.h"
#include "crypto_rand.h"
#include "util.h"
#include "torlog.h"

608
src/common/crypto.c
View file

@ -23,22 +23,21 @@
#endif /* defined(_WIN32) */
#define CRYPTO_PRIVATE
#include "crypto.h"
#include "compat_openssl.h"
#include "crypto.h"
#include "crypto_curve25519.h"
#include "crypto_digest.h"
#include "crypto_ed25519.h"
#include "crypto_format.h"
#include "crypto_rand.h"
#include "crypto_rsa.h"
#include "crypto_digest.h"
#include "crypto_util.h"
DISABLE_GCC_WARNING(redundant-decls)
#include <openssl/err.h>
#include <openssl/rsa.h>
#include <openssl/pem.h>
#include <openssl/evp.h>
#include <openssl/engine.h>
#include <openssl/rand.h>
#include <openssl/bn.h>
#include <openssl/dh.h>
#include <openssl/conf.h>
@ -61,12 +60,6 @@ ENABLE_GCC_WARNING(redundant-decls)
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#ifdef HAVE_FCNTL_H
#include <fcntl.h>
#endif
#ifdef HAVE_SYS_FCNTL_H
#include <sys/fcntl.h>
#endif
#ifdef HAVE_SYS_SYSCALL_H
#include <sys/syscall.h>
#endif
@ -85,12 +78,6 @@ ENABLE_GCC_WARNING(redundant-decls)
#include "keccak-tiny/keccak-tiny.h"
/** Longest recognized */
#define MAX_DNS_LABEL_SIZE 63
/** Largest strong entropy request */
#define MAX_STRONGEST_RAND_SIZE 256
/** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
* while we're waiting for the second.*/
struct crypto_dh_t {
@ -163,23 +150,6 @@ try_load_engine(const char *path, const char *engine)
}
#endif /* !defined(DISABLE_ENGINES) */
/** Make sure that openssl is using its default PRNG. Return 1 if we had to
* adjust it; 0 otherwise. */
STATIC int
crypto_force_rand_ssleay(void)
{
RAND_METHOD *default_method;
default_method = RAND_OpenSSL();
if (RAND_get_rand_method() != default_method) {
log_notice(LD_CRYPTO, "It appears that one of our engines has provided "
"a replacement the OpenSSL RNG. Resetting it to the default "
"implementation.");
RAND_set_rand_method(default_method);
return 1;
}
return 0;
}
static int have_seeded_siphash = 0;
/** Set up the siphash key if we haven't already done so. */
@ -1091,576 +1061,6 @@ crypto_dh_free_(crypto_dh_t *dh)
tor_free(dh);
}
/* random numbers */
/** How many bytes of entropy we add at once.
*
* This is how much entropy OpenSSL likes to add right now, so maybe it will
* work for us too. */
#define ADD_ENTROPY 32
/** Set the seed of the weak RNG to a random value. */
void
crypto_seed_weak_rng(tor_weak_rng_t *rng)
{
unsigned seed;
crypto_rand((void*)&seed, sizeof(seed));
tor_init_weak_random(rng, seed);
}
#ifdef TOR_UNIT_TESTS
int break_strongest_rng_syscall = 0;
int break_strongest_rng_fallback = 0;
#endif
/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
* via system calls, storing it into <b>out</b>. Return 0 on success, -1 on
* failure. A maximum request size of 256 bytes is imposed.
*/
static int
crypto_strongest_rand_syscall(uint8_t *out, size_t out_len)
{
tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
/* We only log at notice-level here because in the case that this function
* fails the crypto_strongest_rand_raw() caller will log with a warning-level
* message and let crypto_strongest_rand() error out and finally terminating
* Tor with an assertion error.
*/
#ifdef TOR_UNIT_TESTS
if (break_strongest_rng_syscall)
return -1;
#endif
#if defined(_WIN32)
static int provider_set = 0;
static HCRYPTPROV provider;
if (!provider_set) {
if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
CRYPT_VERIFYCONTEXT)) {
log_notice(LD_CRYPTO, "Unable to set Windows CryptoAPI provider [1].");
return -1;
}
provider_set = 1;
}
if (!CryptGenRandom(provider, out_len, out)) {
log_notice(LD_CRYPTO, "Unable get entropy from the Windows CryptoAPI.");
return -1;
}
return 0;
#elif defined(__linux__) && defined(SYS_getrandom)
static int getrandom_works = 1; /* Be optimistic about our chances... */
/* getrandom() isn't as straightforward as getentropy(), and has
* no glibc wrapper.
*
* As far as I can tell from getrandom(2) and the source code, the
* requests we issue will always succeed (though it will block on the
* call if /dev/urandom isn't seeded yet), since we are NOT specifying
* GRND_NONBLOCK and the request is <= 256 bytes.
*
* The manpage is unclear on what happens if a signal interrupts the call
* while the request is blocked due to lack of entropy....
*
* We optimistically assume that getrandom() is available and functional
* because it is the way of the future, and 2 branch mispredicts pale in
* comparison to the overheads involved with failing to open
* /dev/srandom followed by opening and reading from /dev/urandom.
*/
if (PREDICT_LIKELY(getrandom_works)) {
long ret;
/* A flag of '0' here means to read from '/dev/urandom', and to
* block if insufficient entropy is available to service the
* request.
*/
const unsigned int flags = 0;
do {
ret = syscall(SYS_getrandom, out, out_len, flags);
} while (ret == -1 && ((errno == EINTR) ||(errno == EAGAIN)));
if (PREDICT_UNLIKELY(ret == -1)) {
/* LCOV_EXCL_START we can't actually make the syscall fail in testing. */
tor_assert(errno != EAGAIN);
tor_assert(errno != EINTR);
/* Useful log message for errno. */
if (errno == ENOSYS) {
log_notice(LD_CRYPTO, "Can't get entropy from getrandom()."
" You are running a version of Tor built to support"
" getrandom(), but the kernel doesn't implement this"
" function--probably because it is too old?"
" Trying fallback method instead.");
} else {
log_notice(LD_CRYPTO, "Can't get entropy from getrandom(): %s."
" Trying fallback method instead.",
strerror(errno));
}
getrandom_works = 0; /* Don't bother trying again. */
return -1;
/* LCOV_EXCL_STOP */
}
tor_assert(ret == (long)out_len);
return 0;
}
return -1; /* getrandom() previously failed unexpectedly. */
#elif defined(HAVE_GETENTROPY)
/* getentropy() is what Linux's getrandom() wants to be when it grows up.
* the only gotcha is that requests are limited to 256 bytes.
*/
return getentropy(out, out_len);
#else
(void) out;
#endif /* defined(_WIN32) || ... */
/* This platform doesn't have a supported syscall based random. */
return -1;
}
/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
* via the per-platform fallback mechanism, storing it into <b>out</b>.
* Return 0 on success, -1 on failure. A maximum request size of 256 bytes
* is imposed.
*/
static int
crypto_strongest_rand_fallback(uint8_t *out, size_t out_len)
{
#ifdef TOR_UNIT_TESTS
if (break_strongest_rng_fallback)
return -1;
#endif
#ifdef _WIN32
/* Windows exclusively uses crypto_strongest_rand_syscall(). */
(void)out;
(void)out_len;
return -1;
#else /* !(defined(_WIN32)) */
static const char *filenames[] = {
"/dev/srandom", "/dev/urandom", "/dev/random", NULL
};
int fd, i;
size_t n;
for (i = 0; filenames[i]; ++i) {
log_debug(LD_FS, "Considering %s as entropy source", filenames[i]);
fd = open(sandbox_intern_string(filenames[i]), O_RDONLY, 0);
if (fd<0) continue;
log_info(LD_CRYPTO, "Reading entropy from \"%s\"", filenames[i]);
n = read_all(fd, (char*)out, out_len, 0);
close(fd);
if (n != out_len) {
/* LCOV_EXCL_START
* We can't make /dev/foorandom actually fail. */
log_notice(LD_CRYPTO,
"Error reading from entropy source %s (read only %lu bytes).",
filenames[i],
(unsigned long)n);
return -1;
/* LCOV_EXCL_STOP */
}
return 0;
}
return -1;
#endif /* defined(_WIN32) */
}
/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
* storing it into <b>out</b>. Return 0 on success, -1 on failure. A maximum
* request size of 256 bytes is imposed.
*/
STATIC int
crypto_strongest_rand_raw(uint8_t *out, size_t out_len)
{
static const size_t sanity_min_size = 16;
static const int max_attempts = 3;
tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
/* For buffers >= 16 bytes (128 bits), we sanity check the output by
* zero filling the buffer and ensuring that it actually was at least
* partially modified.
*
* Checking that any individual byte is non-zero seems like it would
* fail too often (p = out_len * 1/256) for comfort, but this is an
* "adjust according to taste" sort of check.
*/
memwipe(out, 0, out_len);
for (int i = 0; i < max_attempts; i++) {
/* Try to use the syscall/OS favored mechanism to get strong entropy. */
if (crypto_strongest_rand_syscall(out, out_len) != 0) {
/* Try to use the less-favored mechanism to get strong entropy. */
if (crypto_strongest_rand_fallback(out, out_len) != 0) {
/* Welp, we tried. Hopefully the calling code terminates the process
* since we're basically boned without good entropy.
*/
log_warn(LD_CRYPTO,
"Cannot get strong entropy: no entropy source found.");
return -1;
}
}
if ((out_len < sanity_min_size) || !tor_mem_is_zero((char*)out, out_len))
return 0;
}
/* LCOV_EXCL_START
*
* We tried max_attempts times to fill a buffer >= 128 bits long,
* and each time it returned all '0's. Either the system entropy
* source is busted, or the user should go out and buy a ticket to
* every lottery on the planet.
*/
log_warn(LD_CRYPTO, "Strong OS entropy returned all zero buffer.");
return -1;
/* LCOV_EXCL_STOP */
}
/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
* storing it into <b>out</b>.
*/
void
crypto_strongest_rand(uint8_t *out, size_t out_len)
{
#define DLEN SHA512_DIGEST_LENGTH
/* We're going to hash DLEN bytes from the system RNG together with some
* bytes from the openssl PRNG, in order to yield DLEN bytes.
*/
uint8_t inp[DLEN*2];
uint8_t tmp[DLEN];
tor_assert(out);
while (out_len) {
crypto_rand((char*) inp, DLEN);
if (crypto_strongest_rand_raw(inp+DLEN, DLEN) < 0) {
// LCOV_EXCL_START
