[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [tor/master] crypto: Refactor (P)RNG functionality into new crypto_rand module.



commit fe3aca149191f2eac410caa7113fb6f7e0804d8c
Author: Isis Lovecruft <isis@xxxxxxxxxxxxxx>
Date:   Fri Apr 6 21:23:29 2018 +0000

    crypto: Refactor (P)RNG functionality into new crypto_rand module.
    
     * ADD new /src/common/crypto_rand.[ch] module.
     * ADD new /src/common/crypto_util.[ch] module (contains the memwipe()
       function, since all crypto_* modules need this).
     * FIXES part of #24658: https://bugs.torproject.org/24658
---
 src/common/address_set.c                           |   2 +-
 src/common/compat_libevent.c                       |   2 +-
 src/common/crypto.c                                | 602 +-------------------
 src/common/crypto.h                                |  36 --
 src/common/crypto_curve25519.c                     |   2 +
 src/common/crypto_digest.c                         |   9 +-
 src/common/crypto_ed25519.c                        |   2 +
 src/common/crypto_format.c                         |   1 +
 src/common/crypto_pwbox.c                          |   2 +
 src/common/crypto_rand.c                           | 609 +++++++++++++++++++++
 src/common/crypto_rand.h                           |  53 ++
 src/common/crypto_rsa.c                            |   2 +
 src/common/crypto_s2k.c                            |   2 +
 src/common/crypto_util.c                           | 105 ++++
 src/common/crypto_util.h                           |  27 +
 src/common/include.am                              |   4 +
 src/common/tortls.c                                |   2 +
 src/common/workqueue.c                             |   2 +-
 src/ext/ed25519/donna/ed25519-randombytes-custom.h |   2 +-
 src/ext/ed25519/donna/ed25519_tor.c                |   2 +
 src/ext/ed25519/ref10/blinding.c                   |   2 +-
 src/ext/ed25519/ref10/keypair.c                    |   3 +
 src/ext/keccak-tiny/keccak-tiny-unrolled.c         |   2 +-
 src/or/addressmap.c                                |   1 +
 src/or/channelpadding.c                            |   1 +
 src/or/circpathbias.c                              |   1 +
 src/or/circuitbuild.c                              |   2 +-
 src/or/circuitlist.c                               |   2 +
 src/or/circuitstats.c                              |   1 +
 src/or/command.c                                   |   1 +
 src/or/config.c                                    |   2 +
 src/or/connection.c                                |   1 +
 src/or/connection_edge.c                           |   1 +
 src/or/connection_or.c                             |   2 +
 src/or/conscache.c                                 |   1 +
 src/or/control.c                                   |   2 +
 src/or/cpuworker.c                                 |   2 +
 src/or/directory.c                                 |   2 +
 src/or/dns.c                                       |   1 +
 src/or/dos.c                                       |   1 +
 src/or/entrynodes.c                                |   1 +
 src/or/ext_orport.c                                |   2 +
 src/or/hibernate.c                                 |   1 +
 src/or/hs_cache.c                                  |   1 +
 src/or/hs_cell.c                                   |   1 +
 src/or/hs_circuit.c                                |   2 +
 src/or/hs_client.c                                 |   2 +
 src/or/hs_common.c                                 |   2 +
 src/or/hs_control.c                                |   1 +
 src/or/hs_descriptor.c                             |   2 +
 src/or/hs_descriptor.h                             |   1 +
 src/or/hs_ident.c                                  |   1 +
 src/or/hs_ntor.c                                   |   1 +
 src/or/hs_service.c                                |   2 +
 src/or/main.c                                      |   1 +
 src/or/networkstatus.c                             |   2 +
 src/or/onion.c                                     |   1 +
 src/or/onion_fast.c                                |   2 +
 src/or/onion_ntor.c                                |   1 +
 src/or/onion_tap.c                                 |   2 +
 src/or/proto_socks.c                               |   1 +
 src/or/relay.c                                     |   2 +
 src/or/rendclient.c                                |   2 +
 src/or/rendcommon.c                                |   2 +
 src/or/rendservice.c                               |   2 +
 src/or/rephist.c                                   |   1 +
 src/or/router.c                                    |   2 +
 src/or/routerkeys.c                                |   1 +
 src/or/routerlist.c                                |   1 +
 src/or/routerparse.c                               |   1 +
 src/or/shared_random.c                             |   2 +
 src/or/shared_random_state.c                       |   1 +
 src/or/torcert.c                                   |   2 +-
 src/test/bench.c                                   |   1 +
 src/test/rend_test_helpers.c                       |   1 +
 src/test/test-memwipe.c                            |   2 +-
 src/test/test-timers.c                             |   2 +-
 src/test/test.c                                    |   1 +
 src/test/test_address_set.c                        |   1 +
 src/test/test_buffers.c                            |   1 +
 src/test/test_cell_formats.c                       |   1 +
 src/test/test_channel.c                            |   1 +
 src/test/test_consdiffmgr.c                        |   1 +
 src/test/test_containers.c                         |   1 +
 src/test/test_crypto.c                             |   3 +-
 src/test/test_crypto_openssl.c                     |   4 +-
 src/test/test_crypto_slow.c                        |   1 +
 src/test/test_dir.c                                |   1 +
 src/test/test_dos.c                                |   1 +
 src/test/test_entrynodes.c                         |   1 +
 src/test/test_extorport.c                          |   1 +
 src/test/test_helpers.c                            |   1 +
 src/test/test_hs_cell.c                            |   1 +
 src/test/test_hs_common.c                          |   1 +
 src/test/test_hs_descriptor.c                      |   1 +
 src/test/test_hs_intropoint.c                      |   2 +-
 src/test/test_hs_service.c                         |   2 +-
 src/test/test_nodelist.c                           |   1 +
 src/test/test_oom.c                                |   1 +
 src/test/test_routerlist.c                         |   1 +
 src/test/test_shared_random.c                      |   1 +
 src/test/test_storagedir.c                         |   1 +
 src/test/test_util.c                               |   1 +
 src/test/test_util_format.c                        |   1 +
 src/test/test_workqueue.c                          |   2 +-
 src/test/testing_common.c                          |   1 +
 src/test/testing_rsakeys.c                         |   1 +
 src/tools/tor-gencert.c                            |   2 +
 src/trunnel/trunnel-local.h                        |   2 +-
 109 files changed, 939 insertions(+), 657 deletions(-)

diff --git a/src/common/address_set.c b/src/common/address_set.c
index f61fa294e..b2f4bb4c9 100644
--- a/src/common/address_set.c
+++ b/src/common/address_set.c
@@ -15,7 +15,7 @@
 #include "address.h"
 #include "compat.h"
 #include "container.h"
-#include "crypto.h"
+#include "crypto_rand.h"
 #include "util.h"
 #include "siphash.h"
 
diff --git a/src/common/compat_libevent.c b/src/common/compat_libevent.c
index 735385557..6d8cac70e 100644
--- a/src/common/compat_libevent.c
+++ b/src/common/compat_libevent.c
@@ -11,7 +11,7 @@
 #define COMPAT_LIBEVENT_PRIVATE
 #include "compat_libevent.h"
 
-#include "crypto.h"
+#include "crypto_rand.h"
 
 #include "util.h"
 #include "torlog.h"
diff --git a/src/common/crypto.c b/src/common/crypto.c
index 9fcd17742..8d5897e49 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -28,8 +28,10 @@
 #include "crypto_curve25519.h"
 #include "crypto_ed25519.h"
 #include "crypto_format.h"
+#include "crypto_rand.h"
 #include "crypto_rsa.h"
 #include "crypto_digest.h"
+#include "crypto_util.h"
 
 DISABLE_GCC_WARNING(redundant-decls)
 
@@ -38,7 +40,6 @@ DISABLE_GCC_WARNING(redundant-decls)
 #include <openssl/pem.h>
 #include <openssl/evp.h>
 #include <openssl/engine.h>
-#include <openssl/rand.h>
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 #include <openssl/conf.h>
@@ -60,12 +61,6 @@ ENABLE_GCC_WARNING(redundant-decls)
 #ifdef HAVE_UNISTD_H
 #include <unistd.h>
 #endif
-#ifdef HAVE_FCNTL_H
-#include <fcntl.h>
-#endif
-#ifdef HAVE_SYS_FCNTL_H
-#include <sys/fcntl.h>
-#endif
 #ifdef HAVE_SYS_SYSCALL_H
 #include <sys/syscall.h>
 #endif
@@ -84,12 +79,6 @@ ENABLE_GCC_WARNING(redundant-decls)
 
 #include "keccak-tiny/keccak-tiny.h"
 
-/** Longest recognized */
-#define MAX_DNS_LABEL_SIZE 63
-
-/** Largest strong entropy request */
-#define MAX_STRONGEST_RAND_SIZE 256
-
 /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
  * while we're waiting for the second.*/
 struct crypto_dh_t {
@@ -162,23 +151,6 @@ try_load_engine(const char *path, const char *engine)
 }
 #endif /* !defined(DISABLE_ENGINES) */
 
-/** Make sure that openssl is using its default PRNG. Return 1 if we had to
- * adjust it; 0 otherwise. */
-STATIC int
-crypto_force_rand_ssleay(void)
-{
-  RAND_METHOD *default_method;
-  default_method = RAND_OpenSSL();
-  if (RAND_get_rand_method() != default_method) {
-    log_notice(LD_CRYPTO, "It appears that one of our engines has provided "
-               "a replacement the OpenSSL RNG. Resetting it to the default "
-               "implementation.");
-    RAND_set_rand_method(default_method);
-    return 1;
-  }
-  return 0;
-}
-
 static int have_seeded_siphash = 0;
 
 /** Set up the siphash key if we haven't already done so. */
@@ -1083,576 +1055,6 @@ crypto_dh_free_(crypto_dh_t *dh)
   tor_free(dh);
 }
 
-/* random numbers */
-
-/** How many bytes of entropy we add at once.
- *
- * This is how much entropy OpenSSL likes to add right now, so maybe it will
- * work for us too. */
-#define ADD_ENTROPY 32
-
-/** Set the seed of the weak RNG to a random value. */
-void
-crypto_seed_weak_rng(tor_weak_rng_t *rng)
-{
-  unsigned seed;
-  crypto_rand((void*)&seed, sizeof(seed));
-  tor_init_weak_random(rng, seed);
-}
-
-#ifdef TOR_UNIT_TESTS
-int break_strongest_rng_syscall = 0;
-int break_strongest_rng_fallback = 0;
-#endif
-
-/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
- * via system calls, storing it into <b>out</b>. Return 0 on success, -1 on
- * failure.  A maximum request size of 256 bytes is imposed.
- */
-static int
-crypto_strongest_rand_syscall(uint8_t *out, size_t out_len)
-{
-  tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
-
-  /* We only log at notice-level here because in the case that this function
-   * fails the crypto_strongest_rand_raw() caller will log with a warning-level
-   * message and let crypto_strongest_rand() error out and finally terminating
-   * Tor with an assertion error.
-   */
-
-#ifdef TOR_UNIT_TESTS
-  if (break_strongest_rng_syscall)
-    return -1;
-#endif
-
-#if defined(_WIN32)
-  static int provider_set = 0;
-  static HCRYPTPROV provider;
-
-  if (!provider_set) {
-    if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
-                             CRYPT_VERIFYCONTEXT)) {
-      log_notice(LD_CRYPTO, "Unable to set Windows CryptoAPI provider [1].");
-      return -1;
-    }
-    provider_set = 1;
-  }
-  if (!CryptGenRandom(provider, out_len, out)) {
-    log_notice(LD_CRYPTO, "Unable get entropy from the Windows CryptoAPI.");
-    return -1;
-  }
-
-  return 0;
-#elif defined(__linux__) && defined(SYS_getrandom)
-  static int getrandom_works = 1; /* Be optimistic about our chances... */
-
-  /* getrandom() isn't as straightforward as getentropy(), and has
-   * no glibc wrapper.
-   *
-   * As far as I can tell from getrandom(2) and the source code, the
-   * requests we issue will always succeed (though it will block on the
-   * call if /dev/urandom isn't seeded yet), since we are NOT specifying
-   * GRND_NONBLOCK and the request is <= 256 bytes.
-   *
-   * The manpage is unclear on what happens if a signal interrupts the call
-   * while the request is blocked due to lack of entropy....
-   *
-   * We optimistically assume that getrandom() is available and functional
-   * because it is the way of the future, and 2 branch mispredicts pale in
-   * comparison to the overheads involved with failing to open
-   * /dev/srandom followed by opening and reading from /dev/urandom.
-   */
-  if (PREDICT_LIKELY(getrandom_works)) {
-    long ret;
-    /* A flag of '0' here means to read from '/dev/urandom', and to
-     * block if insufficient entropy is available to service the
-     * request.
-     */
-    const unsigned int flags = 0;
-    do {
-      ret = syscall(SYS_getrandom, out, out_len, flags);
-    } while (ret == -1 && ((errno == EINTR) ||(errno == EAGAIN)));
-
-    if (PREDICT_UNLIKELY(ret == -1)) {
-      /* LCOV_EXCL_START we can't actually make the syscall fail in testing. */
-      tor_assert(errno != EAGAIN);
-      tor_assert(errno != EINTR);
-
-      /* Useful log message for errno. */
-      if (errno == ENOSYS) {
-        log_notice(LD_CRYPTO, "Can't get entropy from getrandom()."
-                   " You are running a version of Tor built to support"
-                   " getrandom(), but the kernel doesn't implement this"
-                   " function--probably because it is too old?"
-                   " Trying fallback method instead.");
-      } else {
-        log_notice(LD_CRYPTO, "Can't get entropy from getrandom(): %s."
-                              " Trying fallback method instead.",
-                   strerror(errno));
-      }
-
-      getrandom_works = 0; /* Don't bother trying again. */
-      return -1;
-      /* LCOV_EXCL_STOP */
-    }
-
-    tor_assert(ret == (long)out_len);
-    return 0;
-  }
-
-  return -1; /* getrandom() previously failed unexpectedly. */
-#elif defined(HAVE_GETENTROPY)
-  /* getentropy() is what Linux's getrandom() wants to be when it grows up.
-   * the only gotcha is that requests are limited to 256 bytes.
-   */
-  return getentropy(out, out_len);
-#else
-  (void) out;
-#endif /* defined(_WIN32) || ... */
-
-  /* This platform doesn't have a supported syscall based random. */
-  return -1;
-}
-
-/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
- * via the per-platform fallback mechanism, storing it into <b>out</b>.
- * Return 0 on success, -1 on failure.  A maximum request size of 256 bytes
- * is imposed.
- */
-static int
-crypto_strongest_rand_fallback(uint8_t *out, size_t out_len)
-{
-#ifdef TOR_UNIT_TESTS
-  if (break_strongest_rng_fallback)
-    return -1;
-#endif
-
-#ifdef _WIN32
-  /* Windows exclusively uses crypto_strongest_rand_syscall(). */
-  (void)out;
-  (void)out_len;
-  return -1;
-#else /* !(defined(_WIN32)) */
-  static const char *filenames[] = {
-    "/dev/srandom", "/dev/urandom", "/dev/random", NULL
-  };
-  int fd, i;
-  size_t n;
-
-  for (i = 0; filenames[i]; ++i) {
-    log_debug(LD_FS, "Considering %s as entropy source", filenames[i]);
-    fd = open(sandbox_intern_string(filenames[i]), O_RDONLY, 0);
-    if (fd<0) continue;
-    log_info(LD_CRYPTO, "Reading entropy from \"%s\"", filenames[i]);
-    n = read_all(fd, (char*)out, out_len, 0);
-    close(fd);
-    if (n != out_len) {
-      /* LCOV_EXCL_START
-       * We can't make /dev/foorandom actually fail. */
-      log_notice(LD_CRYPTO,
-                 "Error reading from entropy source %s (read only %lu bytes).",
-                 filenames[i],
-                 (unsigned long)n);
-      return -1;
-      /* LCOV_EXCL_STOP */
-    }
-
-    return 0;
-  }
-
-  return -1;
-#endif /* defined(_WIN32) */
-}
-
-/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
- * storing it into <b>out</b>. Return 0 on success, -1 on failure.  A maximum
- * request size of 256 bytes is imposed.
- */
-STATIC int
-crypto_strongest_rand_raw(uint8_t *out, size_t out_len)
-{
-  static const size_t sanity_min_size = 16;
-  static const int max_attempts = 3;
-  tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
-
-  /* For buffers >= 16 bytes (128 bits), we sanity check the output by
-   * zero filling the buffer and ensuring that it actually was at least
-   * partially modified.
-   *
-   * Checking that any individual byte is non-zero seems like it would
-   * fail too often (p = out_len * 1/256) for comfort, but this is an
-   * "adjust according to taste" sort of check.
-   */
-  memwipe(out, 0, out_len);
-  for (int i = 0; i < max_attempts; i++) {
-    /* Try to use the syscall/OS favored mechanism to get strong entropy. */
-    if (crypto_strongest_rand_syscall(out, out_len) != 0) {
-      /* Try to use the less-favored mechanism to get strong entropy. */
-      if (crypto_strongest_rand_fallback(out, out_len) != 0) {
-        /* Welp, we tried.  Hopefully the calling code terminates the process
-         * since we're basically boned without good entropy.
-         */
-        log_warn(LD_CRYPTO,
-                 "Cannot get strong entropy: no entropy source found.");
-        return -1;
-      }
-    }
-
-    if ((out_len < sanity_min_size) || !tor_mem_is_zero((char*)out, out_len))
-      return 0;
-  }
-
-  /* LCOV_EXCL_START
-   *
-   * We tried max_attempts times to fill a buffer >= 128 bits long,
-   * and each time it returned all '0's.  Either the system entropy
-   * source is busted, or the user should go out and buy a ticket to
-   * every lottery on the planet.
-   */
-  log_warn(LD_CRYPTO, "Strong OS entropy returned all zero buffer.");
-
-  return -1;
-  /* LCOV_EXCL_STOP */
-}
-
-/** Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
- * storing it into <b>out</b>.
- */
-void
-crypto_strongest_rand(uint8_t *out, size_t out_len)
-{
-#define DLEN SHA512_DIGEST_LENGTH
-  /* We're going to hash DLEN bytes from the system RNG together with some
-   * bytes from the openssl PRNG, in order to yield DLEN bytes.
-   */
-  uint8_t inp[DLEN*2];
-  uint8_t tmp[DLEN];
-  tor_assert(out);
-  while (out_len) {
-    crypto_rand((char*) inp, DLEN);
-    if (crypto_strongest_rand_raw(inp+DLEN, DLEN) < 0) {
-      // LCOV_EXCL_START
-      log_err(LD_CRYPTO, "Failed to load strong entropy when generating an "
-              "important key. Exiting.");
-      /* Die with an assertion so we get a stack trace. */
-      tor_assert(0);
-      // LCOV_EXCL_STOP
-    }
-    if (out_len >= DLEN) {
-      SHA512(inp, sizeof(inp), out);
-      out += DLEN;
-      out_len -= DLEN;
-    } else {
-      SHA512(inp, sizeof(inp), tmp);
-      memcpy(out, tmp, out_len);
-      break;
-    }
-  }
-  memwipe(tmp, 0, sizeof(tmp));
-  memwipe(inp, 0, sizeof(inp));
-#undef DLEN
-}
-
-/** Seed OpenSSL's random number generator with bytes from the operating
- * system.  Return 0 on success, -1 on failure.
- */
-int
-crypto_seed_rng(void)
-{
-  int rand_poll_ok = 0, load_entropy_ok = 0;
-  uint8_t buf[ADD_ENTROPY];
-
-  /* OpenSSL has a RAND_poll function that knows about more kinds of
-   * entropy than we do.  We'll try calling that, *and* calling our own entropy
-   * functions.  If one succeeds, we'll accept the RNG as seeded. */
-  rand_poll_ok = RAND_poll();
-  if (rand_poll_ok == 0)
-    log_warn(LD_CRYPTO, "RAND_poll() failed."); // LCOV_EXCL_LINE
-
-  load_entropy_ok = !crypto_strongest_rand_raw(buf, sizeof(buf));
-  if (load_entropy_ok) {
-    RAND_seed(buf, sizeof(buf));
-  }
-
-  memwipe(buf, 0, sizeof(buf));
-
-  if ((rand_poll_ok || load_entropy_ok) && RAND_status() == 1)
-    return 0;
-  else
-    return -1;
-}
-
-/** Write <b>n</b> bytes of strong random data to <b>to</b>. Supports mocking
- * for unit tests.
- *
- * This function is not allowed to fail; if it would fail to generate strong
- * entropy, it must terminate the process instead.
- */
-MOCK_IMPL(void,
-crypto_rand, (char *to, size_t n))
-{
-  crypto_rand_unmocked(to, n);
-}
-
-/** Write <b>n</b> bytes of strong random data to <b>to</b>.  Most callers
- * will want crypto_rand instead.
- *
- * This function is not allowed to fail; if it would fail to generate strong
- * entropy, it must terminate the process instead.
- */
-void
-crypto_rand_unmocked(char *to, size_t n)
-{
-  int r;
-  if (n == 0)
-    return;
-
-  tor_assert(n < INT_MAX);
-  tor_assert(to);
-  r = RAND_bytes((unsigned char*)to, (int)n);
-  /* We consider a PRNG failure non-survivable. Let's assert so that we get a
-   * stack trace about where it happened.
-   */
-  tor_assert(r >= 0);
-}
-
-/** Return a pseudorandom integer, chosen uniformly from the values
- * between 0 and <b>max</b>-1 inclusive.  <b>max</b> must be between 1 and
- * INT_MAX+1, inclusive. */
-int
-crypto_rand_int(unsigned int max)
-{
-  unsigned int val;
-  unsigned int cutoff;
-  tor_assert(max <= ((unsigned int)INT_MAX)+1);
-  tor_assert(max > 0); /* don't div by 0 */
-
-  /* We ignore any values that are >= 'cutoff,' to avoid biasing the
-   * distribution with clipping at the upper end of unsigned int's
-   * range.
-   */
-  cutoff = UINT_MAX - (UINT_MAX%max);
-  while (1) {
-    crypto_rand((char*)&val, sizeof(val));
-    if (val < cutoff)
-      return val % max;
-  }
-}
-
-/** Return a pseudorandom integer, chosen uniformly from the values i such
- * that min <= i < max.
- *
- * <b>min</b> MUST be in range [0, <b>max</b>).
- * <b>max</b> MUST be in range (min, INT_MAX].
- */
-int
-crypto_rand_int_range(unsigned int min, unsigned int max)
-{
-  tor_assert(min < max);
-  tor_assert(max <= INT_MAX);
-
-  /* The overflow is avoided here because crypto_rand_int() returns a value
-   * between 0 and (max - min) inclusive. */
-  return min + crypto_rand_int(max - min);
-}
-
-/** As crypto_rand_int_range, but supports uint64_t. */
-uint64_t
-crypto_rand_uint64_range(uint64_t min, uint64_t max)
-{
-  tor_assert(min < max);
-  return min + crypto_rand_uint64(max - min);
-}
-
-/** As crypto_rand_int_range, but supports time_t. */
-time_t
-crypto_rand_time_range(time_t min, time_t max)
-{
-  tor_assert(min < max);
-  return min + (time_t)crypto_rand_uint64(max - min);
-}
-
-/** Return a pseudorandom 64-bit integer, chosen uniformly from the values
- * between 0 and <b>max</b>-1 inclusive. */
-uint64_t
-crypto_rand_uint64(uint64_t max)
-{
-  uint64_t val;
-  uint64_t cutoff;
-  tor_assert(max < UINT64_MAX);
-  tor_assert(max > 0); /* don't div by 0 */
-
-  /* We ignore any values that are >= 'cutoff,' to avoid biasing the
-   * distribution with clipping at the upper end of unsigned int's
-   * range.
-   */
-  cutoff = UINT64_MAX - (UINT64_MAX%max);
-  while (1) {
-    crypto_rand((char*)&val, sizeof(val));
-    if (val < cutoff)
-      return val % max;
-  }
-}
-
-/** Return a pseudorandom double d, chosen uniformly from the range
- * 0.0 <= d < 1.0.
- */
-double
-crypto_rand_double(void)
-{
-  /* We just use an unsigned int here; we don't really care about getting
-   * more than 32 bits of resolution */
-  unsigned int u;
-  crypto_rand((char*)&u, sizeof(u));
-#if SIZEOF_INT == 4
-#define UINT_MAX_AS_DOUBLE 4294967296.0
-#elif SIZEOF_INT == 8
-#define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
-#else
-#error SIZEOF_INT is neither 4 nor 8
-#endif /* SIZEOF_INT == 4 || ... */
-  return ((double)u) / UINT_MAX_AS_DOUBLE;
-}
-
-/** Generate and return a new random hostname starting with <b>prefix</b>,
- * ending with <b>suffix</b>, and containing no fewer than
- * <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
- * characters. Does not check for failure.
- *
- * Clip <b>max_rand_len</b> to MAX_DNS_LABEL_SIZE.
- **/
-char *
-crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix,
-                       const char *suffix)
-{
-  char *result, *rand_bytes;
-  int randlen, rand_bytes_len;
-  size_t resultlen, prefixlen;
-
-  if (max_rand_len > MAX_DNS_LABEL_SIZE)
-    max_rand_len = MAX_DNS_LABEL_SIZE;
-  if (min_rand_len > max_rand_len)
-    min_rand_len = max_rand_len;
-
-  randlen = crypto_rand_int_range(min_rand_len, max_rand_len+1);
-
-  prefixlen = strlen(prefix);
-  resultlen = prefixlen + strlen(suffix) + randlen + 16;
-
-  rand_bytes_len = ((randlen*5)+7)/8;
-  if (rand_bytes_len % 5)
-    rand_bytes_len += 5 - (rand_bytes_len%5);
-  rand_bytes = tor_malloc(rand_bytes_len);
-  crypto_rand(rand_bytes, rand_bytes_len);
-
-  result = tor_malloc(resultlen);
-  memcpy(result, prefix, prefixlen);
-  base32_encode(result+prefixlen, resultlen-prefixlen,
-                rand_bytes, rand_bytes_len);
-  tor_free(rand_bytes);
-  strlcpy(result+prefixlen+randlen, suffix, resultlen-(prefixlen+randlen));
-
-  return result;
-}
-
-/** Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
- * is empty. */
-void *
-smartlist_choose(const smartlist_t *sl)
-{
-  int len = smartlist_len(sl);
-  if (len)
-    return smartlist_get(sl,crypto_rand_int(len));
-  return NULL; /* no elements to choose from */
-}
-
-/** Scramble the elements of <b>sl</b> into a random order. */
-void
-smartlist_shuffle(smartlist_t *sl)
-{
-  int i;
-  /* From the end of the list to the front, choose at random from the
-     positions we haven't looked at yet, and swap that position into the
-     current position.  Remember to give "no swap" the same probability as
-     any other swap. */
-  for (i = smartlist_len(sl)-1; i > 0; --i) {
-    int j = crypto_rand_int(i+1);
-    smartlist_swap(sl, i, j);
-  }
-}
-
-/**
- * Destroy the <b>sz</b> bytes of data stored at <b>mem</b>, setting them to
- * the value <b>byte</b>.
- * If <b>mem</b> is NULL or <b>sz</b> is zero, nothing happens.
- *
- * This function is preferable to memset, since many compilers will happily
- * optimize out memset() when they can convince themselves that the data being
- * cleared will never be read.
- *
- * Right now, our convention is to use this function when we are wiping data
- * that's about to become inaccessible, such as stack buffers that are about
- * to go out of scope or structures that are about to get freed.  (In
- * practice, it appears that the compilers we're currently using will optimize
- * out the memset()s for stack-allocated buffers, but not those for
- * about-to-be-freed structures. That could change, though, so we're being
- * wary.)  If there are live reads for the data, then you can just use
- * memset().
- */
-void
-memwipe(void *mem, uint8_t byte, size_t sz)
-{
-  if (sz == 0) {
-    return;
-  }
-  /* If sz is nonzero, then mem must not be NULL. */
-  tor_assert(mem != NULL);
-
-  /* Data this large is likely to be an underflow. */
-  tor_assert(sz < SIZE_T_CEILING);
-
-  /* Because whole-program-optimization exists, we may not be able to just
-   * have this function call "memset".  A smart compiler could inline it, then
-   * eliminate dead memsets, and declare itself to be clever. */
-
-#if defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY)
-  /* Here's what you do on windows. */
-  SecureZeroMemory(mem,sz);
-#elif defined(HAVE_RTLSECUREZEROMEMORY)
-  RtlSecureZeroMemory(mem,sz);
-#elif defined(HAVE_EXPLICIT_BZERO)
-  /* The BSDs provide this. */
-  explicit_bzero(mem, sz);
-#elif defined(HAVE_MEMSET_S)
-  /* This is in the C99 standard. */
-  memset_s(mem, sz, 0, sz);
-#else
-  /* This is a slow and ugly function from OpenSSL that fills 'mem' with junk
-   * based on the pointer value, then uses that junk to update a global
-   * variable.  It's an elaborate ruse to trick the compiler into not
-   * optimizing out the "wipe this memory" code.  Read it if you like zany
-   * programming tricks! In later versions of Tor, we should look for better
-   * not-optimized-out memory wiping stuff...
-   *
-   * ...or maybe not.  In practice, there are pure-asm implementations of
-   * OPENSSL_cleanse() on most platforms, which ought to do the job.
-   **/
-
-  OPENSSL_cleanse(mem, sz);
-#endif /* defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY) || ... */
-
-  /* Just in case some caller of memwipe() is relying on getting a buffer
-   * filled with a particular value, fill the buffer.
-   *
-   * If this function gets inlined, this memset might get eliminated, but
-   * that's okay: We only care about this particular memset in the case where
-   * the caller should have been using memset(), and the memset() wouldn't get
-   * eliminated.  In other words, this is here so that we won't break anything
-   * if somebody accidentally calls memwipe() instead of memset().
-   **/
-  memset(mem, byte, sz);
-}
-
 /** @{ */
 /** Uninitialize the crypto library. Return 0 on success. Does not detect
  * failure.
diff --git a/src/common/crypto.h b/src/common/crypto.h
index b58679032..61a2952d2 100644
--- a/src/common/crypto.h
+++ b/src/common/crypto.h
@@ -105,31 +105,6 @@ int crypto_expand_key_material_rfc5869_sha256(
                                     const uint8_t *info_in, size_t info_in_len,
                                     uint8_t *key_out, size_t key_out_len);
 