log_err(LD_CRYPTO, "Failed to load strong entropy when generating an "
"important key. Exiting.");
/* Die with an assertion so we get a stack trace. */
tor_assert(0);
// LCOV_EXCL_STOP
}
if (out_len >= DLEN) {
SHA512(inp, sizeof(inp), out);
out += DLEN;
out_len -= DLEN;
} else {
SHA512(inp, sizeof(inp), tmp);
memcpy(out, tmp, out_len);
break;
}
}
memwipe(tmp, 0, sizeof(tmp));
memwipe(inp, 0, sizeof(inp));
#undef DLEN
}
/** Seed OpenSSL's random number generator with bytes from the operating
* system. Return 0 on success, -1 on failure.
*/
int
crypto_seed_rng(void)
{
int rand_poll_ok = 0, load_entropy_ok = 0;
uint8_t buf[ADD_ENTROPY];
/* OpenSSL has a RAND_poll function that knows about more kinds of
* entropy than we do. We'll try calling that, *and* calling our own entropy
* functions. If one succeeds, we'll accept the RNG as seeded. */
rand_poll_ok = RAND_poll();
if (rand_poll_ok == 0)
log_warn(LD_CRYPTO, "RAND_poll() failed."); // LCOV_EXCL_LINE
load_entropy_ok = !crypto_strongest_rand_raw(buf, sizeof(buf));
if (load_entropy_ok) {
RAND_seed(buf, sizeof(buf));
}
memwipe(buf, 0, sizeof(buf));
if ((rand_poll_ok || load_entropy_ok) && RAND_status() == 1)
return 0;
else
return -1;
}
/** Write <b>n</b> bytes of strong random data to <b>to</b>. Supports mocking
* for unit tests.
*
* This function is not allowed to fail; if it would fail to generate strong
* entropy, it must terminate the process instead.
*/
MOCK_IMPL(void,
crypto_rand, (char *to, size_t n))
{
crypto_rand_unmocked(to, n);
}
/** Write <b>n</b> bytes of strong random data to <b>to</b>. Most callers
* will want crypto_rand instead.
*
* This function is not allowed to fail; if it would fail to generate strong
* entropy, it must terminate the process instead.
*/
void
crypto_rand_unmocked(char *to, size_t n)
{
int r;
if (n == 0)
return;
tor_assert(n < INT_MAX);
tor_assert(to);
r = RAND_bytes((unsigned char*)to, (int)n);
/* We consider a PRNG failure non-survivable. Let's assert so that we get a
* stack trace about where it happened.
*/
tor_assert(r >= 0);
}
/** Return a pseudorandom integer, chosen uniformly from the values
* between 0 and <b>max</b>-1 inclusive. <b>max</b> must be between 1 and
* INT_MAX+1, inclusive. */
int
crypto_rand_int(unsigned int max)
{
unsigned int val;
unsigned int cutoff;
tor_assert(max <= ((unsigned int)INT_MAX)+1);
tor_assert(max > 0); /* don't div by 0 */
/* We ignore any values that are >= 'cutoff,' to avoid biasing the
* distribution with clipping at the upper end of unsigned int's
* range.
*/
cutoff = UINT_MAX - (UINT_MAX%max);
while (1) {
crypto_rand((char*)&val, sizeof(val));
if (val < cutoff)
return val % max;
}
}
/** Return a pseudorandom integer, chosen uniformly from the values i such
* that min <= i < max.
*
* <b>min</b> MUST be in range [0, <b>max</b>).
* <b>max</b> MUST be in range (min, INT_MAX].
*/
int
crypto_rand_int_range(unsigned int min, unsigned int max)
{
tor_assert(min < max);
tor_assert(max <= INT_MAX);
/* The overflow is avoided here because crypto_rand_int() returns a value
* between 0 and (max - min) inclusive. */
return min + crypto_rand_int(max - min);
}
/** As crypto_rand_int_range, but supports uint64_t. */
uint64_t
crypto_rand_uint64_range(uint64_t min, uint64_t max)
{
tor_assert(min < max);
return min + crypto_rand_uint64(max - min);
}
/** As crypto_rand_int_range, but supports time_t. */
time_t
crypto_rand_time_range(time_t min, time_t max)
{
tor_assert(min < max);
return min + (time_t)crypto_rand_uint64(max - min);
}
/** Return a pseudorandom 64-bit integer, chosen uniformly from the values
* between 0 and <b>max</b>-1 inclusive. */
uint64_t
crypto_rand_uint64(uint64_t max)
{
uint64_t val;
uint64_t cutoff;
tor_assert(max < UINT64_MAX);
tor_assert(max > 0); /* don't div by 0 */
/* We ignore any values that are >= 'cutoff,' to avoid biasing the
* distribution with clipping at the upper end of unsigned int's
* range.
*/
cutoff = UINT64_MAX - (UINT64_MAX%max);
while (1) {
crypto_rand((char*)&val, sizeof(val));
if (val < cutoff)
return val % max;
}
}
/** Return a pseudorandom double d, chosen uniformly from the range
* 0.0 <= d < 1.0.
*/
double
crypto_rand_double(void)
{
/* We just use an unsigned int here; we don't really care about getting
* more than 32 bits of resolution */
unsigned int u;
crypto_rand((char*)&u, sizeof(u));
#if SIZEOF_INT == 4
#define UINT_MAX_AS_DOUBLE 4294967296.0
#elif SIZEOF_INT == 8
#define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
#else
#error SIZEOF_INT is neither 4 nor 8
#endif /* SIZEOF_INT == 4 || ... */
return ((double)u) / UINT_MAX_AS_DOUBLE;
}
/** Generate and return a new random hostname starting with <b>prefix</b>,
* ending with <b>suffix</b>, and containing no fewer than
* <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
* characters. Does not check for failure.
*
* Clip <b>max_rand_len</b> to MAX_DNS_LABEL_SIZE.
**/
char *
crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix,
const char *suffix)
{
char *result, *rand_bytes;
int randlen, rand_bytes_len;
size_t resultlen, prefixlen;
if (max_rand_len > MAX_DNS_LABEL_SIZE)
max_rand_len = MAX_DNS_LABEL_SIZE;
if (min_rand_len > max_rand_len)
min_rand_len = max_rand_len;
randlen = crypto_rand_int_range(min_rand_len, max_rand_len+1);
prefixlen = strlen(prefix);
resultlen = prefixlen + strlen(suffix) + randlen + 16;
rand_bytes_len = ((randlen*5)+7)/8;
if (rand_bytes_len % 5)
rand_bytes_len += 5 - (rand_bytes_len%5);
rand_bytes = tor_malloc(rand_bytes_len);
crypto_rand(rand_bytes, rand_bytes_len);
result = tor_malloc(resultlen);
memcpy(result, prefix, prefixlen);
base32_encode(result+prefixlen, resultlen-prefixlen,
rand_bytes, rand_bytes_len);
tor_free(rand_bytes);
strlcpy(result+prefixlen+randlen, suffix, resultlen-(prefixlen+randlen));
return result;
}
/** Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
* is empty. */
void *
smartlist_choose(const smartlist_t *sl)
{
int len = smartlist_len(sl);
if (len)
return smartlist_get(sl,crypto_rand_int(len));
return NULL; /* no elements to choose from */
}
/** Scramble the elements of <b>sl</b> into a random order. */
void
smartlist_shuffle(smartlist_t *sl)
{
int i;
/* From the end of the list to the front, choose at random from the
positions we haven't looked at yet, and swap that position into the
current position. Remember to give "no swap" the same probability as
any other swap. */
for (i = smartlist_len(sl)-1; i > 0; --i) {
int j = crypto_rand_int(i+1);
smartlist_swap(sl, i, j);
}
}
/**
* Destroy the <b>sz</b> bytes of data stored at <b>mem</b>, setting them to
* the value <b>byte</b>.
* If <b>mem</b> is NULL or <b>sz</b> is zero, nothing happens.
*
* This function is preferable to memset, since many compilers will happily
* optimize out memset() when they can convince themselves that the data being
* cleared will never be read.
*
* Right now, our convention is to use this function when we are wiping data
* that's about to become inaccessible, such as stack buffers that are about
* to go out of scope or structures that are about to get freed. (In
* practice, it appears that the compilers we're currently using will optimize
* out the memset()s for stack-allocated buffers, but not those for
* about-to-be-freed structures. That could change, though, so we're being
* wary.) If there are live reads for the data, then you can just use
* memset().
*/
void
memwipe(void *mem, uint8_t byte, size_t sz)
{
if (sz == 0) {
return;
}
/* If sz is nonzero, then mem must not be NULL. */
tor_assert(mem != NULL);
/* Data this large is likely to be an underflow. */
tor_assert(sz < SIZE_T_CEILING);
/* Because whole-program-optimization exists, we may not be able to just
* have this function call "memset". A smart compiler could inline it, then
* eliminate dead memsets, and declare itself to be clever. */
#if defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY)
/* Here's what you do on windows. */
SecureZeroMemory(mem,sz);
#elif defined(HAVE_RTLSECUREZEROMEMORY)
RtlSecureZeroMemory(mem,sz);
#elif defined(HAVE_EXPLICIT_BZERO)
/* The BSDs provide this. */
explicit_bzero(mem, sz);
#elif defined(HAVE_MEMSET_S)
/* This is in the C99 standard. */
memset_s(mem, sz, 0, sz);
#else
/* This is a slow and ugly function from OpenSSL that fills 'mem' with junk
* based on the pointer value, then uses that junk to update a global
* variable. It's an elaborate ruse to trick the compiler into not
* optimizing out the "wipe this memory" code. Read it if you like zany
* programming tricks! In later versions of Tor, we should look for better
* not-optimized-out memory wiping stuff...
*
* ...or maybe not. In practice, there are pure-asm implementations of
* OPENSSL_cleanse() on most platforms, which ought to do the job.
**/
OPENSSL_cleanse(mem, sz);
#endif /* defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY) || ... */
/* Just in case some caller of memwipe() is relying on getting a buffer
* filled with a particular value, fill the buffer.
*
* If this function gets inlined, this memset might get eliminated, but
* that's okay: We only care about this particular memset in the case where
* the caller should have been using memset(), and the memset() wouldn't get
* eliminated. In other words, this is here so that we won't break anything
* if somebody accidentally calls memwipe() instead of memset().
**/
memset(mem, byte, sz);
}
/** @{ */
/** Uninitialize the crypto library. Return 0 on success. Does not detect
* failure.