-/* random numbers */
-int crypto_seed_rng(void) ATTR_WUR;
-MOCK_DECL(void,crypto_rand,(char *to, size_t n));
-void crypto_rand_unmocked(char *to, size_t n);
-void crypto_strongest_rand(uint8_t *out, size_t out_len);
-int crypto_rand_int(unsigned int max);
-int crypto_rand_int_range(unsigned int min, unsigned int max);
-uint64_t crypto_rand_uint64_range(uint64_t min, uint64_t max);
-time_t crypto_rand_time_range(time_t min, time_t max);
-uint64_t crypto_rand_uint64(uint64_t max);
-double crypto_rand_double(void);
-struct tor_weak_rng_t;
-void crypto_seed_weak_rng(struct tor_weak_rng_t *rng);
-int crypto_init_siphash_key(void);
-
-char *crypto_random_hostname(int min_rand_len, int max_rand_len,
-                             const char *prefix, const char *suffix);
-
-struct smartlist_t;
-void *smartlist_choose(const struct smartlist_t *sl);
-void smartlist_shuffle(struct smartlist_t *sl);
-
-/** OpenSSL-based utility functions. */
-void memwipe(void *mem, uint8_t byte, size_t sz);
-
 /* Prototypes for private functions only used by tortls.c, crypto.c, and the
  * unit tests. */
 struct dh_st;
@@ -137,16 +112,5 @@ struct dh_st *crypto_dh_get_dh_(crypto_dh_t *dh);
 
 void crypto_add_spaces_to_fp(char *out, size_t outlen, const char *in);
 
-#ifdef CRYPTO_PRIVATE
-
-STATIC int crypto_force_rand_ssleay(void);
-STATIC int crypto_strongest_rand_raw(uint8_t *out, size_t out_len);
-
-#ifdef TOR_UNIT_TESTS
-extern int break_strongest_rng_syscall;
-extern int break_strongest_rng_fallback;
-#endif
-#endif /* defined(CRYPTO_PRIVATE) */
-
 #endif /* !defined(TOR_CRYPTO_H) */
 
diff --git a/src/common/crypto_curve25519.c b/src/common/crypto_curve25519.c
index ccf12d00f..0719c2f85 100644
--- a/src/common/crypto_curve25519.c
+++ b/src/common/crypto_curve25519.c
@@ -25,6 +25,8 @@
 #include "crypto_curve25519.h"
 #include "crypto_format.h"
 #include "crypto_digest.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "util.h"
 #include "torlog.h"
 
diff --git a/src/common/crypto_digest.c b/src/common/crypto_digest.c
index cdcc1828c..f7163de13 100644
--- a/src/common/crypto_digest.c
+++ b/src/common/crypto_digest.c
@@ -10,10 +10,13 @@
  * operations.
  **/
 
+#include "container.h"
 #include "crypto_digest.h"
-
-#include "crypto.h" /* common functions */
 #include "crypto_openssl_mgt.h"
+#include "crypto_util.h"
+#include "torlog.h"
+
+#include "keccak-tiny/keccak-tiny.h"
 
 DISABLE_GCC_WARNING(redundant-decls)
 
@@ -22,8 +25,6 @@ DISABLE_GCC_WARNING(redundant-decls)
 
 ENABLE_GCC_WARNING(redundant-decls)
 
-#include "container.h"
-
 /* Crypto digest functions */
 
 /** Compute the SHA1 digest of the <b>len</b> bytes on data stored in
diff --git a/src/common/crypto_ed25519.c b/src/common/crypto_ed25519.c
index f1cc0cb18..baddb77dd 100644
--- a/src/common/crypto_ed25519.c
+++ b/src/common/crypto_ed25519.c
@@ -27,6 +27,8 @@
 #include "crypto_curve25519.h"
 #include "crypto_ed25519.h"
 #include "crypto_format.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "torlog.h"
 #include "util.h"
 #include "util_format.h"
diff --git a/src/common/crypto_format.c b/src/common/crypto_format.c
index 3f6fb9f54..c0cade2f5 100644
--- a/src/common/crypto_format.c
+++ b/src/common/crypto_format.c
@@ -20,6 +20,7 @@
 #include "crypto_ed25519.h"
 #include "crypto_format.h"
 #include "crypto_digest.h"
+#include "crypto_util.h"
 #include "util.h"
 #include "util_format.h"
 #include "torlog.h"
diff --git a/src/common/crypto_pwbox.c b/src/common/crypto_pwbox.c
index 604fc68e9..e49ca226e 100644
--- a/src/common/crypto_pwbox.c
+++ b/src/common/crypto_pwbox.c
@@ -12,6 +12,8 @@
 #include "crypto_s2k.h"
 #include "crypto_pwbox.h"
 #include "crypto_digest.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "di_ops.h"
 #include "util.h"
 #include "pwbox.h"
diff --git a/src/common/crypto_rand.c b/src/common/crypto_rand.c
new file mode 100644
index 000000000..66506235a
--- /dev/null
+++ b/src/common/crypto_rand.c
@@ -0,0 +1,609 @@
+/* Copyright (c) 2001, Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file crypto_rand.c
+ *
+ * \brief Functions for initialising and seeding (pseudo-)random
+ * number generators, and working with randomness.
+ **/
+
+#ifndef CRYPTO_RAND_PRIVATE
+#define CRYPTO_RAND_PRIVATE
+
+#ifdef _WIN32
+#include <windows.h>
+#include <wincrypt.h>
+#endif /* defined(_WIN32) */
+
+#include "crypto_rand.h"
+
+#include "container.h"
+#include "compat.h"
+#include "compat_openssl.h"
+#include "crypto_util.h"
+#include "sandbox.h"
+#include "testsupport.h"
+#include "torlog.h"
+#include "util.h"
+#include "util_format.h"
+
+DISABLE_GCC_WARNING(redundant-decls)
+#include <openssl/rand.h>
+ENABLE_GCC_WARNING(redundant-decls)
+
+#if __GNUC__ && GCC_VERSION >= 402
+#if GCC_VERSION >= 406
+#pragma GCC diagnostic pop
+#else
+#pragma GCC diagnostic warning "-Wredundant-decls"
+#endif
+#endif /* __GNUC__ && GCC_VERSION >= 402 */
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_FCNTL_H
+#include <sys/fcntl.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+/**
+ * How many bytes of entropy we add at once.
+ *
+ * This is how much entropy OpenSSL likes to add right now, so maybe it will
+ * work for us too.
+ **/
+#define ADD_ENTROPY 32
+
+/**
+ * Longest recognized DNS query.
+ **/
+#define MAX_DNS_LABEL_SIZE 63
+
+/**
+ * Largest strong entropy request permitted.
+ **/
+#define MAX_STRONGEST_RAND_SIZE 256
+
+/**
+ * Set the seed of the weak RNG to a random value.
+ **/
+void
+crypto_seed_weak_rng(tor_weak_rng_t *rng)
+{
+  unsigned seed;
+  crypto_rand((void*)&seed, sizeof(seed));
+  tor_init_weak_random(rng, seed);
+}
+
+#ifdef TOR_UNIT_TESTS
+int break_strongest_rng_syscall = 0;
+int break_strongest_rng_fallback = 0;
+#endif
+
+/**
+ * Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
+ * via system calls, storing it into <b>out</b>. Return 0 on success, -1 on
+ * failure.  A maximum request size of 256 bytes is imposed.
+ **/
+static int
+crypto_strongest_rand_syscall(uint8_t *out, size_t out_len)
+{
+  tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
+
+  /* We only log at notice-level here because in the case that this function
+   * fails the crypto_strongest_rand_raw() caller will log with a warning-level
+   * message and let crypto_strongest_rand() error out and finally terminating
+   * Tor with an assertion error.
+   */
+
+#ifdef TOR_UNIT_TESTS
+  if (break_strongest_rng_syscall)
+    return -1;
+#endif
+
+#if defined(_WIN32)
+  static int provider_set = 0;
+  static HCRYPTPROV provider;
+
+  if (!provider_set) {
+    if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
+                             CRYPT_VERIFYCONTEXT)) {
+      log_notice(LD_CRYPTO, "Unable to set Windows CryptoAPI provider [1].");
+      return -1;
+    }
+    provider_set = 1;
+  }
+  if (!CryptGenRandom(provider, out_len, out)) {
+    log_notice(LD_CRYPTO, "Unable get entropy from the Windows CryptoAPI.");
+    return -1;
+  }
+
+  return 0;
+#elif defined(__linux__) && defined(SYS_getrandom)
+  static int getrandom_works = 1; /* Be optimistic about our chances... */
+
+  /* getrandom() isn't as straightforward as getentropy(), and has
+   * no glibc wrapper.
+   *
+   * As far as I can tell from getrandom(2) and the source code, the
+   * requests we issue will always succeed (though it will block on the
+   * call if /dev/urandom isn't seeded yet), since we are NOT specifying
+   * GRND_NONBLOCK and the request is <= 256 bytes.
+   *
+   * The manpage is unclear on what happens if a signal interrupts the call
+   * while the request is blocked due to lack of entropy....
+   *
+   * We optimistically assume that getrandom() is available and functional
+   * because it is the way of the future, and 2 branch mispredicts pale in
+   * comparison to the overheads involved with failing to open
+   * /dev/srandom followed by opening and reading from /dev/urandom.
+   */
+  if (PREDICT_LIKELY(getrandom_works)) {
+    long ret;
+    /* A flag of '0' here means to read from '/dev/urandom', and to
+     * block if insufficient entropy is available to service the
+     * request.
+     */
+    const unsigned int flags = 0;
+    do {
+      ret = syscall(SYS_getrandom, out, out_len, flags);
+    } while (ret == -1 && ((errno == EINTR) ||(errno == EAGAIN)));
+
+    if (PREDICT_UNLIKELY(ret == -1)) {
+      /* LCOV_EXCL_START we can't actually make the syscall fail in testing. */
+      tor_assert(errno != EAGAIN);
+      tor_assert(errno != EINTR);
+
+      /* Useful log message for errno. */
+      if (errno == ENOSYS) {
+        log_notice(LD_CRYPTO, "Can't get entropy from getrandom()."
+                   " You are running a version of Tor built to support"
+                   " getrandom(), but the kernel doesn't implement this"
+                   " function--probably because it is too old?"
+                   " Trying fallback method instead.");
+      } else {
+        log_notice(LD_CRYPTO, "Can't get entropy from getrandom(): %s."
+                              " Trying fallback method instead.",
+                   strerror(errno));
+      }
+
+      getrandom_works = 0; /* Don't bother trying again. */
+      return -1;
+      /* LCOV_EXCL_STOP */
+    }
+
+    tor_assert(ret == (long)out_len);
+    return 0;
+  }
+
+  return -1; /* getrandom() previously failed unexpectedly. */
+#elif defined(HAVE_GETENTROPY)
+  /* getentropy() is what Linux's getrandom() wants to be when it grows up.
+   * the only gotcha is that requests are limited to 256 bytes.
+   */
+  return getentropy(out, out_len);
+#else
+  (void) out;
+#endif /* defined(_WIN32) || ... */
+
+  /* This platform doesn't have a supported syscall based random. */
+  return -1;
+}
+
+/**
+ * Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
+ * via the per-platform fallback mechanism, storing it into <b>out</b>.
+ * Return 0 on success, -1 on failure.  A maximum request size of 256 bytes
+ * is imposed.
+ **/
+static int
+crypto_strongest_rand_fallback(uint8_t *out, size_t out_len)
+{
+#ifdef TOR_UNIT_TESTS
+  if (break_strongest_rng_fallback)
+    return -1;
+#endif
+
+#ifdef _WIN32
+  /* Windows exclusively uses crypto_strongest_rand_syscall(). */
+  (void)out;
+  (void)out_len;
+  return -1;
+#else /* !(defined(_WIN32)) */
+  static const char *filenames[] = {
+    "/dev/srandom", "/dev/urandom", "/dev/random", NULL
+  };
+  int fd, i;
+  size_t n;
+
+  for (i = 0; filenames[i]; ++i) {
+    log_debug(LD_FS, "Considering %s as entropy source", filenames[i]);
+    fd = open(sandbox_intern_string(filenames[i]), O_RDONLY, 0);
+    if (fd<0) continue;
+    log_info(LD_CRYPTO, "Reading entropy from \"%s\"", filenames[i]);
+    n = read_all(fd, (char*)out, out_len, 0);
+    close(fd);
+    if (n != out_len) {
+      /* LCOV_EXCL_START
+       * We can't make /dev/foorandom actually fail. */
+      log_notice(LD_CRYPTO,
+                 "Error reading from entropy source %s (read only %lu bytes).",
+                 filenames[i],
+                 (unsigned long)n);
+      return -1;
+      /* LCOV_EXCL_STOP */
+    }
+
+    return 0;
+  }
+
+  return -1;
+#endif /* defined(_WIN32) */
+}
+
+/**
+ * Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
+ * storing it into <b>out</b>. Return 0 on success, -1 on failure.  A maximum
+ * request size of 256 bytes is imposed.
+ **/
+STATIC int
+crypto_strongest_rand_raw(uint8_t *out, size_t out_len)
+{
+  static const size_t sanity_min_size = 16;
+  static const int max_attempts = 3;
+  tor_assert(out_len <= MAX_STRONGEST_RAND_SIZE);
+
+  /* For buffers >= 16 bytes (128 bits), we sanity check the output by
+   * zero filling the buffer and ensuring that it actually was at least
+   * partially modified.
+   *
+   * Checking that any individual byte is non-zero seems like it would
+   * fail too often (p = out_len * 1/256) for comfort, but this is an
+   * "adjust according to taste" sort of check.
+   */
+  memwipe(out, 0, out_len);
+  for (int i = 0; i < max_attempts; i++) {
+    /* Try to use the syscall/OS favored mechanism to get strong entropy. */
+    if (crypto_strongest_rand_syscall(out, out_len) != 0) {
+      /* Try to use the less-favored mechanism to get strong entropy. */
+      if (crypto_strongest_rand_fallback(out, out_len) != 0) {
+        /* Welp, we tried.  Hopefully the calling code terminates the process
+         * since we're basically boned without good entropy.
+         */
+        log_warn(LD_CRYPTO,
+                 "Cannot get strong entropy: no entropy source found.");
+        return -1;
+      }
+    }
+
+    if ((out_len < sanity_min_size) || !tor_mem_is_zero((char*)out, out_len))
+      return 0;
+  }
+
+  /* LCOV_EXCL_START
+   *
+   * We tried max_attempts times to fill a buffer >= 128 bits long,
+   * and each time it returned all '0's.  Either the system entropy
+   * source is busted, or the user should go out and buy a ticket to
+   * every lottery on the planet.
+   */
+  log_warn(LD_CRYPTO, "Strong OS entropy returned all zero buffer.");
+
+  return -1;
+  /* LCOV_EXCL_STOP */
+}
+
+/**
+ * Try to get <b>out_len</b> bytes of the strongest entropy we can generate,
+ * storing it into <b>out</b>.
+ **/
+void
+crypto_strongest_rand(uint8_t *out, size_t out_len)
+{
+#define DLEN SHA512_DIGEST_LENGTH
+  /* We're going to hash DLEN bytes from the system RNG together with some
+   * bytes from the openssl PRNG, in order to yield DLEN bytes.
+   */
+  uint8_t inp[DLEN*2];
+  uint8_t tmp[DLEN];
+  tor_assert(out);
+  while (out_len) {
+    crypto_rand((char*) inp, DLEN);
+    if (crypto_strongest_rand_raw(inp+DLEN, DLEN) < 0) {
+      // LCOV_EXCL_START
+      log_err(LD_CRYPTO, "Failed to load strong entropy when generating an "
+              "important key. Exiting.");
+      /* Die with an assertion so we get a stack trace. */
+      tor_assert(0);
+      // LCOV_EXCL_STOP
+    }
+    if (out_len >= DLEN) {
+      SHA512(inp, sizeof(inp), out);
+      out += DLEN;
+      out_len -= DLEN;
+    } else {
+      SHA512(inp, sizeof(inp), tmp);
+      memcpy(out, tmp, out_len);
+      break;
+    }
+  }
+  memwipe(tmp, 0, sizeof(tmp));
+  memwipe(inp, 0, sizeof(inp));
+#undef DLEN
+}
+
+/**
+ * Seed OpenSSL's random number generator with bytes from the operating
+ * system.  Return 0 on success, -1 on failure.
+ **/
+int
+crypto_seed_rng(void)
+{
+  int rand_poll_ok = 0, load_entropy_ok = 0;
+  uint8_t buf[ADD_ENTROPY];
+
+  /* OpenSSL has a RAND_poll function that knows about more kinds of
+   * entropy than we do.  We'll try calling that, *and* calling our own entropy
+   * functions.  If one succeeds, we'll accept the RNG as seeded. */
+  rand_poll_ok = RAND_poll();
+  if (rand_poll_ok == 0)
+    log_warn(LD_CRYPTO, "RAND_poll() failed."); // LCOV_EXCL_LINE
+
+  load_entropy_ok = !crypto_strongest_rand_raw(buf, sizeof(buf));
+  if (load_entropy_ok) {
+    RAND_seed(buf, sizeof(buf));
+  }
+
+  memwipe(buf, 0, sizeof(buf));
+
+  if ((rand_poll_ok || load_entropy_ok) && RAND_status() == 1)
+    return 0;
+  else
+    return -1;
+}
+
+/**
+ * Write <b>n</b> bytes of strong random data to <b>to</b>. Supports mocking
+ * for unit tests.
+ *
+ * This function is not allowed to fail; if it would fail to generate strong
+ * entropy, it must terminate the process instead.
+ **/
+MOCK_IMPL(void,
+crypto_rand, (char *to, size_t n))
+{
+  crypto_rand_unmocked(to, n);
+}
+
+/**
+ * Write <b>n</b> bytes of strong random data to <b>to</b>.  Most callers
+ * will want crypto_rand instead.
+ *
+ * This function is not allowed to fail; if it would fail to generate strong
+ * entropy, it must terminate the process instead.
+ **/
+void
+crypto_rand_unmocked(char *to, size_t n)
+{
+  int r;
+  if (n == 0)
+    return;
+
+  tor_assert(n < INT_MAX);
+  tor_assert(to);
+  r = RAND_bytes((unsigned char*)to, (int)n);
+  /* We consider a PRNG failure non-survivable. Let's assert so that we get a
+   * stack trace about where it happened.
+   */
+  tor_assert(r >= 0);
+}
+
+/**
+ * Return a pseudorandom integer, chosen uniformly from the values
+ * between 0 and <b>max</b>-1 inclusive.  <b>max</b> must be between 1 and
+ * INT_MAX+1, inclusive.
+ */
+int
+crypto_rand_int(unsigned int max)
+{
+  unsigned int val;
+  unsigned int cutoff;
+  tor_assert(max <= ((unsigned int)INT_MAX)+1);
+  tor_assert(max > 0); /* don't div by 0 */
+
+  /* We ignore any values that are >= 'cutoff,' to avoid biasing the
+   * distribution with clipping at the upper end of unsigned int's
+   * range.
+   */
+  cutoff = UINT_MAX - (UINT_MAX%max);
+  while (1) {
+    crypto_rand((char*)&val, sizeof(val));
+    if (val < cutoff)
+      return val % max;
+  }
+}
+
+/**
+ * Return a pseudorandom integer, chosen uniformly from the values i such
+ * that min <= i < max.
+ *
+ * <b>min</b> MUST be in range [0, <b>max</b>).
+ * <b>max</b> MUST be in range (min, INT_MAX].
+ **/
+int
+crypto_rand_int_range(unsigned int min, unsigned int max)
+{
+  tor_assert(min < max);
+  tor_assert(max <= INT_MAX);
+
+  /* The overflow is avoided here because crypto_rand_int() returns a value
+   * between 0 and (max - min) inclusive. */
+  return min + crypto_rand_int(max - min);
+}
+
+/**
+ * As crypto_rand_int_range, but supports uint64_t.
+ **/
+uint64_t
+crypto_rand_uint64_range(uint64_t min, uint64_t max)
+{
+  tor_assert(min < max);
+  return min + crypto_rand_uint64(max - min);
+}
+
+/**
+ * As crypto_rand_int_range, but supports time_t.
+ **/
+time_t
+crypto_rand_time_range(time_t min, time_t max)
+{
+  tor_assert(min < max);
+  return min + (time_t)crypto_rand_uint64(max - min);
+}
+
+/**
+ * Return a pseudorandom 64-bit integer, chosen uniformly from the values
+ * between 0 and <b>max</b>-1 inclusive.
+ **/
+uint64_t
+crypto_rand_uint64(uint64_t max)
+{
+  uint64_t val;
+  uint64_t cutoff;
+  tor_assert(max < UINT64_MAX);
+  tor_assert(max > 0); /* don't div by 0 */
+
+  /* We ignore any values that are >= 'cutoff,' to avoid biasing the
+   * distribution with clipping at the upper end of unsigned int's
+   * range.
+   */
+  cutoff = UINT64_MAX - (UINT64_MAX%max);
+  while (1) {
+    crypto_rand((char*)&val, sizeof(val));
+    if (val < cutoff)
+      return val % max;
+  }
+}
+
+/**
+ * Return a pseudorandom double d, chosen uniformly from the range
+ * 0.0 <= d < 1.0.
+ **/
+double
+crypto_rand_double(void)
+{
+  /* We just use an unsigned int here; we don't really care about getting
+   * more than 32 bits of resolution */
+  unsigned int u;
+  crypto_rand((char*)&u, sizeof(u));
+#if SIZEOF_INT == 4
+#define UINT_MAX_AS_DOUBLE 4294967296.0
+#elif SIZEOF_INT == 8
+#define UINT_MAX_AS_DOUBLE 1.8446744073709552e+19
+#else
+#error SIZEOF_INT is neither 4 nor 8
+#endif /* SIZEOF_INT == 4 || ... */
+  return ((double)u) / UINT_MAX_AS_DOUBLE;
+}
+
+/**
+ * Generate and return a new random hostname starting with <b>prefix</b>,
+ * ending with <b>suffix</b>, and containing no fewer than
+ * <b>min_rand_len</b> and no more than <b>max_rand_len</b> random base32
+ * characters. Does not check for failure.
+ *
+ * Clip <b>max_rand_len</b> to MAX_DNS_LABEL_SIZE.
+ **/
+char *
+crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix,
+                       const char *suffix)
+{
+  char *result, *rand_bytes;
+  int randlen, rand_bytes_len;
+  size_t resultlen, prefixlen;
+
+  if (max_rand_len > MAX_DNS_LABEL_SIZE)
+    max_rand_len = MAX_DNS_LABEL_SIZE;
+  if (min_rand_len > max_rand_len)
+    min_rand_len = max_rand_len;
+
+  randlen = crypto_rand_int_range(min_rand_len, max_rand_len+1);
+
+  prefixlen = strlen(prefix);
+  resultlen = prefixlen + strlen(suffix) + randlen + 16;
+
+  rand_bytes_len = ((randlen*5)+7)/8;
+  if (rand_bytes_len % 5)
+    rand_bytes_len += 5 - (rand_bytes_len%5);
+  rand_bytes = tor_malloc(rand_bytes_len);
+  crypto_rand(rand_bytes, rand_bytes_len);
+
+  result = tor_malloc(resultlen);
+  memcpy(result, prefix, prefixlen);
+  base32_encode(result+prefixlen, resultlen-prefixlen,
+                rand_bytes, rand_bytes_len);
+  tor_free(rand_bytes);
+  strlcpy(result+prefixlen+randlen, suffix, resultlen-(prefixlen+randlen));
+
+  return result;
+}
+
+/**
+ * Return a randomly chosen element of <b>sl</b>; or NULL if <b>sl</b>
+ * is empty.
+ **/
+void *
+smartlist_choose(const smartlist_t *sl)
+{
+  int len = smartlist_len(sl);
+  if (len)
+    return smartlist_get(sl,crypto_rand_int(len));
+  return NULL; /* no elements to choose from */
+}
+
+/**
+ * Scramble the elements of <b>sl</b> into a random order.
+ **/
+void
+smartlist_shuffle(smartlist_t *sl)
+{
+  int i;
+  /* From the end of the list to the front, choose at random from the
+     positions we haven't looked at yet, and swap that position into the
+     current position.  Remember to give "no swap" the same probability as
+     any other swap. */
+  for (i = smartlist_len(sl)-1; i > 0; --i) {
+    int j = crypto_rand_int(i+1);
+    smartlist_swap(sl, i, j);
+  }
+}
+
+/** Make sure that openssl is using its default PRNG. Return 1 if we had to
+ * adjust it; 0 otherwise. */
+int
+crypto_force_rand_ssleay(void)
+{
+  RAND_METHOD *default_method;
+  default_method = RAND_OpenSSL();
+  if (RAND_get_rand_method() != default_method) {
+    log_notice(LD_CRYPTO, "It appears that one of our engines has provided "
+               "a replacement the OpenSSL RNG. Resetting it to the default "
+               "implementation.");
+    RAND_set_rand_method(default_method);
+    return 1;
+  }
+  return 0;
+}
+
+#endif /* !defined(CRYPTO_RAND_PRIVATE) */
+
diff --git a/src/common/crypto_rand.h b/src/common/crypto_rand.h
new file mode 100644
index 000000000..c78195633
--- /dev/null
+++ b/src/common/crypto_rand.h
@@ -0,0 +1,53 @@
+/* Copyright (c) 2001, Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file crypto_rand.h
+ *
+ * \brief Common functions for using (psuedo-)random number generators.
+ **/
+
+#ifndef TOR_CRYPTO_RAND_H
+#define TOR_CRYPTO_RAND_H
+
+#include "torint.h"
+#include "util.h"
+
+/* random numbers */
+int crypto_seed_rng(void) ATTR_WUR;
+MOCK_DECL(void,crypto_rand,(char *to, size_t n));
+void crypto_rand_unmocked(char *to, size_t n);
+void crypto_strongest_rand(uint8_t *out, size_t out_len);
+int crypto_rand_int(unsigned int max);
+int crypto_rand_int_range(unsigned int min, unsigned int max);
+uint64_t crypto_rand_uint64_range(uint64_t min, uint64_t max);
+time_t crypto_rand_time_range(time_t min, time_t max);
+uint64_t crypto_rand_uint64(uint64_t max);
+double crypto_rand_double(void);
+struct tor_weak_rng_t;
+void crypto_seed_weak_rng(struct tor_weak_rng_t *rng);
+int crypto_init_siphash_key(void);
+
+char *crypto_random_hostname(int min_rand_len, int max_rand_len,
+                             const char *prefix, const char *suffix);
+
+struct smartlist_t;
+void *smartlist_choose(const struct smartlist_t *sl);
+void smartlist_shuffle(struct smartlist_t *sl);
+int crypto_force_rand_ssleay(void);
+
+#ifdef CRYPTO_RAND_PRIVATE
+
+STATIC int crypto_strongest_rand_raw(uint8_t *out, size_t out_len);
+
+#ifdef TOR_UNIT_TESTS
+extern int break_strongest_rng_syscall;
+extern int break_strongest_rng_fallback;
+#endif
+#endif /* defined(CRYPTO_RAND_PRIVATE) */
+
+#endif /* !defined(TOR_CRYPTO_RAND_H) */
+
diff --git a/src/common/crypto_rsa.c b/src/common/crypto_rsa.c
index 986ccb0ee..0e006b0eb 100644
--- a/src/common/crypto_rsa.c
+++ b/src/common/crypto_rsa.c
@@ -15,6 +15,8 @@
 #include "crypto_curve25519.h"
 #include "crypto_format.h"
 #include "crypto_digest.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 
 DISABLE_GCC_WARNING(redundant-decls)
 