40
src/common/crypto.h
View file

@ -17,13 +17,10 @@
#include <stdio.h>
#include "torint.h"
#include "testsupport.h"
#include "compat.h"
#include "util.h"
#include "crypto_rsa.h"
#include "keccak-tiny/keccak-tiny.h"
/** Length of our symmetric cipher's keys of 128-bit. */
#define CIPHER_KEY_LEN 16
/** Length of our symmetric cipher's IV of 128-bit. */
@ -41,6 +38,7 @@ typedef struct aes_cnt_cipher crypto_cipher_t;
typedef struct crypto_dh_t crypto_dh_t;
/* global state */
int crypto_init_siphash_key(void);
int crypto_early_init(void) ATTR_WUR;
int crypto_global_init(int hardwareAccel,
const char *accelName,
@ -105,31 +103,6 @@ int crypto_expand_key_material_rfc5869_sha256(
const uint8_t *info_in, size_t info_in_len,
uint8_t *key_out, size_t key_out_len);
/* random numbers */
int crypto_seed_rng(void) ATTR_WUR;
MOCK_DECL(void,crypto_rand,(char *to, size_t n));
void crypto_rand_unmocked(char *to, size_t n);
void crypto_strongest_rand(uint8_t *out, size_t out_len);
int crypto_rand_int(unsigned int max);
int crypto_rand_int_range(unsigned int min, unsigned int max);
uint64_t crypto_rand_uint64_range(uint64_t min, uint64_t max);
time_t crypto_rand_time_range(time_t min, time_t max);
uint64_t crypto_rand_uint64(uint64_t max);
double crypto_rand_double(void);
struct tor_weak_rng_t;
void crypto_seed_weak_rng(struct tor_weak_rng_t *rng);
int crypto_init_siphash_key(void);
char *crypto_random_hostname(int min_rand_len, int max_rand_len,
const char *prefix, const char *suffix);
struct smartlist_t;
void *smartlist_choose(const struct smartlist_t *sl);
void smartlist_shuffle(struct smartlist_t *sl);
/** OpenSSL-based utility functions. */
void memwipe(void *mem, uint8_t byte, size_t sz);
/* Prototypes for private functions only used by tortls.c, crypto.c, and the
* unit tests. */
struct dh_st;
@ -137,16 +110,5 @@ struct dh_st *crypto_dh_get_dh_(crypto_dh_t *dh);
void crypto_add_spaces_to_fp(char *out, size_t outlen, const char *in);
#ifdef CRYPTO_PRIVATE
STATIC int crypto_force_rand_ssleay(void);
STATIC int crypto_strongest_rand_raw(uint8_t *out, size_t out_len);
#ifdef TOR_UNIT_TESTS
extern int break_strongest_rng_syscall;
extern int break_strongest_rng_fallback;
#endif
#endif /* defined(CRYPTO_PRIVATE) */
#endif /* !defined(TOR_CRYPTO_H) */

5
src/common/crypto_curve25519.c
View file

@ -21,10 +21,11 @@
#include <sys/stat.h>
#endif
#include "container.h"
#include "crypto.h"
#include "crypto_curve25519.h"
#include "crypto_format.h"
#include "crypto_digest.h"
#include "crypto_format.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "util.h"
#include "torlog.h"

9
src/common/crypto_digest.c
View file

@ -10,10 +10,13 @@
* operations.
**/
#include "container.h"
#include "crypto_digest.h"
#include "crypto.h" /* common functions */
#include "crypto_openssl_mgt.h"
#include "crypto_util.h"
#include "torlog.h"
#include "keccak-tiny/keccak-tiny.h"
DISABLE_GCC_WARNING(redundant-decls)
@ -22,8 +25,6 @@ DISABLE_GCC_WARNING(redundant-decls)
ENABLE_GCC_WARNING(redundant-decls)
#include "container.h"
/* Crypto digest functions */
/** Compute the SHA1 digest of the <b>len</b> bytes on data stored in

6
src/common/crypto_ed25519.c
View file

@ -21,12 +21,12 @@
#include <sys/stat.h>
#endif
#include "crypto.h"
#include "crypto_digest.h"
#include "crypto_curve25519.h"
#include "crypto_digest.h"
#include "crypto_ed25519.h"
#include "crypto_format.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "torlog.h"
#include "util.h"
#include "util_format.h"

4
src/common/crypto_format.c
View file

@ -15,11 +15,11 @@
#include <sys/stat.h>
#endif
#include "container.h"
#include "crypto.h"
#include "crypto_curve25519.h"
#include "crypto_digest.h"
#include "crypto_ed25519.h"
#include "crypto_format.h"
#include "crypto_digest.h"
#include "crypto_util.h"
#include "util.h"
#include "util_format.h"
#include "torlog.h"

6
src/common/crypto_pwbox.c
View file

@ -9,9 +9,11 @@
*/
#include "crypto.h"
#include "crypto_s2k.h"
#include "crypto_pwbox.h"
#include "crypto_digest.h"
#include "crypto_pwbox.h"
#include "crypto_rand.h"
#include "crypto_s2k.h"
#include "crypto_util.h"
#include "di_ops.h"
#include "util.h"
#include "pwbox.h"