diff --git a/src/common/crypto_s2k.c b/src/common/crypto_s2k.c
index 316445e40..7d7f475b6 100644
--- a/src/common/crypto_s2k.c
+++ b/src/common/crypto_s2k.c
@@ -17,6 +17,8 @@
 #include "compat.h"
 #include "crypto_s2k.h"
 #include "crypto_digest.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 
 #include <openssl/evp.h>
 
diff --git a/src/common/crypto_util.c b/src/common/crypto_util.c
new file mode 100644
index 000000000..c09afe6ee
--- /dev/null
+++ b/src/common/crypto_util.c
@@ -0,0 +1,105 @@
+/* Copyright (c) 2001, Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file crypto_util.c
+ *
+ * \brief Common cryptographic utilities.
+ **/
+
+#ifndef CRYPTO_UTIL_PRIVATE
+#define CRYPTO_UTIL_PRIVATE
+
+#include <string.h>
+
+#ifdef _WIN32
+#include <windows.h>
+#include <wincrypt.h>
+#endif /* defined(_WIN32) */
+
+#include "crypto_util.h"
+#include "util.h"
+
+DISABLE_GCC_WARNING(redundant-decls)
+
+#include <openssl/crypto.h>
+
+ENABLE_GCC_WARNING(redundant-decls)
+
+/**
+ * Destroy the <b>sz</b> bytes of data stored at <b>mem</b>, setting them to
+ * the value <b>byte</b>.
+ * If <b>mem</b> is NULL or <b>sz</b> is zero, nothing happens.
+ *
+ * This function is preferable to memset, since many compilers will happily
+ * optimize out memset() when they can convince themselves that the data being
+ * cleared will never be read.
+ *
+ * Right now, our convention is to use this function when we are wiping data
+ * that's about to become inaccessible, such as stack buffers that are about
+ * to go out of scope or structures that are about to get freed.  (In
+ * practice, it appears that the compilers we're currently using will optimize
+ * out the memset()s for stack-allocated buffers, but not those for
+ * about-to-be-freed structures. That could change, though, so we're being
+ * wary.)  If there are live reads for the data, then you can just use
+ * memset().
+ */
+void
+memwipe(void *mem, uint8_t byte, size_t sz)
+{
+  if (sz == 0) {
+    return;
+  }
+  /* If sz is nonzero, then mem must not be NULL. */
+  tor_assert(mem != NULL);
+
+  /* Data this large is likely to be an underflow. */
+  tor_assert(sz < SIZE_T_CEILING);
+
+  /* Because whole-program-optimization exists, we may not be able to just
+   * have this function call "memset".  A smart compiler could inline it, then
+   * eliminate dead memsets, and declare itself to be clever. */
+
+#if defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY)
+  /* Here's what you do on windows. */
+  SecureZeroMemory(mem,sz);
+#elif defined(HAVE_RTLSECUREZEROMEMORY)
+  RtlSecureZeroMemory(mem,sz);
+#elif defined(HAVE_EXPLICIT_BZERO)
+  /* The BSDs provide this. */
+  explicit_bzero(mem, sz);
+#elif defined(HAVE_MEMSET_S)
+  /* This is in the C99 standard. */
+  memset_s(mem, sz, 0, sz);
+#else
+  /* This is a slow and ugly function from OpenSSL that fills 'mem' with junk
+   * based on the pointer value, then uses that junk to update a global
+   * variable.  It's an elaborate ruse to trick the compiler into not
+   * optimizing out the "wipe this memory" code.  Read it if you like zany
+   * programming tricks! In later versions of Tor, we should look for better
+   * not-optimized-out memory wiping stuff...
+   *
+   * ...or maybe not.  In practice, there are pure-asm implementations of
+   * OPENSSL_cleanse() on most platforms, which ought to do the job.
+   **/
+
+  OPENSSL_cleanse(mem, sz);
+#endif /* defined(SecureZeroMemory) || defined(HAVE_SECUREZEROMEMORY) || ... */
+
+  /* Just in case some caller of memwipe() is relying on getting a buffer
+   * filled with a particular value, fill the buffer.
+   *
+   * If this function gets inlined, this memset might get eliminated, but
+   * that's okay: We only care about this particular memset in the case where
+   * the caller should have been using memset(), and the memset() wouldn't get
+   * eliminated.  In other words, this is here so that we won't break anything
+   * if somebody accidentally calls memwipe() instead of memset().
+   **/
+  memset(mem, byte, sz);
+}
+
+#endif /* !defined(CRYPTO_UTIL_PRIVATE) */
+
diff --git a/src/common/crypto_util.h b/src/common/crypto_util.h
new file mode 100644
index 000000000..922942b37
--- /dev/null
+++ b/src/common/crypto_util.h
@@ -0,0 +1,27 @@
+/* Copyright (c) 2001, Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file crypto_util.h
+ *
+ * \brief Common functions for cryptographic routines.
+ **/
+
+#ifndef TOR_CRYPTO_UTIL_H
+#define TOR_CRYPTO_UTIL_H
+
+#include "torint.h"
+
+/** OpenSSL-based utility functions. */
+void memwipe(void *mem, uint8_t byte, size_t sz);
+
+#ifdef CRYPTO_UTIL_PRIVATE
+#ifdef TOR_UNIT_TESTS
+#endif /* defined(TOR_UNIT_TESTS) */
+#endif /* defined(CRYPTO_UTIL_PRIVATE) */
+
+#endif /* !defined(TOR_CRYPTO_UTIL_H) */
+
diff --git a/src/common/include.am b/src/common/include.am
index 73c51ff0b..f0cbd0e1d 100644
--- a/src/common/include.am
+++ b/src/common/include.am
@@ -118,8 +118,10 @@ LIBOR_CRYPTO_A_SRC = \
   src/common/crypto_rsa.c     \
   src/common/crypto_openssl_mgt.c    \
   src/common/crypto_pwbox.c     \
+  src/common/crypto_rand.c     \
   src/common/crypto_s2k.c	\
   src/common/crypto_format.c	\
+  src/common/crypto_util.c	\
   src/common/tortls.c		\
   src/common/crypto_curve25519.c \
   src/common/crypto_ed25519.c
@@ -173,7 +175,9 @@ COMMONHEADERS = \
   src/common/crypto_openssl_mgt.h         \
   src/common/crypto_rsa.h           \
   src/common/crypto_pwbox.h			\
+  src/common/crypto_rand.h          \
   src/common/crypto_s2k.h			\
+  src/common/crypto_util.h			\
   src/common/di_ops.h				\
   src/common/handles.h				\
   src/common/memarea.h				\
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 05e29e22f..e58afd9a9 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -26,6 +26,8 @@
 #endif
 