609
src/common/crypto_rand.c Normal file
View file

@ -0,0 +1,609 @@
/* Copyright (c) 2001, Matej Pfajfar.
* Copyright (c) 2001-2004, Roger Dingledine.
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
* Copyright (c) 2007-2018, The Tor Project, Inc. */
/* See LICENSE for licensing information */
/**
* \file crypto_rand.c
*
* \brief Functions for initialising and seeding (pseudo-)random
* number generators, and working with randomness.
**/
#ifndef CRYPTO_RAND_PRIVATE
#define CRYPTO_RAND_PRIVATE
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#endif /* defined(_WIN32) */
#include "crypto_rand.h"
#include "container.h"
#include "compat.h"
#include "compat_openssl.h"
#include "crypto_util.h"
#include "sandbox.h"
#include "testsupport.h"
#include "torlog.h"
#include "util.h"
#include "util_format.h"
DISABLE_GCC_WARNING(redundant-decls)
#include <openssl/rand.h>
ENABLE_GCC_WARNING(redundant-decls)
#if __GNUC__ && GCC_VERSION >= 402
#if GCC_VERSION >= 406
#pragma GCC diagnostic pop
#else
#pragma GCC diagnostic warning "-Wredundant-decls"
#endif
#endif /* __GNUC__ && GCC_VERSION >= 402 */
#ifdef HAVE_FCNTL_H
#include <fcntl.h>
#endif
#ifdef HAVE_SYS_FCNTL_H
#include <sys/fcntl.h>
#endif
#ifdef HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
/**
* How many bytes of entropy we add at once.
*
* This is how much entropy OpenSSL likes to add right now, so maybe it will
* work for us too.
**/
#define ADD_ENTROPY 32
/**
* Longest recognized DNS query.
**/
#define MAX_DNS_LABEL_SIZE 63
/**
* Largest strong entropy request permitted.
**/
#define MAX_STRONGEST_RAND_SIZE 256
/**
* Set the seed of the weak RNG to a random value.
**/
void
crypto_seed_weak_rng(tor_weak_rng_t *rng)
{
unsigned seed;
crypto_rand((void*)&seed, sizeof(seed));
tor_init_weak_random(rng, seed);
}
#ifdef TOR_UNIT_TESTS
int break_strongest_rng_syscall = 0;
int break_strongest_rng_fallback = 0;
#endif
/**
* Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
* via system calls, storing it into <b>out</b>. Return 0 on success, -1 on
* failure. A maximum request size of 256 bytes is imposed.
**/
static int
crypto_strongest_rand_syscall(uint8_t *out, size_t out_len)
{
tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
/* We only log at notice-level here because in the case that this function
* fails the crypto_strongest_rand_raw() caller will log with a warning-level
* message and let crypto_strongest_rand() error out and finally terminating
* Tor with an assertion error.
*/
#ifdef TOR_UNIT_TESTS
if (break_strongest_rng_syscall)
return -1;
#endif
#if defined(_WIN32)
static int provider_set = 0;
static HCRYPTPROV provider;
if (!provider_set) {
if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
CRYPT_VERIFYCONTEXT)) {
log_notice(LD_CRYPTO, "Unable to set Windows CryptoAPI provider [1].");
return -1;
}
provider_set = 1;
}
if (!CryptGenRandom(provider, out_len, out)) {
log_notice(LD_CRYPTO, "Unable get entropy from the Windows CryptoAPI.");
return -1;
}
return 0;
#elif defined(__linux__) && defined(SYS_getrandom)
static int getrandom_works = 1; /* Be optimistic about our chances... */
/* getrandom() isn't as straightforward as getentropy(), and has
* no glibc wrapper.
*
* As far as I can tell from getrandom(2) and the source code, the
* requests we issue will always succeed (though it will block on the
* call if /dev/urandom isn't seeded yet), since we are NOT specifying
* GRND_NONBLOCK and the request is <= 256 bytes.
*
* The manpage is unclear on what happens if a signal interrupts the call
* while the request is blocked due to lack of entropy....
*
* We optimistically assume that getrandom() is available and functional
* because it is the way of the future, and 2 branch mispredicts pale in
* comparison to the overheads involved with failing to open
* /dev/srandom followed by opening and reading from /dev/urandom.
*/
if (PREDICT_LIKELY(getrandom_works)) {
long ret;
/* A flag of '0' here means to read from '/dev/urandom', and to
* block if insufficient entropy is available to service the
* request.
*/
const unsigned int flags = 0;
do {
ret = syscall(SYS_getrandom, out, out_len, flags);
} while (ret == -1 && ((errno == EINTR) ||(errno == EAGAIN)));
if (PREDICT_UNLIKELY(ret == -1)) {
/* LCOV_EXCL_START we can't actually make the syscall fail in testing. */
tor_assert(errno != EAGAIN);
tor_assert(errno != EINTR);
/* Useful log message for errno. */
if (errno == ENOSYS) {
log_notice(LD_CRYPTO, "Can't get entropy from getrandom()."
" You are running a version of Tor built to support"
" getrandom(), but the kernel doesn't implement this"
" function--probably because it is too old?"
" Trying fallback method instead.");
} else {
log_notice(LD_CRYPTO, "Can't get entropy from getrandom(): %s."
" Trying fallback method instead.",
strerror(errno));
}
getrandom_works = 0; /* Don't bother trying again. */
return -1;
/* LCOV_EXCL_STOP */
}
tor_assert(ret == (long)out_len);
return 0;
}
return -1; /* getrandom() previously failed unexpectedly. */
#elif defined(HAVE_GETENTROPY)
/* getentropy() is what Linux's getrandom() wants to be when it grows up.
* the only gotcha is that requests are limited to 256 bytes.
*/
return getentropy(out, out_len);
#else
(void) out;
#endif /* defined(_WIN32) || ... */
/* This platform doesn't have a supported syscall based random. */
return -1;
}
/**
* Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
* via the per-platform fallback mechanism, storing it into <b>out</b>.
* Return 0 on success, -1 on failure. A maximum request size of 256 bytes
* is imposed.
**/
static int
crypto_strongest_rand_fallback(uint8_t *out, size_t out_len)
{
#ifdef TOR_UNIT_TESTS
if (break_strongest_rng_fallback)
return -1;
#endif
#ifdef _WIN32
/* Windows exclusively uses crypto_strongest_rand_syscall(). */
(void)out;
(void)out_len;
return -1;
#else /* !(defined(_WIN32)) */
static const char *filenames[] = {
"/dev/srandom", "/dev/urandom", "/dev/random", NULL
};
int fd, i;
size_t n;
for (i = 0; filenames[i]; ++i) {
log_debug(LD_FS, "Considering %s as entropy source", filenames[i]);
fd = open(sandbox_intern_string(filenames[i]), O_RDONLY, 0);
if (fd<0) continue;
log_info(LD_CRYPTO, "Reading entropy from \"%s\"", filenames[i]);
n = read_all(fd, (char*)out, out_len, 0);
close(fd);
if (n != out_len) {
/* LCOV_EXCL_START
* We can't make /dev/foorandom actually fail. */
log_notice(LD_CRYPTO,
"Error reading from entropy source %s (read only %lu bytes).",
filenames[i],
(unsigned long)n);
return -1;
/* LCOV_EXCL_STOP */
}
return 0;
}
return -1;
#endif /* defined(_WIN32) */
}
/**
* Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
* storing it into <b>out</b>. Return 0 on success, -1 on failure. A maximum
* request size of 256 bytes is imposed.
**/
STATIC int
crypto_strongest_rand_raw(uint8_t *out, size_t out_len)
{
static const size_t sanity_min_size = 16;
static const int max_attempts = 3;
tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
/* For buffers >= 16 bytes (128 bits), we sanity check the output by
* zero filling the buffer and ensuring that it actually was at least
* partially modified.
*
* Checking that any individual byte is non-zero seems like it would
* fail too often (p = out_len * 1/256) for comfort, but this is an
* "adjust according to taste" sort of check.
*/
memwipe(out, 0, out_len);
for (int i = 0; i < max_attempts; i++) {
/* Try to use the syscall/OS favored mechanism to get strong entropy. */
if (crypto_strongest_rand_syscall(out, out_len) != 0) {
/* Try to use the less-favored mechanism to get strong entropy. */
if (crypto_strongest_rand_fallback(out, out_len) != 0) {
/* Welp, we tried. Hopefully the calling code terminates the process
* since we're basically boned without good entropy.
*/
log_warn(LD_CRYPTO,
"Cannot get strong entropy: no entropy source found.");
return -1;
}
}
if ((out_len < sanity_min_size) || !tor_mem_is_zero((char*)out, out_len))
return 0;
}
/* LCOV_EXCL_START
*
* We tried max_attempts times to fill a buffer >= 128 bits long,
* and each time it returned all '0's. Either the system entropy
* source is busted, or the user should go out and buy a ticket to
* every lottery on the planet.
*/
log_warn(LD_CRYPTO, "Strong OS entropy returned all zero buffer.");
return -1;
/* LCOV_EXCL_STOP */
}
/**
* Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
* storing it into <b>out</b>.
**/
void
crypto_strongest_rand(uint8_t *out, size_t out_len)
{
#define DLEN SHA512_DIGEST_LENGTH
/* We're going to hash DLEN bytes from the system RNG together with some
* bytes from the openssl PRNG, in order to yield DLEN bytes.
*/
uint8_t inp[DLEN*2];
uint8_t tmp[DLEN];
tor_assert(out);
while (out_len) {
crypto_rand((char*) inp, DLEN);
if (crypto_strongest_rand_raw(inp+DLEN, DLEN) < 0) {
// LCOV_EXCL_START
log_err(LD_CRYPTO, "Failed to load strong entropy when generating an "
"important key. Exiting.");
/* Die with an assertion so we get a stack trace. */
tor_assert(0);
// LCOV_EXCL_STOP
}
if (out_len >= DLEN) {
SHA512(inp, sizeof(inp), out);
out += DLEN;
out_len -= DLEN;
} else {
SHA512(inp, sizeof(inp), tmp);
memcpy(out, tmp, out_len);
break;
}
}
memwipe(tmp, 0, sizeof(tmp));
memwipe(inp, 0, sizeof(inp));
#undef DLEN
}
/**
* Seed OpenSSL's random number generator with bytes from the operating
* system. Return 0 on success, -1 on failure.
**/
int
crypto_seed_rng(void)
{
int rand_poll_ok = 0, load_entropy_ok = 0;
uint8_t buf[ADD_ENTROPY];
/* OpenSSL has a RAND_poll function that knows about more kinds of
* entropy than we do. We'll try calling that, *and* calling our own entropy
* functions. If one succeeds, we'll accept the RNG as seeded. */
rand_poll_ok = RAND_poll();
if (rand_poll_ok == 0)
log_warn(LD_CRYPTO, "RAND_poll() failed."); // LCOV_EXCL_LINE
load_entropy_ok = !crypto_strongest_rand_raw(buf, sizeof(buf));
if (load_entropy_ok) {
RAND_seed(buf, sizeof(buf));
}
memwipe(buf, 0, sizeof(buf));
if ((rand_poll_ok || load_entropy_ok) && RAND_status() == 1)
return 0;
else
return -1;
}
/**
* Write <b>n</b> bytes of strong random data to <b>to</b>. Supports mocking
* for unit tests.
*
* This function is not allowed to fail; if it would fail to generate strong
* entropy, it must terminate the process instead.
**/
MOCK_IMPL(void,
crypto_rand, (char *to, size_t n))
{
crypto_rand_unmocked(to, n);
}
/**
* Write <b>n</b> bytes of strong random data to <b>to</b>. Most callers
* will want crypto_rand instead.
*
* This function is not allowed to fail; if it would fail to generate strong
* entropy, it must terminate the process instead.
**/
void
crypto_rand_unmocked(char *to, size_t n)
{
int r;
if (n == 0)
return;
tor_assert(n < INT_MAX);
tor_assert(to);
r = RAND_bytes((unsigned char*)to, (int)n);
/* We consider a PRNG failure non-survivable. Let's assert so that we get a
* stack trace about where it happened.
*/
tor_assert(r >= 0);
}
/**
* Return a pseudorandom integer, chosen uniformly from the values
* between 0 and <b>max</b>-1 inclusive. <b>max</b> must be between 1 and
* INT_MAX+1, inclusive.
*/
int
crypto_rand_int(unsigned int max)
{
unsigned int val;
unsigned int cutoff;
tor_assert(max <= ((unsigned int)INT_MAX)+1);
tor_assert(max > 0); /* don't div by 0 */
/* We ignore any values that are >= 'cutoff,' to avoid biasing the
* distribution with clipping at the upper end of unsigned int's
* range.
*/
cutoff = UINT_MAX - (UINT_MAX%max);
while (1) {
crypto_rand((char*)&val, sizeof(val));
if (val < cutoff)
return val % max;
}
}
/**
* Return a pseudorandom integer, chosen uniformly from the values i such
* that min <= i < max.
*
* <b>min</b> MUST be in range [0, <b>max</b>).
* <b>max</b> MUST be in range (min, INT_MAX].
**/
int
crypto_rand_int_range(unsigned int min, unsigned int max)
{
tor_assert(min < max);
tor_assert(max <= INT_MAX);
/* The overflow is avoided here because crypto_rand_int() returns a value
* between 0 and (max - min) inclusive. */
return min + crypto_rand_int(max - min);
}
/**
* As crypto_rand_int_range, but supports uint64_t.
**/
uint64_t
crypto_rand_uint64_range(uint64_t min, uint64_t max)
{
tor_assert(min < max);
return min + crypto_rand_uint64(max - min);
}
/**
* As crypto_rand_int_range, but supports time_t.
**/
time_t
crypto_rand_time_range(time_t min, time_t max)
{
tor_assert(min < max);
return min + (time_t)crypto_rand_uint64(max - min);
}
/**
* Return a pseudorandom 64-bit integer, chosen uniformly from the values
* between 0 and <b>max</b>-1 inclusive.
**/
uint64_t
crypto_rand_uint64(uint64_t max)
{
uint64_t val;
uint64_t cutoff;
tor_assert(max < UINT64_MAX);
tor_assert(max > 0); /* don't div by 0 */
/* We ignore any values that are >= 'cutoff,' to avoid biasing the
* distribution with clipping at the upper end of unsigned int's
* range.
*/
cutoff = UINT64_MAX - (UINT64_MAX%max);
while (1) {
crypto_rand((char*)&val, sizeof(val));
if (val < cutoff)
return val % max;
}
}
/**
* Return a pseudorandom double d, chosen uniformly from the range
* 0.0 <= d < 1.0.
**/
double
crypto_rand_double(void)
{
/* We just use an unsigned int here; we don't really care about getting
* more than 32 bits of resolution */
unsigned int u;
crypto_rand((char*)&u, sizeof(u));
#if SIZEOF_INT == 4
#define UINT_MAX_AS_DOUBLE 4294967296.0
#elif SIZEOF_INT == 8
#define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
#else
#error SIZEOF_INT is neither 4 nor 8
#endif /* SIZEOF_INT == 4 || ... */
return ((double)u) / UINT_MAX_AS_DOUBLE;
}
/**
* Generate and return a new random hostname starting with <b>prefix</b>,
* ending with <b>suffix</b>, and containing no fewer than
* <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
* characters. Does not check for failure.
*
* Clip <b>max_rand_len</b> to MAX_DNS_LABEL_SIZE.
**/
char *
crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix,
const char *suffix)
{
char *result, *rand_bytes;
int randlen, rand_bytes_len;
size_t resultlen, prefixlen;
if (max_rand_len > MAX_DNS_LABEL_SIZE)
max_rand_len = MAX_DNS_LABEL_SIZE;
if (min_rand_len > max_rand_len)
min_rand_len = max_rand_len;
randlen = crypto_rand_int_range(min_rand_len, max_rand_len+1);
prefixlen = strlen(prefix);
resultlen = prefixlen + strlen(suffix) + randlen + 16;
rand_bytes_len = ((randlen*5)+7)/8;
if (rand_bytes_len % 5)
rand_bytes_len += 5 - (rand_bytes_len%5);
rand_bytes = tor_malloc(rand_bytes_len);
crypto_rand(rand_bytes, rand_bytes_len);
result = tor_malloc(resultlen);
memcpy(result, prefix, prefixlen);
base32_encode(result+prefixlen, resultlen-prefixlen,
rand_bytes, rand_bytes_len);
tor_free(rand_bytes);
strlcpy(result+prefixlen+randlen, suffix, resultlen-(prefixlen+randlen));
return result;
}
/**
* Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
* is empty.
**/
void *
smartlist_choose(const smartlist_t *sl)
{
int len = smartlist_len(sl);
if (len)
return smartlist_get(sl,crypto_rand_int(len));
return NULL; /* no elements to choose from */
}
/**
* Scramble the elements of <b>sl</b> into a random order.
**/
void
smartlist_shuffle(smartlist_t *sl)
{
int i;
/* From the end of the list to the front, choose at random from the
positions we haven't looked at yet, and swap that position into the
current position. Remember to give "no swap" the same probability as
any other swap. */
for (i = smartlist_len(sl)-1; i > 0; --i) {
int j = crypto_rand_int(i+1);
smartlist_swap(sl, i, j);
}
}
/** Make sure that openssl is using its default PRNG. Return 1 if we had to
* adjust it; 0 otherwise. */
int
crypto_force_rand_ssleay(void)
{
RAND_METHOD *default_method;
default_method = RAND_OpenSSL();
if (RAND_get_rand_method() != default_method) {
log_notice(LD_CRYPTO, "It appears that one of our engines has provided "
"a replacement the OpenSSL RNG. Resetting it to the default "
"implementation.");
RAND_set_rand_method(default_method);
return 1;
}
return 0;
}
#endif /* !defined(CRYPTO_RAND_PRIVATE) */