 #include "crypto.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "compat.h"
 
 /* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
diff --git a/src/common/workqueue.c b/src/common/workqueue.c
index ec96959b7..de0079b75 100644
--- a/src/common/workqueue.c
+++ b/src/common/workqueue.c
@@ -25,7 +25,7 @@
 #include "orconfig.h"
 #include "compat.h"
 #include "compat_threads.h"
-#include "crypto.h"
+#include "crypto_rand.h"
 #include "util.h"
 #include "workqueue.h"
 #include "tor_queue.h"
diff --git a/src/ext/ed25519/donna/ed25519-randombytes-custom.h b/src/ext/ed25519/donna/ed25519-randombytes-custom.h
index 3fb0959fc..27eade4f9 100644
--- a/src/ext/ed25519/donna/ed25519-randombytes-custom.h
+++ b/src/ext/ed25519/donna/ed25519-randombytes-custom.h
@@ -8,7 +8,7 @@
 */
 
 /* Tor: Instead of calling OpenSSL's CSPRNG directly, call the wrapper. */
-#include "crypto.h"
+#include "crypto_rand.h"
 
 static void
 ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len)
diff --git a/src/ext/ed25519/donna/ed25519_tor.c b/src/ext/ed25519/donna/ed25519_tor.c
index 84fc3850a..43de9faae 100644
--- a/src/ext/ed25519/donna/ed25519_tor.c
+++ b/src/ext/ed25519/donna/ed25519_tor.c
@@ -40,6 +40,8 @@
 #include "ed25519-randombytes.h"
 #include "ed25519-hash.h"
 
+#include "crypto_util.h"
+
 typedef unsigned char ed25519_signature[64];
 typedef unsigned char ed25519_public_key[32];
 typedef unsigned char ed25519_secret_key[32];
diff --git a/src/ext/ed25519/ref10/blinding.c b/src/ext/ed25519/ref10/blinding.c
index a3b32fa80..88e84cac2 100644
--- a/src/ext/ed25519/ref10/blinding.c
+++ b/src/ext/ed25519/ref10/blinding.c
@@ -7,7 +7,7 @@
 #include "ed25519_ref10.h"
 
 #include <string.h>
-#include "crypto.h"
+#include "crypto_util.h"
 
 static void
 ed25519_ref10_gettweak(unsigned char *out, const unsigned char *param)
diff --git a/src/ext/ed25519/ref10/keypair.c b/src/ext/ed25519/ref10/keypair.c
index 68a88f9ad..c437f0a4f 100644
--- a/src/ext/ed25519/ref10/keypair.c
+++ b/src/ext/ed25519/ref10/keypair.c
@@ -6,6 +6,9 @@
 #include "crypto_hash_sha512.h"
 #include "ge.h"
 
+#include "crypto_rand.h"
+#include "crypto_util.h"
+
 int
 crypto_sign_seckey(unsigned char *sk)
 {
diff --git a/src/ext/keccak-tiny/keccak-tiny-unrolled.c b/src/ext/keccak-tiny/keccak-tiny-unrolled.c
index d8d7fe335..07e8c95bc 100644
--- a/src/ext/keccak-tiny/keccak-tiny-unrolled.c
+++ b/src/ext/keccak-tiny/keccak-tiny-unrolled.c
@@ -9,7 +9,7 @@
 #include "keccak-tiny.h"
 
 #include <string.h>
-#include "crypto.h"
+#include "crypto_util.h"
 #include "byteorder.h"
 
 /******** Endianness conversion helpers ********/
diff --git a/src/or/addressmap.c b/src/or/addressmap.c
index 96ce27557..f691ef9aa 100644
--- a/src/or/addressmap.c
+++ b/src/or/addressmap.c
@@ -21,6 +21,7 @@
 #include "config.h"
 #include "connection_edge.h"
 #include "control.h"
+#include "crypto_rand.h"
 #include "dns.h"
 #include "routerset.h"
 #include "nodelist.h"
diff --git a/src/or/channelpadding.c b/src/or/channelpadding.c
index 5da3009e6..0c20d6dd3 100644
--- a/src/or/channelpadding.c
+++ b/src/or/channelpadding.c
@@ -16,6 +16,7 @@
 #include "networkstatus.h"
 #include "connection.h"
 #include "connection_or.h"
+#include "crypto_rand.h"
 #include "main.h"
 #include "rephist.h"
 #include "router.h"
diff --git a/src/or/circpathbias.c b/src/or/circpathbias.c
index c1c1ca31b..ff42bf91e 100644
--- a/src/or/circpathbias.c
+++ b/src/or/circpathbias.c
@@ -30,6 +30,7 @@
 #include "circuitstats.h"
 #include "connection_edge.h"
 #include "config.h"
+#include "crypto_rand.h"
 #include "entrynodes.h"
 #include "networkstatus.h"
 #include "relay.h"
diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index 8b7990e5f..fbc4fc4ac 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -43,7 +43,7 @@
 #include "connection_edge.h"
 #include "connection_or.h"
 #include "control.h"
-#include "crypto.h"
+#include "crypto_rand.h"
 #include "directory.h"
 #include "entrynodes.h"
 #include "hs_ntor.h"
diff --git a/src/or/circuitlist.c b/src/or/circuitlist.c
index f362b8e97..02e218134 100644
--- a/src/or/circuitlist.c
+++ b/src/or/circuitlist.c
@@ -65,6 +65,8 @@
 #include "connection_edge.h"
 #include "connection_or.h"
 #include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "entrynodes.h"
 #include "main.h"
 #include "hs_circuit.h"
diff --git a/src/or/circuitstats.c b/src/or/circuitstats.c
index 643831927..0dfde67f8 100644
--- a/src/or/circuitstats.c
+++ b/src/or/circuitstats.c
@@ -31,6 +31,7 @@
 #include "config.h"
 #include "confparse.h"
 #include "control.h"
+#include "crypto_rand.h"
 #include "main.h"
 #include "networkstatus.h"
 #include "rendclient.h"
diff --git a/src/or/command.c b/src/or/command.c
index 4f99462f3..aa792a006 100644
--- a/src/or/command.c
+++ b/src/or/command.c
@@ -46,6 +46,7 @@
 #include "config.h"
 #include "control.h"
 #include "cpuworker.h"
+#include "crypto_util.h"
 #include "dos.h"
 #include "hibernate.h"
 #include "nodelist.h"
diff --git a/src/or/config.c b/src/or/config.c
index 212c6c6b9..18298937e 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -78,6 +78,8 @@
 #include "control.h"
 #include "confparse.h"
 #include "cpuworker.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "dirserv.h"
 #include "dirvote.h"
 #include "dns.h"
diff --git a/src/or/connection.c b/src/or/connection.c
index 5532551cf..69a8d24c9 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -76,6 +76,7 @@
 #include "connection_edge.h"
 #include "connection_or.h"
 #include "control.h"
+#include "crypto_util.h"
 #include "directory.h"
 #include "dirserv.h"
 #include "dns.h"
diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c
index 948c8722b..d74512c45 100644
--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -70,6 +70,7 @@
 #include "connection_edge.h"
 #include "connection_or.h"
 #include "control.h"
+#include "crypto_util.h"
 #include "dns.h"
 #include "dnsserv.h"
 #include "directory.h"
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index 267463312..ad5ee6a2b 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -39,6 +39,8 @@
 #include "connection.h"
 #include "connection_or.h"
 #include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "dirserv.h"
 #include "entrynodes.h"
 #include "geoip.h"
diff --git a/src/or/conscache.c b/src/or/conscache.c
index e25ac5f40..51dc9d621 100644
--- a/src/or/conscache.c
+++ b/src/or/conscache.c
@@ -5,6 +5,7 @@
 
 #include "config.h"
 #include "conscache.h"
+#include "crypto_util.h"
 #include "storagedir.h"
 
 #define CCE_MAGIC 0x17162253
diff --git a/src/or/control.c b/src/or/control.c
index 5cac0e172..ee4f02cb2 100644
--- a/src/or/control.c
+++ b/src/or/control.c
@@ -52,6 +52,8 @@
 #include "connection_edge.h"
 #include "connection_or.h"
 #include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "directory.h"
 #include "dirserv.h"
 #include "dnsserv.h"
diff --git a/src/or/cpuworker.c b/src/or/cpuworker.c
index 7da7dc5f8..8f03d654a 100644
--- a/src/or/cpuworker.c
+++ b/src/or/cpuworker.c
@@ -24,6 +24,8 @@
 #include "connection_or.h"
 #include "config.h"
 #include "cpuworker.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "main.h"
 #include "onion.h"
 #include "rephist.h"
diff --git a/src/or/directory.c b/src/or/directory.c
index c419b61d0..44e3d2f2a 100644
--- a/src/or/directory.c
+++ b/src/or/directory.c
@@ -18,6 +18,8 @@
 #include "consdiffmgr.h"
 #include "control.h"
 #include "compat.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "directory.h"
 #include "dirserv.h"
 #include "dirvote.h"
diff --git a/src/or/dns.c b/src/or/dns.c
index e4dc8048e..34f28252f 100644
--- a/src/or/dns.c
+++ b/src/or/dns.c
@@ -56,6 +56,7 @@
 #include "connection.h"
 #include "connection_edge.h"
 #include "control.h"
+#include "crypto_rand.h"
 #include "dns.h"
 #include "main.h"
 #include "policies.h"
diff --git a/src/or/dos.c b/src/or/dos.c
index 4d1797eec..f78409a7b 100644
--- a/src/or/dos.c
+++ b/src/or/dos.c
@@ -11,6 +11,7 @@
 #include "or.h"
 #include "channel.h"
 #include "config.h"
+#include "crypto_rand.h"
 #include "geoip.h"
 #include "main.h"
 #include "networkstatus.h"
diff --git a/src/or/entrynodes.c b/src/or/entrynodes.c
index 2b6ff38c9..42a776fe4 100644
--- a/src/or/entrynodes.c
+++ b/src/or/entrynodes.c
@@ -123,6 +123,7 @@
 #include "confparse.h"
 #include "connection.h"
 #include "control.h"
+#include "crypto_rand.h"
 #include "directory.h"
 #include "entrynodes.h"
 #include "main.h"
diff --git a/src/or/ext_orport.c b/src/or/ext_orport.c
index 16a250fa5..8fff0f955 100644
--- a/src/or/ext_orport.c
+++ b/src/or/ext_orport.c
@@ -23,6 +23,8 @@
 #include "ext_orport.h"
 #include "control.h"
 #include "config.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "main.h"
 #include "proto_ext_or.h"
 #include "util.h"
diff --git a/src/or/hibernate.c b/src/or/hibernate.c
index 7261cf800..2b50aa5f0 100644
--- a/src/or/hibernate.c
+++ b/src/or/hibernate.c
@@ -36,6 +36,7 @@ hibernating, phase 2:
 #include "connection_edge.h"
 #include "connection_or.h"
 #include "control.h"
+#include "crypto_rand.h"
 #include "hibernate.h"
 #include "main.h"
 #include "router.h"
diff --git a/src/or/hs_cache.c b/src/or/hs_cache.c
index df53efd32..ecc845d17 100644
--- a/src/or/hs_cache.c
+++ b/src/or/hs_cache.c
@@ -11,6 +11,7 @@
 
 #include "or.h"
 #include "config.h"
+#include "crypto_util.h"
 #include "hs_ident.h"
 #include "hs_common.h"
 #include "hs_client.h"
diff --git a/src/or/hs_cell.c b/src/or/hs_cell.c
index ad92521d3..03273a44f 100644
--- a/src/or/hs_cell.c
+++ b/src/or/hs_cell.c
@@ -8,6 +8,7 @@
 
 #include "or.h"
 #include "config.h"
+#include "crypto_util.h"
 #include "rendservice.h"
 #include "replaycache.h"
 #include "util.h"
diff --git a/src/or/hs_circuit.c b/src/or/hs_circuit.c
index 3a674f622..38434fba3 100644
--- a/src/or/hs_circuit.c
+++ b/src/or/hs_circuit.c
@@ -13,6 +13,8 @@
 #include "circuitlist.h"
 #include "circuituse.h"
 #include "config.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "nodelist.h"
 #include "policies.h"
 #include "relay.h"
diff --git a/src/or/hs_client.c b/src/or/hs_client.c
index 20963cd45..f07426052 100644
--- a/src/or/hs_client.c
+++ b/src/or/hs_client.c
@@ -13,6 +13,8 @@
 #include "hs_ident.h"
 #include "connection_edge.h"
 #include "container.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "rendclient.h"
 #include "hs_descriptor.h"
 #include "hs_cache.h"
diff --git a/src/or/hs_common.c b/src/or/hs_common.c
index aa34b0e8f..5b0c4c07f 100644
--- a/src/or/hs_common.c
+++ b/src/or/hs_common.c
@@ -15,6 +15,8 @@
 
 #include "config.h"
 #include "circuitbuild.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "networkstatus.h"
 #include "nodelist.h"
 #include "hs_cache.h"
diff --git a/src/or/hs_control.c b/src/or/hs_control.c
index 87b4e3fca..87c41bf96 100644
--- a/src/or/hs_control.c
+++ b/src/or/hs_control.c
@@ -8,6 +8,7 @@
 
 #include "or.h"
 #include "control.h"
+#include "crypto_util.h"
 #include "hs_common.h"
 #include "hs_control.h"
 #include "hs_descriptor.h"
diff --git a/src/or/hs_descriptor.c b/src/or/hs_descriptor.c
index 7388807bc..eb48cb060 100644
--- a/src/or/hs_descriptor.c
+++ b/src/or/hs_descriptor.c
@@ -59,6 +59,8 @@
 #include "ed25519_cert.h" /* Trunnel interface. */
 #include "hs_descriptor.h"
 #include "circuitbuild.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "parsecommon.h"
 #include "rendcache.h"
 #include "hs_cache.h"
diff --git a/src/or/hs_descriptor.h b/src/or/hs_descriptor.h
index 09979410e..8195c6efb 100644
--- a/src/or/hs_descriptor.h
+++ b/src/or/hs_descriptor.h
@@ -16,6 +16,7 @@
 #include "container.h"
 #include "crypto.h"
 #include "crypto_ed25519.h"
+#include "ed25519_cert.h" /* needed for trunnel */
 #include "torcert.h"
 
 /* Trunnel */
diff --git a/src/or/hs_ident.c b/src/or/hs_ident.c
index 0bce2f625..3603e329d 100644
--- a/src/or/hs_ident.c
+++ b/src/or/hs_ident.c
@@ -7,6 +7,7 @@
  *        subsytem.
  **/
 
+#include "crypto_util.h"
 #include "hs_ident.h"
 
 /* Return a newly allocated circuit identifier. The given public key is copied
diff --git a/src/or/hs_ntor.c b/src/or/hs_ntor.c
index a416bc46c..809fa83bb 100644
--- a/src/or/hs_ntor.c
+++ b/src/or/hs_ntor.c
@@ -25,6 +25,7 @@
  */
 
 #include "or.h"
+#include "crypto_util.h"
 #include "hs_ntor.h"
 
 /* String constants used by the ntor HS protocol */
diff --git a/src/or/hs_service.c b/src/or/hs_service.c
index ba8abc423..fdd5e449c 100644
--- a/src/or/hs_service.c
+++ b/src/or/hs_service.c
@@ -15,6 +15,8 @@
 #include "circuituse.h"
 #include "config.h"
 #include "connection.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "directory.h"
 #include "main.h"
 #include "networkstatus.h"
diff --git a/src/or/main.c b/src/or/main.c
index a0d2ae075..b3f0a85cd 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -70,6 +70,7 @@
 #include "control.h"
 #include "cpuworker.h"
 #include "crypto_s2k.h"
+#include "crypto_rand.h"
 #include "directory.h"
 #include "dirserv.h"
 #include "dirvote.h"
diff --git a/src/or/networkstatus.c b/src/or/networkstatus.c
index 235b95b70..e223b6f1b 100644
--- a/src/or/networkstatus.c
+++ b/src/or/networkstatus.c
@@ -48,6 +48,8 @@
 #include "connection_or.h"
 #include "consdiffmgr.h"
 #include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "directory.h"
 #include "dirserv.h"
 #include "dirvote.h"
diff --git a/src/or/onion.c b/src/or/onion.c
index 0c88c4d7e..829be12ba 100644
--- a/src/or/onion.c
+++ b/src/or/onion.c
@@ -67,6 +67,7 @@
 #include "circuitlist.h"
 #include "config.h"
 #include "cpuworker.h"
+#include "crypto_util.h"
 #include "networkstatus.h"
 #include "onion.h"
 #include "onion_fast.h"
diff --git a/src/or/onion_fast.c b/src/or/onion_fast.c
index de9103b1f..9f9b2199d 100644
--- a/src/or/onion_fast.c
+++ b/src/or/onion_fast.c
@@ -29,6 +29,8 @@
 
 #include "or.h"
 #include "onion_fast.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 
 /** Release all state held in <b>victim</b>. */
 void
diff --git a/src/or/onion_ntor.c b/src/or/onion_ntor.c
index 8ad876a58..02d43cb72 100644
--- a/src/or/onion_ntor.c
+++ b/src/or/onion_ntor.c
@@ -23,6 +23,7 @@
 #define ONION_NTOR_PRIVATE
 #include "crypto.h"
 #include "crypto_digest.h"
+#include "crypto_util.h"
 #include "onion_ntor.h"
 #include "torlog.h"
 #include "util.h"
diff --git a/src/or/onion_tap.c b/src/or/onion_tap.c
index c71fa236e..44737034f 100644
--- a/src/or/onion_tap.c
+++ b/src/or/onion_tap.c
@@ -29,6 +29,8 @@
 
 #include "or.h"
 #include "config.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "onion_tap.h"
 #include "rephist.h"
 
diff --git a/src/or/proto_socks.c b/src/or/proto_socks.c
index 8700fe126..57a7d1cd6 100644
--- a/src/or/proto_socks.c
+++ b/src/or/proto_socks.c
@@ -9,6 +9,7 @@
 #include "buffers.h"
 #include "control.h"
 #include "config.h"
+#include "crypto_util.h"
 #include "ext_orport.h"
 #include "proto_socks.h"
 #include "reasons.h"
diff --git a/src/or/relay.c b/src/or/relay.c
index 5651579c3..96f43ca60 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -61,6 +61,8 @@
 #include "connection_edge.h"
 #include "connection_or.h"
 #include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "geoip.h"
 #include "hs_cache.h"
 #include "main.h"
diff --git a/src/or/rendclient.c b/src/or/rendclient.c
index 9a1b97c6d..61dde8869 100644
--- a/src/or/rendclient.c
+++ b/src/or/rendclient.c
@@ -15,6 +15,8 @@
 #include "config.h"
 #include "connection.h"
 #include "connection_edge.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "directory.h"
 #include "hs_common.h"
 #include "hs_circuit.h"
diff --git a/src/or/rendcommon.c b/src/or/rendcommon.c
index 230da4be5..50ca04838 100644
--- a/src/or/rendcommon.c
+++ b/src/or/rendcommon.c
@@ -14,6 +14,8 @@
 #include "circuitbuild.h"
 #include "config.h"
 #include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "hs_common.h"
 #include "rendclient.h"
 #include "rendcommon.h"
diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index cc2242977..91ee321bc 100644
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -16,6 +16,8 @@
 #include "circuituse.h"
 #include "config.h"
 #include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "directory.h"
 #include "hs_common.h"
 #include "hs_config.h"
diff --git a/src/or/rephist.c b/src/or/rephist.c
index ac3e9f502..fe52d206c 100644
--- a/src/or/rephist.c
+++ b/src/or/rephist.c
@@ -78,6 +78,7 @@
 #include "circuitlist.h"
 #include "circuituse.h"
 #include "config.h"
+#include "crypto_rand.h"
 #include "networkstatus.h"
 #include "nodelist.h"
 #include "rephist.h"
diff --git a/src/or/router.c b/src/or/router.c
index e5996f665..c52831348 100644
--- a/src/or/router.c
+++ b/src/or/router.c
@@ -13,6 +13,8 @@
 #include "config.h"
 #include "connection.h"
 #include "control.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "crypto_curve25519.h"
 #include "directory.h"
 #include "dirserv.h"
diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c
index 1933aaf4b..43460da8c 100644
--- a/src/or/routerkeys.c
+++ b/src/or/routerkeys.c
@@ -16,6 +16,7 @@
 
 #include "or.h"
 #include "config.h"
+#include "crypto_util.h"
 #include "router.h"
 #include "crypto_pwbox.h"
 #include "routerkeys.h"
diff --git a/src/or/routerlist.c b/src/or/routerlist.c
index bc3abb236..8793c64ed 100644
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@@ -99,6 +99,7 @@
 #include "config.h"
 #include "connection.h"
 #include "control.h"
+#include "crypto_rand.h"
 #include "directory.h"
 #include "dirserv.h"
 #include "dirvote.h"
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 79499f2e6..9967e139f 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -58,6 +58,7 @@
 #include "or.h"
 #include "config.h"
 #include "circuitstats.h"
+#include "crypto_util.h"
 #include "dirserv.h"
 #include "dirvote.h"
 #include "parsecommon.h"
diff --git a/src/or/shared_random.c b/src/or/shared_random.c
index 13416d6bc..745566877 100644
--- a/src/or/shared_random.c
+++ b/src/or/shared_random.c
@@ -91,6 +91,8 @@
 #include "shared_random.h"
 #include "config.h"
 #include "confparse.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "dirvote.h"
 #include "networkstatus.h"
 #include "routerkeys.h"
diff --git a/src/or/shared_random_state.c b/src/or/shared_random_state.c
index 53782af59..80470e4e9 100644
--- a/src/or/shared_random_state.c
+++ b/src/or/shared_random_state.c
@@ -14,6 +14,7 @@
 #include "shared_random.h"
 #include "config.h"
 #include "confparse.h"
+#include "crypto_util.h"
 #include "dirvote.h"
 #include "networkstatus.h"
 #include "router.h"
diff --git a/src/or/torcert.c b/src/or/torcert.c
index 51935ddf7..1c5afd965 100644
--- a/src/or/torcert.c
+++ b/src/or/torcert.c
@@ -27,7 +27,7 @@
 
 #include "or.h"
 #include "config.h"
-#include "crypto.h"
+#include "crypto_util.h"
 #include "torcert.h"
 #include "ed25519_cert.h"
 #include "torlog.h"
diff --git a/src/test/bench.c b/src/test/bench.c
index 92d7a244f..c99860acc 100644
--- a/src/test/bench.c
+++ b/src/test/bench.c
@@ -23,6 +23,7 @@
 #include "crypto_curve25519.h"
 #include "onion_ntor.h"
 #include "crypto_ed25519.h"
+#include "crypto_rand.h"
 #include "consdiff.h"
 
 #if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_PROCESS_CPUTIME_ID)
diff --git a/src/test/rend_test_helpers.c b/src/test/rend_test_helpers.c
index 095bfecf2..9ac3894b0 100644
--- a/src/test/rend_test_helpers.c
+++ b/src/test/rend_test_helpers.c
@@ -2,6 +2,7 @@
 /* See LICENSE for licensing information */
 
 #include "or.h"
+#include "crypto_rand.h"
 #include "test.h"
 #include "rendcommon.h"
 #include "rend_test_helpers.h"
diff --git a/src/test/test-memwipe.c b/src/test/test-memwipe.c
index 89d946d50..aaaf2e7f6 100644
--- a/src/test/test-memwipe.c
+++ b/src/test/test-memwipe.c
@@ -7,7 +7,7 @@
 #include <sys/types.h>
 #include <stdlib.h>
 
-#include "crypto.h"
+#include "crypto_util.h"
 #include "compat.h"
 #include "util.h"
 
diff --git a/src/test/test-timers.c b/src/test/test-timers.c
index a0b5b535c..a5c3a3b96 100644
--- a/src/test/test-timers.c
+++ b/src/test/test-timers.c
@@ -11,7 +11,7 @@
 
 #include "compat.h"
 #include "compat_libevent.h"
-#include "crypto.h"
+#include "crypto_rand.h"
 #include "timers.h"
 #include "util.h"
 
diff --git a/src/test/test.c b/src/test/test.c
index db70a24fc..6fe0dc7a3 100644
--- a/src/test/test.c
+++ b/src/test/test.c
@@ -9,6 +9,7 @@
  **/
 
 #include "orconfig.h"
+#include "crypto_rand.h"
 
 #include <stdio.h>
 #ifdef HAVE_FCNTL_H
diff --git a/src/test/test_address_set.c b/src/test/test_address_set.c
index df022f539..f7441a649 100644
--- a/src/test/test_address_set.c
+++ b/src/test/test_address_set.c
@@ -2,6 +2,7 @@
 /* See LICENSE for licensing information */
 