52
src/common/crypto_rand.h Normal file
View file

@ -0,0 +1,52 @@
/* Copyright (c) 2001, Matej Pfajfar.
* Copyright (c) 2001-2004, Roger Dingledine.
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
* Copyright (c) 2007-2018, The Tor Project, Inc. */
/* See LICENSE for licensing information */
/**
* \file crypto_rand.h
*
* \brief Common functions for using (psuedo-)random number generators.
**/
#ifndef TOR_CRYPTO_RAND_H
#define TOR_CRYPTO_RAND_H
#include "torint.h"
#include "util.h"
/* random numbers */
int crypto_seed_rng(void) ATTR_WUR;
MOCK_DECL(void,crypto_rand,(char *to, size_t n));
void crypto_rand_unmocked(char *to, size_t n);
void crypto_strongest_rand(uint8_t *out, size_t out_len);
int crypto_rand_int(unsigned int max);
int crypto_rand_int_range(unsigned int min, unsigned int max);
uint64_t crypto_rand_uint64_range(uint64_t min, uint64_t max);
time_t crypto_rand_time_range(time_t min, time_t max);
uint64_t crypto_rand_uint64(uint64_t max);
double crypto_rand_double(void);
struct tor_weak_rng_t;
void crypto_seed_weak_rng(struct tor_weak_rng_t *rng);
char *crypto_random_hostname(int min_rand_len, int max_rand_len,
const char *prefix, const char *suffix);
struct smartlist_t;
void *smartlist_choose(const struct smartlist_t *sl);
void smartlist_shuffle(struct smartlist_t *sl);
int crypto_force_rand_ssleay(void);
#ifdef CRYPTO_RAND_PRIVATE
STATIC int crypto_strongest_rand_raw(uint8_t *out, size_t out_len);
#ifdef TOR_UNIT_TESTS
extern int break_strongest_rng_syscall;
extern int break_strongest_rng_fallback;
#endif
#endif /* defined(CRYPTO_RAND_PRIVATE) */
#endif /* !defined(TOR_CRYPTO_RAND_H) */

8
src/common/crypto_rsa.c
View file

@ -9,12 +9,14 @@
* \brief Block of functions related with RSA utilities and operations.
**/
#include "crypto_rsa.h"
#include "crypto.h"
#include "compat_openssl.h"
#include "crypto_curve25519.h"
#include "crypto_format.h"
#include "crypto_digest.h"
#include "crypto_format.h"
#include "compat_openssl.h"
#include "crypto_rand.h"
#include "crypto_rsa.h"
#include "crypto_util.h"
DISABLE_GCC_WARNING(redundant-decls)

8
src/common/crypto_s2k.c
View file

@ -12,11 +12,13 @@
#define CRYPTO_S2K_PRIVATE
#include "crypto.h"
#include "util.h"
#include "compat.h"
#include "crypto_s2k.h"
#include "crypto.h"
#include "crypto_digest.h"
#include "crypto_rand.h"
#include "crypto_s2k.h"
#include "crypto_util.h"
#include "util.h"
#include <openssl/evp.h>

105
src/common/crypto_util.c Normal file
View file

@ -0,0 +1,105 @@
/* Copyright (c) 2001, Matej Pfajfar.
* Copyright (c) 2001-2004, Roger Dingledine.
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
* Copyright (c) 2007-2018, The Tor Project, Inc. */
/* See LICENSE for licensing information */
/**
* \file crypto_util.c
*
* \brief Common cryptographic utilities.
**/
#ifndef CRYPTO_UTIL_PRIVATE
#define CRYPTO_UTIL_PRIVATE
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#endif /* defined(_WIN32) */
#include "crypto_util.h"
#include "util.h"
DISABLE_GCC_WARNING(redundant-decls)
#include <openssl/crypto.h>
ENABLE_GCC_WARNING(redundant-decls)
/**
* Destroy the <b>sz</b> bytes of data stored at <b>mem</b>, setting them to
* the value <b>byte</b>.
* If <b>mem</b> is NULL or <b>sz</b> is zero, nothing happens.
*
* This function is preferable to memset, since many compilers will happily
* optimize out memset() when they can convince themselves that the data being
* cleared will never be read.
*
* Right now, our convention is to use this function when we are wiping data
* that's about to become inaccessible, such as stack buffers that are about
* to go out of scope or structures that are about to get freed. (In
* practice, it appears that the compilers we're currently using will optimize
* out the memset()s for stack-allocated buffers, but not those for
* about-to-be-freed structures. That could change, though, so we're being
* wary.) If there are live reads for the data, then you can just use
* memset().
*/
void
memwipe(void *mem, uint8_t byte, size_t sz)
{
if (sz == 0) {
return;
}
/* If sz is nonzero, then mem must not be NULL. */
tor_assert(mem != NULL);
/* Data this large is likely to be an underflow. */
tor_assert(sz < SIZE_T_CEILING);
/* Because whole-program-optimization exists, we may not be able to just
* have this function call "memset". A smart compiler could inline it, then
* eliminate dead memsets, and declare itself to be clever. */
#if defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY)
/* Here's what you do on windows. */
SecureZeroMemory(mem,sz);
#elif defined(HAVE_RTLSECUREZEROMEMORY)
RtlSecureZeroMemory(mem,sz);
#elif defined(HAVE_EXPLICIT_BZERO)
/* The BSDs provide this. */
explicit_bzero(mem, sz);
#elif defined(HAVE_MEMSET_S)
/* This is in the C99 standard. */
memset_s(mem, sz, 0, sz);
#else
/* This is a slow and ugly function from OpenSSL that fills 'mem' with junk
* based on the pointer value, then uses that junk to update a global
* variable. It's an elaborate ruse to trick the compiler into not
* optimizing out the "wipe this memory" code. Read it if you like zany
* programming tricks! In later versions of Tor, we should look for better
* not-optimized-out memory wiping stuff...
*
* ...or maybe not. In practice, there are pure-asm implementations of
* OPENSSL_cleanse() on most platforms, which ought to do the job.
**/
OPENSSL_cleanse(mem, sz);
#endif /* defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY) || ... */
/* Just in case some caller of memwipe() is relying on getting a buffer
* filled with a particular value, fill the buffer.
*
* If this function gets inlined, this memset might get eliminated, but
* that's okay: We only care about this particular memset in the case where
* the caller should have been using memset(), and the memset() wouldn't get
* eliminated. In other words, this is here so that we won't break anything
* if somebody accidentally calls memwipe() instead of memset().
**/
memset(mem, byte, sz);
}
#endif /* !defined(CRYPTO_UTIL_PRIVATE) */

27
src/common/crypto_util.h Normal file
View file

@ -0,0 +1,27 @@
/* Copyright (c) 2001, Matej Pfajfar.
* Copyright (c) 2001-2004, Roger Dingledine.
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
* Copyright (c) 2007-2018, The Tor Project, Inc. */
/* See LICENSE for licensing information */
/**
* \file crypto_util.h
*
* \brief Common functions for cryptographic routines.
**/
#ifndef TOR_CRYPTO_UTIL_H
#define TOR_CRYPTO_UTIL_H
#include "torint.h"
/** OpenSSL-based utility functions. */
void memwipe(void *mem, uint8_t byte, size_t sz);
#ifdef CRYPTO_UTIL_PRIVATE
#ifdef TOR_UNIT_TESTS
#endif /* defined(TOR_UNIT_TESTS) */
#endif /* defined(CRYPTO_UTIL_PRIVATE) */
#endif /* !defined(TOR_CRYPTO_UTIL_H) */

10
src/common/include.am
View file

@ -116,11 +116,13 @@ LIBOR_CRYPTO_A_SRC = \
src/common/compress_zstd.c \
src/common/crypto.c \
src/common/crypto_digest.c \
src/common/crypto_rsa.c \
src/common/crypto_format.c \
src/common/crypto_openssl_mgt.c \
src/common/crypto_pwbox.c \
src/common/crypto_rand.c \
src/common/crypto_rsa.c \
src/common/crypto_s2k.c \
src/common/crypto_format.c \
src/common/crypto_util.c \
src/common/tortls.c \
src/common/crypto_curve25519.c \
src/common/crypto_ed25519.c
@ -172,9 +174,11 @@ COMMONHEADERS = \
src/common/crypto_ed25519.h \
src/common/crypto_format.h \
src/common/crypto_openssl_mgt.h \
src/common/crypto_rsa.h \
src/common/crypto_pwbox.h \
src/common/crypto_rand.h \
src/common/crypto_rsa.h \
src/common/crypto_s2k.h \
src/common/crypto_util.h \
src/common/di_ops.h \
src/common/handles.h \
src/common/memarea.h \

2
src/common/tortls.c
View file

@ -26,6 +26,8 @@
#endif
#include "crypto.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "compat.h"
/* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in

2
src/common/workqueue.c
View file

@ -27,7 +27,7 @@
#include "compat.h"
#include "compat_libevent.h"
#include "compat_threads.h"
#include "crypto.h"
#include "crypto_rand.h"
#include "util.h"
#include "workqueue.h"
#include "tor_queue.h"

2
src/ext/ed25519/donna/ed25519-randombytes-custom.h
View file

@ -8,7 +8,7 @@
*/
/* Tor: Instead of calling OpenSSL's CSPRNG directly, call the wrapper. */
#include "crypto.h"
#include "crypto_rand.h"
static void
ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len)

2
src/ext/ed25519/donna/ed25519_tor.c
View file

@ -40,6 +40,8 @@
#include "ed25519-randombytes.h"
#include "ed25519-hash.h"
#include "crypto_util.h"
typedef unsigned char ed25519_signature[64];
typedef unsigned char ed25519_public_key[32];
typedef unsigned char ed25519_secret_key[32];

2
src/ext/ed25519/ref10/blinding.c
View file

@ -7,7 +7,7 @@
#include "ed25519_ref10.h"
#include <string.h>
#include "crypto.h"
#include "crypto_util.h"
static void
ed25519_ref10_gettweak(unsigned char *out, const unsigned char *param)

3
src/ext/ed25519/ref10/keypair.c
View file

@ -6,6 +6,9 @@
#include "crypto_hash_sha512.h"
#include "ge.h"
#include "crypto_rand.h"
#include "crypto_util.h"
int
crypto_sign_seckey(unsigned char *sk)
{

2
src/ext/ed25519/ref10/randombytes.h
View file

@ -1,4 +1,4 @@
/* Added for Tor. */
#include "crypto.h"
#include "crypto_rand.h"
#define randombytes(b, n) \
(crypto_strongest_rand((b), (n)), 0)

2
src/ext/keccak-tiny/keccak-tiny-unrolled.c
View file

@ -9,7 +9,7 @@
#include "keccak-tiny.h"
#include <string.h>
#include "crypto.h"
#include "crypto_util.h"
#include "byteorder.h"
/******** Endianness conversion helpers ********/

3
src/or/addressmap.c
View file

@ -21,9 +21,10 @@
#include "config.h"
#include "connection_edge.h"
#include "control.h"
#include "crypto_rand.h"
#include "dns.h"
#include "routerset.h"
#include "nodelist.h"
#include "routerset.h"
/** A client-side struct to remember requests to rewrite addresses
* to new addresses. These structs are stored in the hash table

1
src/or/channelpadding.c
View file

@ -16,6 +16,7 @@
#include "networkstatus.h"
#include "connection.h"
#include "connection_or.h"
#include "crypto_rand.h"
#include "main.h"
#include "rephist.h"
#include "router.h"

1
src/or/circpathbias.c
View file

@ -30,6 +30,7 @@
#include "circuitstats.h"
#include "connection_edge.h"
#include "config.h"
#include "crypto_rand.h"
#include "entrynodes.h"
#include "networkstatus.h"
#include "relay.h"

2
src/or/circuitbuild.c
View file

@ -43,7 +43,7 @@
#include "connection_edge.h"
#include "connection_or.h"
#include "control.h"
#include "crypto.h"
#include "crypto_rand.h"
#include "directory.h"
#include "entrynodes.h"
#include "hs_ntor.h"

2
src/or/circuitlist.c
View file

@ -65,6 +65,8 @@
#include "connection_edge.h"
#include "connection_or.h"
#include "control.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "entrynodes.h"
#include "main.h"
#include "hs_circuit.h"

1
src/or/circuitmux_ewma.c
View file

@ -37,6 +37,7 @@
#include "or.h"
#include "circuitmux.h"
#include "circuitmux_ewma.h"
#include "crypto_rand.h"
#include "networkstatus.h"
/*** EWMA parameter #defines ***/

1
src/or/circuitstats.c
View file

@ -31,6 +31,7 @@
#include "config.h"
#include "confparse.h"
#include "control.h"
#include "crypto_rand.h"
#include "main.h"
#include "networkstatus.h"
#include "rendclient.h"

1
src/or/command.c
View file

@ -46,6 +46,7 @@
#include "config.h"
#include "control.h"
#include "cpuworker.h"
#include "crypto_util.h"
#include "dos.h"
#include "hibernate.h"
#include "nodelist.h"

2
src/or/config.c
View file

@ -79,6 +79,8 @@
#include "control.h"
#include "confparse.h"
#include "cpuworker.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "dirserv.h"
#include "dns.h"
#include "dos.h"

1
src/or/connection.c
View file

@ -76,6 +76,7 @@
#include "connection_edge.h"
#include "connection_or.h"
#include "control.h"
#include "crypto_util.h"
#include "directory.h"
#include "dirserv.h"
#include "dns.h"

1
src/or/connection_edge.c
View file

@ -70,6 +70,7 @@
#include "connection_edge.h"
#include "connection_or.h"
#include "control.h"
#include "crypto_util.h"
#include "dns.h"
#include "dnsserv.h"
#include "directory.h"

2
src/or/connection_or.c
View file

@ -39,6 +39,8 @@
#include "connection.h"
#include "connection_or.h"
#include "control.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "dirserv.h"
#include "entrynodes.h"
#include "geoip.h"

1
src/or/conscache.c
View file

@ -5,6 +5,7 @@
#include "config.h"
#include "conscache.h"
#include "crypto_util.h"
#include "storagedir.h"
#define CCE_MAGIC 0x17162253

2
src/or/control.c
View file

@ -52,6 +52,8 @@
#include "connection_edge.h"
#include "connection_or.h"
#include "control.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "directory.h"
#include "dirserv.h"
#include "dnsserv.h"

2
src/or/cpuworker.c
View file

@ -24,6 +24,8 @@
#include "connection_or.h"
#include "config.h"
#include "cpuworker.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "main.h"
#include "onion.h"
#include "rephist.h"

6
src/or/dirauth/shared_random.c
View file

@ -91,12 +91,14 @@
#include "shared_random.h"
#include "config.h"
#include "confparse.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "networkstatus.h"
#include "routerkeys.h"
#include "router.h"
#include "routerkeys.h"
#include "routerlist.h"
#include "shared_random_state.h"
#include "shared_random_client.h"
#include "shared_random_state.h"
#include "util.h"
#include "voting_schedule.h"

10
src/or/dirauth/shared_random_state.c
View file

@ -11,16 +11,16 @@
#define SHARED_RANDOM_STATE_PRIVATE
#include "or.h"
#include "shared_random.h"
#include "config.h"
#include "confparse.h"
#include "voting_schedule.h"
#include "crypto_util.h"
#include "dirauth/dirvote.h"
#include "networkstatus.h"
#include "router.h"
#include "shared_random_state.h"
#include "shared_random.h"
#include "shared_random_client.h"
#include "dirauth/dirvote.h"
#include "shared_random_state.h"
#include "voting_schedule.h"
/* Default filename of the shared random state on disk. */
static const char default_fname[] = "sr-state";

2
src/or/directory.c
View file

@ -18,6 +18,8 @@
#include "consdiffmgr.h"
#include "control.h"
#include "compat.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "directory.h"
#include "dirserv.h"
#include "entrynodes.h"

1
src/or/dns.c
View file

@ -56,6 +56,7 @@
#include "connection.h"
#include "connection_edge.h"
#include "control.h"
#include "crypto_rand.h"
#include "dns.h"
#include "main.h"
#include "policies.h"

1
src/or/dos.c
View file

@ -11,6 +11,7 @@
#include "or.h"
#include "channel.h"
#include "config.h"
#include "crypto_rand.h"
#include "geoip.h"
#include "main.h"
#include "networkstatus.h"

1
src/or/entrynodes.c
View file

@ -123,6 +123,7 @@
#include "confparse.h"
#include "connection.h"
#include "control.h"
#include "crypto_rand.h"
#include "directory.h"
#include "entrynodes.h"
#include "main.h"

4
src/or/ext_orport.c
View file

@ -20,9 +20,11 @@
#include "or.h"
#include "connection.h"
#include "connection_or.h"
#include "ext_orport.h"
#include "control.h"
#include "config.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "ext_orport.h"
#include "main.h"
#include "proto_ext_or.h"
#include "util.h"

1
src/or/hibernate.c
View file

@ -36,6 +36,7 @@ hibernating, phase 2:
#include "connection_edge.h"
#include "connection_or.h"
#include "control.h"
#include "crypto_rand.h"
#include "hibernate.h"
#include "main.h"
#include "router.h"

1
src/or/hs_cache.c
View file

@ -11,6 +11,7 @@
#include "or.h"
#include "config.h"
#include "crypto_util.h"
#include "hs_ident.h"
#include "hs_common.h"
#include "hs_client.h"

1
src/or/hs_cache.h
View file

@ -11,7 +11,6 @@
#include <stdint.h>
#include "crypto.h"
#include "crypto_ed25519.h"
#include "hs_common.h"
#include "hs_descriptor.h"

1
src/or/hs_cell.c
View file

@ -8,6 +8,7 @@
#include "or.h"
#include "config.h"
#include "crypto_util.h"
#include "rendservice.h"
#include "replaycache.h"
#include "util.h"

2
src/or/hs_circuit.c
View file

@ -13,6 +13,8 @@
#include "circuitlist.h"
#include "circuituse.h"
#include "config.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "nodelist.h"
#include "policies.h"
#include "relay.h"

1
src/or/hs_circuit.h
View file

@ -10,7 +10,6 @@
#define TOR_HS_CIRCUIT_H
#include "or.h"
#include "crypto.h"
#include "crypto_ed25519.h"
#include "hs_service.h"

36
src/or/hs_client.c
View file

@ -9,29 +9,31 @@
#define HS_CLIENT_PRIVATE
#include "or.h"
#include "hs_circuit.h"
#include "hs_ident.h"
#include "connection_edge.h"
#include "container.h"
#include "rendclient.h"
#include "hs_descriptor.h"
#include "hs_cache.h"
#include "hs_cell.h"
#include "config.h"
#include "directory.h"
#include "hs_client.h"
#include "hs_control.h"
#include "router.h"
#include "routerset.h"
#include "circpathbias.h"
#include "circuitbuild.h"
#include "circuitlist.h"
#include "circuituse.h"
#include "config.h"
#include "connection.h"
#include "nodelist.h"
#include "circpathbias.h"
#include "connection_edge.h"
#include "container.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "directory.h"
#include "hs_cache.h"
#include "hs_cell.h"
#include "hs_circuit.h"
#include "hs_client.h"
#include "hs_control.h"
#include "hs_descriptor.h"
#include "hs_ident.h"
#include "hs_ntor.h"
#include "circuitbuild.h"
#include "networkstatus.h"
#include "nodelist.h"
#include "reasons.h"
#include "rendclient.h"
#include "router.h"
#include "routerset.h"
/* Return a human-readable string for the client fetch status code. */
static const char *

2
src/or/hs_common.c
View file

@ -15,6 +15,8 @@
#include "config.h"
#include "circuitbuild.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "networkstatus.h"
#include "nodelist.h"
#include "hs_cache.h"

1
src/or/hs_control.c
View file

@ -8,6 +8,7 @@
#include "or.h"
#include "control.h"
#include "crypto_util.h"
#include "hs_common.h"
#include "hs_control.h"
#include "hs_descriptor.h"

2
src/or/hs_descriptor.c
View file

@ -59,6 +59,8 @@
#include "ed25519_cert.h" /* Trunnel interface. */
#include "hs_descriptor.h"
#include "circuitbuild.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "parsecommon.h"
#include "rendcache.h"
#include "hs_cache.h"

1
src/or/hs_descriptor.h
View file

@ -16,6 +16,7 @@
#include "container.h"
#include "crypto.h"
#include "crypto_ed25519.h"
#include "ed25519_cert.h" /* needed for trunnel */
#include "torcert.h"
/* Trunnel */

1
src/or/hs_ident.c
View file

@ -7,6 +7,7 @@
* subsytem.
**/
#include "crypto_util.h"
#include "hs_ident.h"
/* Return a newly allocated circuit identifier. The given public key is copied

1
src/or/hs_ident.h
View file

@ -21,7 +21,6 @@
#ifndef TOR_HS_IDENT_H
#define TOR_HS_IDENT_H
#include "crypto.h"
#include "crypto_ed25519.h"
#include "hs_common.h"

1
src/or/hs_ntor.c
View file

@ -25,6 +25,7 @@
*/
#include "or.h"
#include "crypto_util.h"
#include "hs_ntor.h"
/* String constants used by the ntor HS protocol */

2
src/or/hs_service.c
View file

@ -15,6 +15,8 @@
#include "circuituse.h"
#include "config.h"
#include "connection.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "directory.h"
#include "main.h"
#include "networkstatus.h"

1
src/or/main.c
View file

@ -71,6 +71,7 @@
#include "control.h"
#include "cpuworker.h"
#include "crypto_s2k.h"
#include "crypto_rand.h"
#include "directory.h"
#include "dirserv.h"
#include "dns.h"

2
src/or/networkstatus.c
View file

@ -48,6 +48,8 @@
#include "connection_or.h"
#include "consdiffmgr.h"
#include "control.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "directory.h"
#include "dirserv.h"
#include "dos.h"

1
src/or/onion.c
View file

@ -67,6 +67,7 @@
#include "circuitlist.h"
#include "config.h"
#include "cpuworker.h"
#include "crypto_util.h"
#include "networkstatus.h"
#include "onion.h"
#include "onion_fast.h"

2
src/or/onion_fast.c
View file

@ -29,6 +29,8 @@
#include "or.h"
#include "onion_fast.h"
#include "crypto_rand.h"
#include "crypto_util.h"
/** Release all state held in <b>victim</b>. */
void

1
src/or/onion_ntor.c
View file

@ -23,6 +23,7 @@
#define ONION_NTOR_PRIVATE
#include "crypto.h"
#include "crypto_digest.h"
#include "crypto_util.h"
#include "onion_ntor.h"
#include "torlog.h"
#include "util.h"

2
src/or/onion_tap.c
View file

@ -29,6 +29,8 @@
#include "or.h"
#include "config.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "onion_tap.h"
#include "rephist.h"

1
src/or/proto_socks.c
View file

@ -9,6 +9,7 @@
#include "buffers.h"
#include "control.h"
#include "config.h"
#include "crypto_util.h"
#include "ext_orport.h"
#include "proto_socks.h"
#include "reasons.h"

2
src/or/relay.c
View file

@ -61,6 +61,8 @@
#include "connection_edge.h"
#include "connection_or.h"
#include "control.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "geoip.h"
#include "hs_cache.h"
#include "main.h"

3
src/or/relay_crypto.c
View file

@ -6,9 +6,10 @@
#include "or.h"
#include "config.h"
#include "crypto_util.h"
#include "hs_ntor.h" // for HS_NTOR_KEY_EXPANSION_KDF_OUT_LEN
#include "relay_crypto.h"
#include "relay.h"
#include "relay_crypto.h"
/** Update digest from the payload of cell. Assign integrity part to
* cell.

6
src/or/rendclient.c
View file

@ -15,10 +15,13 @@
#include "config.h"
#include "connection.h"
#include "connection_edge.h"
#include "control.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "directory.h"
#include "hs_common.h"
#include "hs_circuit.h"
#include "hs_client.h"
#include "hs_common.h"
#include "main.h"
#include "networkstatus.h"
#include "nodelist.h"
@ -29,7 +32,6 @@
#include "router.h"
#include "routerlist.h"
#include "routerset.h"
#include "control.h"
static extend_info_t *rend_client_get_random_intro_impl(
const rend_cache_entry_t *rend_query,

8
src/or/rendcommon.c
View file

@ -14,18 +14,20 @@
#include "circuitbuild.h"
#include "config.h"
#include "control.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "hs_client.h"
#include "hs_common.h"
#include "hs_intropoint.h"
#include "networkstatus.h"
#include "rendclient.h"
#include "rendcommon.h"
#include "rendmid.h"
#include "hs_intropoint.h"
#include "hs_client.h"
#include "rendservice.h"
#include "rephist.h"
#include "router.h"
#include "routerlist.h"
#include "routerparse.h"
#include "networkstatus.h"
/** Return 0 if one and two are the same service ids, else -1 or 1 */
int

2
src/or/rendservice.c
View file

@ -16,6 +16,8 @@
#include "circuituse.h"
#include "config.h"
#include "control.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "directory.h"
#include "hs_common.h"
#include "hs_config.h"

1
src/or/rephist.c
View file

@ -78,6 +78,7 @@
#include "circuitlist.h"
#include "circuituse.h"
#include "config.h"
#include "crypto_rand.h"
#include "networkstatus.h"
#include "nodelist.h"
#include "rephist.h"

2
src/or/router.c
View file

@ -13,6 +13,8 @@
#include "config.h"
#include "connection.h"
#include "control.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "crypto_curve25519.h"
#include "directory.h"
#include "dirserv.h"

1
src/or/routerkeys.c
View file

@ -16,6 +16,7 @@
#include "or.h"
#include "config.h"
#include "crypto_util.h"
#include "router.h"
#include "crypto_pwbox.h"
#include "routerkeys.h"

1
src/or/routerlist.c
View file

@ -99,6 +99,7 @@
#include "config.h"
#include "connection.h"
#include "control.h"
#include "crypto_rand.h"
#include "directory.h"
#include "dirserv.h"
#include "entrynodes.h"

19
src/or/routerparse.c
View file

@ -56,27 +56,28 @@
#define ROUTERPARSE_PRIVATE
#include "or.h"
#include "config.h"
#include "circuitstats.h"
#include "config.h"
#include "crypto_util.h"
#include "dirauth/shared_random.h"
#include "dirserv.h"
#include "entrynodes.h"
#include "memarea.h"
#include "microdesc.h"
#include "networkstatus.h"
#include "parsecommon.h"
#include "policies.h"
#include "protover.h"
#include "rendcommon.h"
#include "router.h"
#include "routerlist.h"
#include "memarea.h"
#include "microdesc.h"
#include "networkstatus.h"
#include "rephist.h"
#include "router.h"
#include "routerkeys.h"
#include "routerlist.h"
#include "routerparse.h"
#include "entrynodes.h"
#include "torcert.h"
#include "sandbox.h"
#include "shared_random_client.h"
#include "torcert.h"
#include "voting_schedule.h"
#include "dirauth/shared_random.h"
#undef log
#include <math.h>

2
src/or/torcert.c
View file

@ -27,7 +27,7 @@
#include "or.h"
#include "config.h"
#include "crypto.h"
#include "crypto_util.h"
#include "torcert.h"
#include "ed25519_cert.h"
#include "torlog.h"

30
src/rust/Cargo.lock generated
View file

@ -22,6 +22,35 @@ dependencies = [
"tor_util 0.0.1",
]
[[package]]
name = "rand"
version = "0.0.1"
dependencies = [
"external 0.0.1",
"libc 0.2.39 (registry+https://github.com/rust-lang/crates.io-index)",
"rand 0.5.0-pre.0",
"rand_core 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
"tor_allocate 0.0.1",
"tor_log 0.1.0",
"tor_util 0.0.1",
]
[[package]]
name = "rand"
version = "0.5.0-pre.0"
dependencies = [
"rand_core 0.1.0",
]
[[package]]
name = "rand_core"
version = "0.1.0"
[[package]]
name = "rand_core"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "smartlist"
version = "0.0.1"
@ -63,3 +92,4 @@ dependencies = [
[metadata]
"checksum libc 0.2.39 (registry+https://github.com/rust-lang/crates.io-index)" = "f54263ad99207254cf58b5f701ecb432c717445ea2ee8af387334bdd1a03fdff"
"checksum rand_core 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "0224284424a4b818387b58d59336c288f99b48f69681aa60cc681fe038bbca5d"

4
src/rust/Cargo.toml
View file

@ -1,6 +1,8 @@
[workspace]
members = ["tor_util", "protover", "smartlist", "external", "tor_allocate",
"tor_rust", "tor_log"]
"tor_rust", "tor_log",
"rand",
]
[profile.release]
debug = true

87
src/rust/external/crypto_rand.rs vendored Normal file
View file

@ -0,0 +1,87 @@
// Copyright (c) 2018, The Tor Project, Inc.
// Copyright (c) 2018, isis agora lovecruft
// See LICENSE for licensing information
//! Bindings to external (P)RNG interfaces and utilities in
//! src/common/crypto_rand.[ch].
//!
//! We wrap our C implementations in src/common/crypto_rand.[ch] here in order
//! to provide wrappers with native Rust types, and then provide more Rusty
//! types and and trait implementations in src/rust/crypto/rand/.
use std::time::Duration;
use libc::c_double;
use libc::c_int;
use libc::size_t;
use libc::time_t;
use libc::uint8_t;
extern "C" {
fn crypto_seed_rng() -> c_int;
fn crypto_rand(out: *mut uint8_t, out_len: size_t);
fn crypto_strongest_rand(out: *mut uint8_t, out_len: size_t);
fn crypto_rand_time_range(min: time_t, max: time_t) -> time_t;
fn crypto_rand_double() -> c_double;
}
/// Seed OpenSSL's random number generator with bytes from the operating
/// system.
///
/// # Returns
///
/// `true` on success; `false` on failure.
pub fn c_tor_crypto_seed_rng() -> bool {
let ret: c_int;
unsafe {
ret = crypto_seed_rng();
}
match ret {
0 => return true,
_ => return false,
}
}
/// Fill the bytes of `dest` with random data.
pub fn c_tor_crypto_rand(dest: &mut [u8]) {
unsafe {
crypto_rand(dest.as_mut_ptr(), dest.len() as size_t);
}
}
/// Fill the bytes of `dest` with "strong" random data by hashing
/// together randomness obtained from OpenSSL's RNG and the operating
/// system.
pub fn c_tor_crypto_strongest_rand(dest: &mut [u8]) {
// We'll let the C side panic if the len is larger than
// MAX_STRONGEST_RAND_SIZE, rather than potentially panicking here. A
// paranoid caller should assert on the length of dest *before* calling this
// function.
unsafe {
crypto_strongest_rand(dest.as_mut_ptr(), dest.len() as size_t);
}
}
/// Get a random time, in seconds since the Unix Epoch.
///
/// # Returns
///
/// A `std::time::Duration` of seconds since the Unix Epoch.
pub fn c_tor_crypto_rand_time_range(min: &Duration, max: &Duration) -> Duration {
let ret: time_t;
unsafe {
ret = crypto_rand_time_range(min.as_secs() as time_t, max.as_secs() as time_t);
}
Duration::from_secs(ret as u64)
}
/// Return a pseudorandom 64-bit float, chosen uniformly from the range [0.0, 1.0).
pub fn c_tor_crypto_rand_double() -> f64 {
unsafe {
crypto_rand_double()
}
}

4
src/rust/external/lib.rs vendored
View file

@ -1,4 +1,4 @@
//! Copyright (c) 2016-2017, The Tor Project, Inc. */
//! Copyright (c) 2016-2018, The Tor Project, Inc. */
//! See LICENSE for licensing information */
//! Interface for external calls to tor C ABI
@ -9,6 +9,8 @@
extern crate libc;
mod crypto_rand;
mod external;
pub use crypto_rand::*;
pub use external::*;

27
src/rust/rand/Cargo.toml Normal file
View file

@ -0,0 +1,27 @@
# TODO: Note that this package should be merged into the "crypto" crate after #24659 is merged.
[package]
authors = ["The Tor Project"]
version = "0.0.1"
name = "rand"
publish = false
[features]
testing = ["tor_log/testing"]
[dependencies]
libc = "=0.2.39"
rand_core = "=0.1.0"
external = { path = "../external" }
tor_allocate = { path = "../tor_allocate" }
tor_log = { path = "../tor_log" }
tor_util = { path = "../tor_util" }
[dev-dependencies]
rand = { version = "=0.5.0-pre.0", default-features = false, path = "../../ext/rust/vendor/rand-8c5b0ac51d" }
[lib]
name = "rand"
path = "lib.rs"
crate_type = ["rlib", "staticlib"]

16
src/rust/rand/lib.rs Normal file
View file

@ -0,0 +1,16 @@
// Copyright (c) 2018, The Tor Project, Inc.
// Copyright (c) 2018, isis agora lovecruft
// See LICENSE for licensing information
// External dependencies
#[cfg(test)]
extern crate rand;
extern crate rand_core;
// Internal dependencies
extern crate external;
#[cfg(not(test))]
#[macro_use]
extern crate tor_log;
pub mod rng;

140
src/rust/rand/rng.rs Normal file
View file

@ -0,0 +1,140 @@
// Copyright (c) 2018, The Tor Project, Inc.
// Copyright (c) 2018, isis agora lovecruft
// See LICENSE for licensing information
//! Wrappers for Tor's random number generators to provide implementations of
//! `rand_core` traits.
// This is the real implementation, in use in production, which calls into our C
// wrappers in /src/common/crypto_rand.c, which call into OpenSSL, system
// libraries, and make syscalls.
#[cfg(not(test))]
mod internal {
use std::u64;
use rand_core::CryptoRng;
use rand_core::Error;
use rand_core::RngCore;
use rand_core::impls::next_u32_via_fill;
use rand_core::impls::next_u64_via_fill;
use external::c_tor_crypto_rand;
use external::c_tor_crypto_strongest_rand;
use external::c_tor_crypto_seed_rng;
use tor_log::LogDomain;
use tor_log::LogSeverity;
/// Largest strong entropy request permitted.
//
// C_RUST_COUPLED: `MAX_STRONGEST_RAND_SIZE` /src/common/crypto_rand.c
const MAX_STRONGEST_RAND_SIZE: usize = 256;
/// A wrapper around OpenSSL's RNG.
pub struct TorRng {
// This private, zero-length field forces the struct to be treated the
// same as its opaque C couterpart.
_unused: [u8; 0],
}
/// Mark `TorRng` as being suitable for cryptographic purposes.
impl CryptoRng for TorRng {}
impl TorRng {
// C_RUST_COUPLED: `crypto_seed_rng()` /src/common/crypto_rand.c
#[allow(dead_code)]
fn new() -> Self {
if !c_tor_crypto_seed_rng() {
tor_log_msg!(LogSeverity::Warn, LogDomain::General,
"TorRng::from_seed()",
"The RNG could not be seeded!");
}
// XXX also log success at info level —isis
TorRng{ _unused: [0u8; 0] }
}
}
impl RngCore for TorRng {
// C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c
fn next_u32(&mut self) -> u32 {
next_u32_via_fill(self)
}
// C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c
fn next_u64(&mut self) -> u64 {
next_u64_via_fill(self)
}
// C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c
fn fill_bytes(&mut self, dest: &mut [u8]) {
c_tor_crypto_rand(dest);
}
// C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c
fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Error> {
Ok(self.fill_bytes(dest))
}
}
/// A CSPRNG which hashes together randomness from OpenSSL's RNG and entropy
/// obtained from the operating system.
pub struct TorStrongestRng {
// This private, zero-length field forces the struct to be treated the
// same as its opaque C couterpart.
_unused: [u8; 0],
}
/// Mark `TorRng` as being suitable for cryptographic purposes.
impl CryptoRng for TorStrongestRng {}
impl TorStrongestRng {
// C_RUST_COUPLED: `crypto_seed_rng()` /src/common/crypto_rand.c
#[allow(dead_code)]
fn new() -> Self {
if !c_tor_crypto_seed_rng() {
tor_log_msg!(LogSeverity::Warn, LogDomain::General,
"TorStrongestRng::from_seed()",
"The RNG could not be seeded!");
}
// XXX also log success at info level —isis
TorStrongestRng{ _unused: [0u8; 0] }
}
}
impl RngCore for TorStrongestRng {
// C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c
fn next_u32(&mut self) -> u32 {
next_u32_via_fill(self)
}
// C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c
fn next_u64(&mut self) -> u64 {
next_u64_via_fill(self)
}
// C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c
fn fill_bytes(&mut self, dest: &mut [u8]) {
debug_assert!(dest.len() <= MAX_STRONGEST_RAND_SIZE);
c_tor_crypto_strongest_rand(dest);
}
// C_RUST_COUPLED: `crypto_strongest_rand()` /src/common/crypto_rand.c
fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Error> {
Ok(self.fill_bytes(dest))
}
}
}
// For testing, we expose a pure-Rust implementation.
#[cfg(test)]
mod internal {
// It doesn't matter if we pretend ChaCha is a CSPRNG in tests.
pub use rand::ChaChaRng as TorRng;
pub use rand::ChaChaRng as TorStrongestRng;
}
// Finally, expose the public functionality of whichever appropriate internal
// module.
pub use self::internal::*;

1
src/test/bench.c
View file

@ -23,6 +23,7 @@
#include "crypto_curve25519.h"
#include "onion_ntor.h"
#include "crypto_ed25519.h"
#include "crypto_rand.h"
#include "consdiff.h"
#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_PROCESS_CPUTIME_ID)

1
src/test/rend_test_helpers.c
View file

@ -2,6 +2,7 @@
/* See LICENSE for licensing information */
#include "or.h"
#include "crypto_rand.h"
#include "test.h"
#include "rendcommon.h"
#include "rend_test_helpers.h"

2
src/test/test-memwipe.c
View file

@ -7,7 +7,7 @@
#include <sys/types.h>
#include <stdlib.h>
#include "crypto.h"
#include "crypto_util.h"
#include "compat.h"
#include "util.h"

2
src/test/test-timers.c
View file

@ -9,7 +9,7 @@
#include "compat.h"
#include "compat_libevent.h"
#include "crypto.h"
#include "crypto_rand.h"
#include "timers.h"
#include "util.h"

1
src/test/test.c
View file

@ -9,6 +9,7 @@
**/
#include "orconfig.h"
#include "crypto_rand.h"
#include <stdio.h>
#ifdef HAVE_FCNTL_H

1
src/test/test_address_set.c
View file

@ -2,6 +2,7 @@
/* See LICENSE for licensing information */
#include "or.h"
#include "crypto_rand.h"
#include "address_set.h"
#include "microdesc.h"
#include "networkstatus.h"

1
src/test/test_buffers.c
View file

@ -8,6 +8,7 @@
#include "or.h"
#include "buffers.h"
#include "buffers_tls.h"
#include "crypto_rand.h"
#include "proto_http.h"
#include "proto_socks.h"
#include "test.h"

1
src/test/test_cell_formats.c
View file

@ -12,6 +12,7 @@
#include "connection_edge.h"
#include "connection_or.h"
#include "config.h"
#include "crypto_rand.h"
#include "onion.h"
#include "onion_tap.h"
#include "onion_fast.h"

1
src/test/test_channel.c
View file

@ -12,6 +12,7 @@
#include "circuitmux_ewma.h"
/* For var_cell_free */
#include "connection_or.h"
#include "crypto_rand.h"
/* For packed_cell stuff */
#define RELAY_PRIVATE
#include "relay.h"

1
src/test/test_consdiffmgr.c
View file

@ -9,6 +9,7 @@
#include "consdiff.h"
#include "consdiffmgr.h"
#include "cpuworker.h"
#include "crypto_rand.h"
#include "networkstatus.h"
#include "routerparse.h"
#include "workqueue.h"

1
src/test/test_containers.c
View file

@ -5,6 +5,7 @@
#include "orconfig.h"
#include "or.h"
#include "crypto_rand.h"
#include "fp_pair.h"
#include "test.h"

3
src/test/test_crypto.c
View file

@ -5,7 +5,7 @@
#include "orconfig.h"
#define CRYPTO_CURVE25519_PRIVATE
#define CRYPTO_PRIVATE
#define CRYPTO_RAND_PRIVATE
#include "or.h"
#include "test.h"
#include "aes.h"
@ -13,6 +13,7 @@
#include "siphash.h"
#include "crypto_curve25519.h"
#include "crypto_ed25519.h"
#include "crypto_rand.h"
#include "ed25519_vectors.inc"
/** Run unit tests for Diffie-Hellman functionality. */

4
src/test/test_crypto_openssl.c
View file

@ -5,9 +5,9 @@
#include "orconfig.h"
#define CRYPTO_PRIVATE
#define CRYPTO_RAND_PRIVATE
#include "crypto.h"
#include "crypto_rand.h"
#include "util.h"
#include "util_format.h"
#include "compat.h"

Some files were not shown because too many files have changed in this diff Show more