 #include "or.h"
+#include "crypto_rand.h"
 #include "address_set.h"
 #include "microdesc.h"
 #include "networkstatus.h"
diff --git a/src/test/test_buffers.c b/src/test/test_buffers.c
index 057d9fa2d..868f6a8ba 100644
--- a/src/test/test_buffers.c
+++ b/src/test/test_buffers.c
@@ -8,6 +8,7 @@
 #include "or.h"
 #include "buffers.h"
 #include "buffers_tls.h"
+#include "crypto_rand.h"
 #include "proto_http.h"
 #include "proto_socks.h"
 #include "test.h"
diff --git a/src/test/test_cell_formats.c b/src/test/test_cell_formats.c
index 88cdef383..54d971678 100644
--- a/src/test/test_cell_formats.c
+++ b/src/test/test_cell_formats.c
@@ -12,6 +12,7 @@
 #include "connection_edge.h"
 #include "connection_or.h"
 #include "config.h"
+#include "crypto_rand.h"
 #include "onion.h"
 #include "onion_tap.h"
 #include "onion_fast.h"
diff --git a/src/test/test_channel.c b/src/test/test_channel.c
index 812ec6c1a..d2ce94962 100644
--- a/src/test/test_channel.c
+++ b/src/test/test_channel.c
@@ -12,6 +12,7 @@
 #include "circuitmux_ewma.h"
 /* For var_cell_free */
 #include "connection_or.h"
+#include "crypto_rand.h"
 /* For packed_cell stuff */
 #define RELAY_PRIVATE
 #include "relay.h"
diff --git a/src/test/test_consdiffmgr.c b/src/test/test_consdiffmgr.c
index a9a4b6a98..3b91baca3 100644
--- a/src/test/test_consdiffmgr.c
+++ b/src/test/test_consdiffmgr.c
@@ -9,6 +9,7 @@
 #include "consdiff.h"
 #include "consdiffmgr.h"
 #include "cpuworker.h"
+#include "crypto_rand.h"
 #include "networkstatus.h"
 #include "routerparse.h"
 #include "workqueue.h"
diff --git a/src/test/test_containers.c b/src/test/test_containers.c
index c4dba7375..3fc3523af 100644
--- a/src/test/test_containers.c
+++ b/src/test/test_containers.c
@@ -5,6 +5,7 @@
 
 #include "orconfig.h"
 #include "or.h"
+#include "crypto_rand.h"
 #include "fp_pair.h"
 #include "test.h"
 
diff --git a/src/test/test_crypto.c b/src/test/test_crypto.c
index c8443fd3b..24eef156b 100644
--- a/src/test/test_crypto.c
+++ b/src/test/test_crypto.c
@@ -5,7 +5,7 @@
 
 #include "orconfig.h"
 #define CRYPTO_CURVE25519_PRIVATE
-#define CRYPTO_PRIVATE
+#define CRYPTO_RAND_PRIVATE
 #include "or.h"
 #include "test.h"
 #include "aes.h"
@@ -13,6 +13,7 @@
 #include "siphash.h"
 #include "crypto_curve25519.h"
 #include "crypto_ed25519.h"
+#include "crypto_rand.h"
 #include "ed25519_vectors.inc"
 
 /** Run unit tests for Diffie-Hellman functionality. */
diff --git a/src/test/test_crypto_openssl.c b/src/test/test_crypto_openssl.c
index 090cb4242..a01627750 100644
--- a/src/test/test_crypto_openssl.c
+++ b/src/test/test_crypto_openssl.c
@@ -5,9 +5,9 @@
 
 #include "orconfig.h"
 
-#define CRYPTO_PRIVATE
+#define CRYPTO_RAND_PRIVATE
 
-#include "crypto.h"
+#include "crypto_rand.h"
 #include "util.h"
 #include "util_format.h"
 #include "compat.h"
diff --git a/src/test/test_crypto_slow.c b/src/test/test_crypto_slow.c
index 2afb71ff5..0e1f5bd22 100644
--- a/src/test/test_crypto_slow.c
+++ b/src/test/test_crypto_slow.c
@@ -9,6 +9,7 @@
 #include "test.h"
 #include "crypto_s2k.h"
 #include "crypto_pwbox.h"
+#include "crypto_rand.h"
 
 #if defined(HAVE_LIBSCRYPT_H) && defined(HAVE_LIBSCRYPT_SCRYPT)
 #define HAVE_LIBSCRYPT
diff --git a/src/test/test_dir.c b/src/test/test_dir.c
index 5fac045b2..7d3b5344b 100644
--- a/src/test/test_dir.c
+++ b/src/test/test_dir.c
@@ -23,6 +23,7 @@
 #include "config.h"
 #include "control.h"
 #include "crypto_ed25519.h"
+#include "crypto_rand.h"
 #include "directory.h"
 #include "dirserv.h"
 #include "dirvote.h"
diff --git a/src/test/test_dos.c b/src/test/test_dos.c
index cb9d9e559..8ae967f3a 100644
--- a/src/test/test_dos.c
+++ b/src/test/test_dos.c
@@ -8,6 +8,7 @@
 #include "or.h"
 #include "dos.h"
 #include "circuitlist.h"
+#include "crypto_rand.h"
 #include "geoip.h"
 #include "channel.h"
 #include "microdesc.h"
diff --git a/src/test/test_entrynodes.c b/src/test/test_entrynodes.c
index 92a860360..85490d6bd 100644
--- a/src/test/test_entrynodes.c
+++ b/src/test/test_entrynodes.c
@@ -16,6 +16,7 @@
 #include "circuitlist.h"
 #include "config.h"
 #include "confparse.h"
+#include "crypto_rand.h"
 #include "directory.h"
 #include "entrynodes.h"
 #include "nodelist.h"
diff --git a/src/test/test_extorport.c b/src/test/test_extorport.c
index cadef257f..e05342cb8 100644
--- a/src/test/test_extorport.c
+++ b/src/test/test_extorport.c
@@ -10,6 +10,7 @@
 #include "connection_or.h"
 #include "config.h"
 #include "control.h"
+#include "crypto_rand.h"
 #include "ext_orport.h"
 #include "main.h"
 #include "test.h"
diff --git a/src/test/test_helpers.c b/src/test/test_helpers.c
index ab453d3bd..42e911431 100644
--- a/src/test/test_helpers.c
+++ b/src/test/test_helpers.c
@@ -18,6 +18,7 @@
 #include "config.h"
 #include "confparse.h"
 #include "connection.h"
+#include "crypto_rand.h"
 #include "main.h"
 #include "nodelist.h"
 #include "relay.h"
diff --git a/src/test/test_hs_cell.c b/src/test/test_hs_cell.c
index 1b3c788a6..5c5236b39 100644
--- a/src/test/test_hs_cell.c
+++ b/src/test/test_hs_cell.c
@@ -14,6 +14,7 @@
 #include "log_test_helpers.h"
 
 #include "crypto_ed25519.h"
+#include "crypto_rand.h"
 #include "hs_cell.h"
 #include "hs_intropoint.h"
 #include "hs_service.h"
diff --git a/src/test/test_hs_common.c b/src/test/test_hs_common.c
index 8c273c963..e5661ac86 100644
--- a/src/test/test_hs_common.c
+++ b/src/test/test_hs_common.c
@@ -17,6 +17,7 @@
 #include "hs_test_helpers.h"
 
 #include "connection_edge.h"
+#include "crypto_rand.h"
 #include "hs_common.h"
 #include "hs_client.h"
 #include "hs_service.h"
diff --git a/src/test/test_hs_descriptor.c b/src/test/test_hs_descriptor.c
index 388b85f97..988f77f2f 100644
--- a/src/test/test_hs_descriptor.c
+++ b/src/test/test_hs_descriptor.c
@@ -10,6 +10,7 @@
 
 #include "crypto_ed25519.h"
 #include "crypto_digest.h"
+#include "crypto_rand.h"
 #include "ed25519_cert.h"
 #include "or.h"
 #include "hs_descriptor.h"
diff --git a/src/test/test_hs_intropoint.c b/src/test/test_hs_intropoint.c
index fe3236c33..4253c9a38 100644
--- a/src/test/test_hs_intropoint.c
+++ b/src/test/test_hs_intropoint.c
@@ -13,7 +13,7 @@
 
 #include "test.h"
 #include "log_test_helpers.h"
-#include "crypto.h"
+#include "crypto_rand.h"
 
 #include "or.h"
 #include "circuitlist.h"
diff --git a/src/test/test_hs_service.c b/src/test/test_hs_service.c
index de74fdb30..cad12481c 100644
--- a/src/test/test_hs_service.c
+++ b/src/test/test_hs_service.c
@@ -33,7 +33,7 @@
 #include "circuitbuild.h"
 #include "circuitlist.h"
 #include "circuituse.h"
-#include "crypto.h"
+#include "crypto_rand.h"
 #include "dirvote.h"
 #include "networkstatus.h"
 #include "nodelist.h"
diff --git a/src/test/test_nodelist.c b/src/test/test_nodelist.c
index a873003d7..9499fd038 100644
--- a/src/test/test_nodelist.c
+++ b/src/test/test_nodelist.c
@@ -7,6 +7,7 @@
  **/
 
 #include "or.h"
+#include "crypto_rand.h"
 #include "networkstatus.h"
 #include "nodelist.h"
 #include "torcert.h"
diff --git a/src/test/test_oom.c b/src/test/test_oom.c
index c172fe60c..abf889645 100644
--- a/src/test/test_oom.c
+++ b/src/test/test_oom.c
@@ -13,6 +13,7 @@
 #include "compat_libevent.h"
 #include "connection.h"
 #include "config.h"
+#include "crypto_rand.h"
 #include "relay.h"
 #include "test.h"
 #include "test_helpers.h"
diff --git a/src/test/test_routerlist.c b/src/test/test_routerlist.c
index c19d66ef9..e56a868e0 100644
--- a/src/test/test_routerlist.c
+++ b/src/test/test_routerlist.c
@@ -18,6 +18,7 @@
 #include "connection.h"
 #include "container.h"
 #include "control.h"
+#include "crypto_rand.h"
 #include "directory.h"
 #include "dirvote.h"
 #include "entrynodes.h"
diff --git a/src/test/test_shared_random.c b/src/test/test_shared_random.c
index 4fe9ee45f..7928518ef 100644
--- a/src/test/test_shared_random.c
+++ b/src/test/test_shared_random.c
@@ -9,6 +9,7 @@
 #include "or.h"
 #include "test.h"
 #include "config.h"
+#include "crypto_rand.h"
 #include "dirvote.h"
 #include "shared_random.h"
 #include "shared_random_state.h"
diff --git a/src/test/test_storagedir.c b/src/test/test_storagedir.c
index a27074c21..26606f9b6 100644
--- a/src/test/test_storagedir.c
+++ b/src/test/test_storagedir.c
@@ -2,6 +2,7 @@
 /* See LICENSE for licensing information */
 
 #include "or.h"
+#include "crypto_rand.h"
 #include "storagedir.h"
 #include "test.h"
 
diff --git a/src/test/test_util.c b/src/test/test_util.c
index ce8567d9a..e3a9eca2d 100644
--- a/src/test/test_util.c
+++ b/src/test/test_util.c
@@ -12,6 +12,7 @@
 #include "buffers.h"
 #include "config.h"
 #include "control.h"
+#include "crypto_rand.h"
 #include "test.h"
 #include "memarea.h"
 #include "util_process.h"
diff --git a/src/test/test_util_format.c b/src/test/test_util_format.c
index 683d5fdac..10645fe11 100644
--- a/src/test/test_util_format.c
+++ b/src/test/test_util_format.c
@@ -6,6 +6,7 @@
 
 #include "test.h"
 
+#include "crypto_rand.h"
 #define UTIL_FORMAT_PRIVATE
 #include "util_format.h"
 
diff --git a/src/test/test_workqueue.c b/src/test/test_workqueue.c
index 2b0317371..972b655c1 100644
--- a/src/test/test_workqueue.c
+++ b/src/test/test_workqueue.c
@@ -7,8 +7,8 @@
 #include "compat_threads.h"
 #include "onion.h"
 #include "workqueue.h"
-#include "crypto.h"
 #include "crypto_curve25519.h"
+#include "crypto_rand.h"
 #include "compat_libevent.h"
 
 #include <stdio.h>
diff --git a/src/test/testing_common.c b/src/test/testing_common.c
index b9b36d96d..3e3b5a43f 100644
--- a/src/test/testing_common.c
+++ b/src/test/testing_common.c
@@ -12,6 +12,7 @@
 #include "or.h"
 #include "control.h"
 #include "config.h"
+#include "crypto_rand.h"
 #include "rephist.h"
 #include "backtrace.h"
 #include "test.h"
diff --git a/src/test/testing_rsakeys.c b/src/test/testing_rsakeys.c
index 7a24c0ed1..94d3db328 100644
--- a/src/test/testing_rsakeys.c
+++ b/src/test/testing_rsakeys.c
@@ -3,6 +3,7 @@
  * Copyright (c) 2007-2017, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 
+#include "crypto_rand.h"
 #include "orconfig.h"
 #include "or.h"
 #include "test.h"
diff --git a/src/tools/tor-gencert.c b/src/tools/tor-gencert.c
index 639a6fbc2..aafefdad7 100644
--- a/src/tools/tor-gencert.c
+++ b/src/tools/tor-gencert.c
@@ -40,6 +40,8 @@ ENABLE_GCC_WARNING(redundant-decls)
 #include "torlog.h"
 #include "crypto.h"
 #include "crypto_digest.h"
+#include "crypto_rand.h"
+#include "crypto_util.h"
 #include "address.h"
 #include "util_format.h"
 
diff --git a/src/trunnel/trunnel-local.h b/src/trunnel/trunnel-local.h
index b7c2ab98e..8aa6d0dda 100644
--- a/src/trunnel/trunnel-local.h
+++ b/src/trunnel/trunnel-local.h
@@ -4,7 +4,7 @@
 
 #include "util.h"
 #include "compat.h"
-#include "crypto.h"
+#include "crypto_util.h"
 
 #define trunnel_malloc tor_malloc
 #define trunnel_calloc tor_calloc



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits