21 files changed, 240 insertions, 88 deletions
diff --git a/src/ext/byteorder.h b/src/ext/byteorder.h
new file mode 100644
index 0000000000..c8ba52184b
--- /dev/null
+++ b/src/ext/byteorder.h
@@ -0,0 +1,67 @@
+/* <MIT License>
+ Copyright (c) 2013-2014  Marek Majkowski <marek@popcount.org>
+
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+
+ The above copyright notice and this permission notice shall be included in
+ all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ THE SOFTWARE.
+ </MIT License>
+
+ Original location:
+    https://github.com/majek/csiphash/
+
+ Solution inspired by code from:
+    Samuel Neves (supercop/crypto_auth/siphash24/little)
+    djb (supercop/crypto_auth/siphash24/little2)
+    Jean-Philippe Aumasson (https://131002.net/siphash/siphash24.c)
+*/
+
+/* This code is extracted from csiphash.h */
+
+#if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) &&      \
+	__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
+#  define _le64toh(x) ((uint64_t)(x))
+#elif defined(_WIN32)
+/* Windows is always little endian, unless you're on xbox360
+   http://msdn.microsoft.com/en-us/library/b0084kay(v=vs.80).aspx */
+#  define _le64toh(x) ((uint64_t)(x))
+#elif defined(__APPLE__)
+#  include <libkern/OSByteOrder.h>
+#  define _le64toh(x) OSSwapLittleToHostInt64(x)
+#elif defined(sun) || defined(__sun)
+#  include <sys/byteorder.h>
+#  define _le64toh(x) LE_64(x)
+
+#else
+
+/* See: http://sourceforge.net/p/predef/wiki/Endianness/ */
+#  if defined(__FreeBSD__) || defined(__NetBSD__) || defined(OpenBSD)
+#    include <sys/endian.h>
+#  else
+#    include <endian.h>
+#  endif
+#  if defined(__BYTE_ORDER) && defined(__LITTLE_ENDIAN) && \
+	__BYTE_ORDER == __LITTLE_ENDIAN
+#    define _le64toh(x) ((uint64_t)(x))
+#  else
+#    if defined(OpenBSD)
+#      define _le64toh(x) letoh64(x)
+#    else
+#      define _le64toh(x) le64toh(x)
+#    endif
+#  endif
+
+#endif
diff --git a/src/ext/csiphash.c b/src/ext/csiphash.c
index 49a6dc4778..0427c87950 100644
--- a/src/ext/csiphash.c
+++ b/src/ext/csiphash.c
@@ -35,41 +35,7 @@
 #include "util.h"
 /* for memcpy */
 #include <string.h>
-
-#if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \
-	__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
-#  define _le64toh(x) ((uint64_t)(x))
-#elif defined(_WIN32)
-/* Windows is always little endian, unless you're on xbox360
-   http://msdn.microsoft.com/en-us/library/b0084kay(v=vs.80).aspx */
-#  define _le64toh(x) ((uint64_t)(x))
-#elif defined(__APPLE__)
-#  include <libkern/OSByteOrder.h>
-#  define _le64toh(x) OSSwapLittleToHostInt64(x)
-#elif defined(sun) || defined(__sun)
-#  include <sys/byteorder.h>
-#  define _le64toh(x) LE_64(x)
-
-#else
-
-/* See: http://sourceforge.net/p/predef/wiki/Endianness/ */
-#  if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
-#    include <sys/endian.h>
-#  else
-#    include <endian.h>
-#  endif
-#  if defined(__BYTE_ORDER) && defined(__LITTLE_ENDIAN) && \
-	__BYTE_ORDER == __LITTLE_ENDIAN
-#    define _le64toh(x) ((uint64_t)(x))
-#  else
-#    if defined(__OpenBSD__)
-#      define _le64toh(x) letoh64(x)
-#    else
-#      define _le64toh(x) le64toh(x)
-#    endif
-#  endif
-
-#endif
+#include "byteorder.h"
 
 #define ROTATE(x, b) (uint64_t)( ((x) << (b)) | ( (x) >> (64 - (b))) )
 
@@ -157,3 +123,9 @@ void siphash_set_global_key(const struct sipkey *key)
 	the_siphash_key.k1 = key->k1;
 	the_siphash_key_is_set = 1;
 }
+
+void siphash_unset_global_key(void)
+{
+	the_siphash_key_is_set = 0;
+	memset(&the_siphash_key, 0, sizeof(the_siphash_key));
+}
diff --git a/src/ext/ed25519/donna/ed25519-hash-custom.h b/src/ext/ed25519/donna/ed25519-hash-custom.h
index 7dc249129d..cdeab3e45b 100644
--- a/src/ext/ed25519/donna/ed25519-hash-custom.h
+++ b/src/ext/ed25519/donna/ed25519-hash-custom.h
@@ -9,3 +9,34 @@
 	void ed25519_hash(uint8_t *hash, const uint8_t *in, size_t inlen);
 */
 
+#include "crypto_digest.h"
+
+typedef struct ed25519_hash_context {
+  crypto_digest_t *ctx;
+} ed25519_hash_context;
+
+
+static void
+ed25519_hash_init(ed25519_hash_context *ctx)
+{
+  ctx->ctx = crypto_digest512_new(DIGEST_SHA512);
+}
+static void
+ed25519_hash_update(ed25519_hash_context *ctx, const uint8_t *in, size_t inlen)
+{
+  crypto_digest_add_bytes(ctx->ctx, (const char *)in, inlen);
+}
+static void
+ed25519_hash_final(ed25519_hash_context *ctx, uint8_t *hash)
+{
+  crypto_digest_get_digest(ctx->ctx, (char *)hash, DIGEST512_LEN);
+  crypto_digest_free(ctx->ctx);
+  ctx->ctx = NULL;
+}
+static void
+ed25519_hash(uint8_t *hash, const uint8_t *in, size_t inlen)
+{
+  crypto_digest512((char *)hash, (const char *)in, inlen,
+		   DIGEST_SHA512);
+}
+
diff --git a/src/ext/ed25519/donna/ed25519-randombytes-custom.h b/src/ext/ed25519/donna/ed25519-randombytes-custom.h
index 3fb0959fc4..27eade4f95 100644
--- a/src/ext/ed25519/donna/ed25519-randombytes-custom.h
+++ b/src/ext/ed25519/donna/ed25519-randombytes-custom.h
@@ -8,7 +8,7 @@
 */
 
 /* Tor: Instead of calling OpenSSL's CSPRNG directly, call the wrapper. */
-#include "crypto.h"
+#include "crypto_rand.h"
 
 static void
 ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len)
diff --git a/src/ext/ed25519/donna/ed25519_donna_tor.h b/src/ext/ed25519/donna/ed25519_donna_tor.h
index d225407b1c..7d7b8c0625 100644
--- a/src/ext/ed25519/donna/ed25519_donna_tor.h
+++ b/src/ext/ed25519/donna/ed25519_donna_tor.h
@@ -30,4 +30,9 @@ int ed25519_donna_blind_public_key(unsigned char *out, const unsigned char *inp,
 int ed25519_donna_pubkey_from_curve25519_pubkey(unsigned char *out,
   const unsigned char *inp, int signbit);
 
+
+int
+ed25519_donna_scalarmult_with_group_order(unsigned char *out,
+                                          const unsigned char *pubkey);
+
 #endif
diff --git a/src/ext/ed25519/donna/ed25519_tor.c b/src/ext/ed25519/donna/ed25519_tor.c
index 9537ae66a1..43de9faaea 100644
--- a/src/ext/ed25519/donna/ed25519_tor.c
+++ b/src/ext/ed25519/donna/ed25519_tor.c
@@ -40,6 +40,8 @@
 #include "ed25519-randombytes.h"
 #include "ed25519-hash.h"
 
+#include "crypto_util.h"
+
 typedef unsigned char ed25519_signature[64];
 typedef unsigned char ed25519_public_key[32];
 typedef unsigned char ed25519_secret_key[32];
@@ -132,7 +134,7 @@ ED25519_FN(curved25519_scalarmult_basepoint) (curved25519_key pk, const curved25
 }
 
 /*
-   Tor has a specific idea of how an Ed25519 implementaion should behave.
+   Tor has a specific idea of how an Ed25519 implementation should behave.
    Implement such a beast using the ed25519-donna primitives/internals.
 
     * Private key generation using Tor's CSPRNG.
@@ -245,13 +247,7 @@ ed25519_donna_sign(unsigned char *sig, const unsigned char *m, size_t mlen,
 static void
 ed25519_donna_gettweak(unsigned char *out, const unsigned char *param)
 {
-  static const char str[] = "Derive temporary signing key";
-  ed25519_hash_context ctx;
-
-  ed25519_hash_init(&ctx);
-  ed25519_hash_update(&ctx, (const unsigned char*)str, strlen(str));
-  ed25519_hash_update(&ctx, param, 32);
-  ed25519_hash_final(&ctx, out);
+  memcpy(out, param, 32);
 
   out[0] &= 248;  /* Is this necessary ? */
   out[31] &= 63;
@@ -304,7 +300,9 @@ ed25519_donna_blind_public_key(unsigned char *out, const unsigned char *inp,
   /* No "ge25519_unpack", negate the public key. */
   memcpy(pkcopy, inp, 32);
   pkcopy[31] ^= (1<<7);
-  ge25519_unpack_negative_vartime(&A, pkcopy);
+  if (!ge25519_unpack_negative_vartime(&A, pkcopy)) {
+    return -1;
+  }
 
   /* A' = [tweak] * A + [0] * basepoint. */
   ge25519_double_scalarmult_vartime(&Aprime, &A, t, zero);
@@ -340,5 +338,32 @@ ed25519_donna_pubkey_from_curve25519_pubkey(unsigned char *out,
   return 0;
 }
 
+/* Do the scalar multiplication of <b>pubkey</b> with the group order
+ * <b>modm_m</b>.  Place the result in <b>out</b> which must be at least 32
+ * bytes long. */
+int
+ed25519_donna_scalarmult_with_group_order(unsigned char *out,
+                                          const unsigned char *pubkey)
+{
+  static const bignum256modm ALIGN(16) zero = { 0 };
+  unsigned char pkcopy[32];
+  ge25519 ALIGN(16) Point, Result;
+
+  /* No "ge25519_unpack", negate the public key and unpack it back.
+   * See ed25519_donna_blind_public_key() */
+  memcpy(pkcopy, pubkey, 32);
+  pkcopy[31] ^= (1<<7);
+  if (!ge25519_unpack_negative_vartime(&Point, pkcopy)) {
+    return -1; /* error: bail out */
+  }
+
+  /* There is no regular scalarmult function so we have to do:
+   * Result = l*P + 0*B */
+  ge25519_double_scalarmult_vartime(&Result, &Point, modm_m, zero);
+  ge25519_pack(out, &Result);
+
+  return 0;
+}
+
 #include "test-internals.c"
 
diff --git a/src/ext/ed25519/ref10/blinding.c b/src/ext/ed25519/ref10/blinding.c
index ee3e8666fa..88e84cac20 100644
--- a/src/ext/ed25519/ref10/blinding.c
+++ b/src/ext/ed25519/ref10/blinding.c
@@ -7,13 +7,13 @@
 #include "ed25519_ref10.h"
 
 #include <string.h>
-#include "crypto.h"
+#include "crypto_util.h"
 
 static void
 ed25519_ref10_gettweak(unsigned char *out, const unsigned char *param)
 {
-  const char str[] = "Derive temporary signing key";
-  crypto_hash_sha512_2(out, (const unsigned char*)str, strlen(str), param, 32);
+  memcpy(out, param, 32);
+
   out[0] &= 248;  /* Is this necessary necessary ? */
   out[31] &= 63;
   out[31] |= 64;
@@ -49,6 +49,7 @@ int ed25519_ref10_blind_public_key(unsigned char *out,
   unsigned char pkcopy[32];
   ge_p3 A;
   ge_p2 Aprime;
+  int retval = -1;
 
   ed25519_ref10_gettweak(tweak, param);
 
@@ -62,15 +63,57 @@ int ed25519_ref10_blind_public_key(unsigned char *out,
    * "ge_frombytes", we'd use that, but there isn't. */
   memcpy(pkcopy, inp, 32);
   pkcopy[31] ^= (1<<7);
-  ge_frombytes_negate_vartime(&A, pkcopy);
+  if (ge_frombytes_negate_vartime(&A, pkcopy) != 0) {
+    goto done;
+  }
   /* There isn't a regular ge_scalarmult -- we have to do tweak*A + zero*B. */
   ge_double_scalarmult_vartime(&Aprime, tweak, &A, zero);
   ge_tobytes(out, &Aprime);
 
+  retval = 0;
+
+ done:
   memwipe(tweak, 0, sizeof(tweak));
   memwipe(&A, 0, sizeof(A));
   memwipe(&Aprime, 0, sizeof(Aprime));
   memwipe(pkcopy, 0, sizeof(pkcopy));
 
+  return retval;
+}
+
+/* This is the group order encoded in a format that
+ * ge_double_scalarmult_vartime() understands. The group order m is:
+ * m = 	 2^252 +  27742317777372353535851937790883648493 =
+ *       0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed
+ */
+static const uint8_t modm_m[32] = {0xed,0xd3,0xf5,0x5c,0x1a,0x63,0x12,0x58,
+                                   0xd6,0x9c,0xf7,0xa2,0xde,0xf9,0xde,0x14,
+                                   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+                                   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x10};
+
+/* Do the scalar multiplication of <b>pubkey</b> with the group order
+ * <b>modm_m</b>.  Place the result in <b>out</b> which must be at least 32
+ * bytes long. */
+int
+ed25519_ref10_scalarmult_with_group_order(unsigned char *out,
+                                          const unsigned char *pubkey)
+{
+  unsigned char pkcopy[32];
+  unsigned char zero[32] = {0};
+  ge_p3 Point;
+  ge_p2 Result;
+
+  /* All this is done to fit 'pubkey' in 'Point' so that it can be used by
+   * ed25519 ref code. Same thing as in blinding function */
+  memcpy(pkcopy, pubkey, 32);
+  pkcopy[31] ^= (1<<7);
+  if (ge_frombytes_negate_vartime(&Point, pkcopy) != 0) {
+    return -1; /* error: bail out */
+  }
+
+  /* There isn't a regular scalarmult -- we have to do r = l*P + 0*B */
+  ge_double_scalarmult_vartime(&Result, modm_m, &Point, zero);
+  ge_tobytes(out, &Result);
+
   return 0;
 }
diff --git a/src/ext/ed25519/ref10/crypto_hash_sha512.h b/src/ext/ed25519/ref10/crypto_hash_sha512.h
index 0278571522..7faddb1597 100644
--- a/src/ext/ed25519/ref10/crypto_hash_sha512.h
+++ b/src/ext/ed25519/ref10/crypto_hash_sha512.h
@@ -1,30 +1,32 @@
 /* Added for Tor. */
-#include <openssl/sha.h>
+#include "crypto_digest.h"
 
 /* Set 'out' to the 512-bit SHA512 hash of the 'len'-byte string in 'inp' */
 #define crypto_hash_sha512(out, inp, len) \
-  SHA512((inp), (len), (out))
+  crypto_digest512((char *)(out), (const char *)(inp), (len), DIGEST_SHA512)
 
 /* Set 'out' to the 512-bit SHA512 hash of the 'len1'-byte string in 'inp1',
  * concatenated with the 'len2'-byte string in 'inp2'. */
 #define crypto_hash_sha512_2(out, inp1, len1, inp2, len2)               \
   do {                                                                  \
-      SHA512_CTX sha_ctx_;                                              \
-      SHA512_Init(&sha_ctx_);                                           \
-      SHA512_Update(&sha_ctx_, (inp1), (len1));                         \
-      SHA512_Update(&sha_ctx_, (inp2), (len2));                         \
-      SHA512_Final((out), &sha_ctx_);                                   \
- } while(0)
+    crypto_digest_t *sha_ctx_;						\
+    sha_ctx_ = crypto_digest512_new(DIGEST_SHA512);			\
+    crypto_digest_add_bytes(sha_ctx_, (const char *)(inp1), (len1));	\
+    crypto_digest_add_bytes(sha_ctx_, (const char *)(inp2), (len2));	\
+    crypto_digest_get_digest(sha_ctx_, (char *)out, DIGEST512_LEN);	\
+    crypto_digest_free(sha_ctx_);					\
+  } while (0)
 
 /* Set 'out' to the 512-bit SHA512 hash of the 'len1'-byte string in 'inp1',
  * concatenated with the 'len2'-byte string in 'inp2', concatenated with
  * the 'len3'-byte string in 'len3'. */
 #define crypto_hash_sha512_3(out, inp1, len1, inp2, len2, inp3, len3)   \
   do {                                                                  \
-      SHA512_CTX sha_ctx_;                                              \
-      SHA512_Init(&sha_ctx_);                                           \
-      SHA512_Update(&sha_ctx_, (inp1), (len1));                         \
-      SHA512_Update(&sha_ctx_, (inp2), (len2));                         \
-      SHA512_Update(&sha_ctx_, (inp3), (len3));                         \
-      SHA512_Final((out), &sha_ctx_);                                   \
+    crypto_digest_t *sha_ctx_;						\
+    sha_ctx_ = crypto_digest512_new(DIGEST_SHA512);			\
+    crypto_digest_add_bytes(sha_ctx_, (const char *)(inp1), (len1));	\
+    crypto_digest_add_bytes(sha_ctx_, (const char *)(inp2), (len2));	\
+    crypto_digest_add_bytes(sha_ctx_, (const char *)(inp3), (len3));	\
+    crypto_digest_get_digest(sha_ctx_, (char *)out, DIGEST512_LEN);	\
+    crypto_digest_free(sha_ctx_);					\
  } while(0)
diff --git a/src/ext/ed25519/ref10/ed25519_ref10.h b/src/ext/ed25519/ref10/ed25519_ref10.h
index af7e21a2ad..5965694977 100644
--- a/src/ext/ed25519/ref10/ed25519_ref10.h
+++ b/src/ext/ed25519/ref10/ed25519_ref10.h
@@ -27,4 +27,8 @@ int ed25519_ref10_blind_public_key(unsigned char *out,
                               const unsigned char *inp,
                               const unsigned char *param);
 
+int
+ed25519_ref10_scalarmult_with_group_order(unsigned char *out,
+                                          const unsigned char *pubkey);
+
 #endif
diff --git a/src/ext/ed25519/ref10/keypair.c b/src/ext/ed25519/ref10/keypair.c
index 68a88f9adc..c437f0a4f2 100644
--- a/src/ext/ed25519/ref10/keypair.c
+++ b/src/ext/ed25519/ref10/keypair.c
@@ -6,6 +6,9 @@
 #include "crypto_hash_sha512.h"
 #include "ge.h"
 
+#include "crypto_rand.h"
+#include "crypto_util.h"
+
 int
 crypto_sign_seckey(unsigned char *sk)
 {
diff --git a/src/ext/ed25519/ref10/randombytes.h b/src/ext/ed25519/ref10/randombytes.h
index 8bf31631f0..a21dde8540 100644
--- a/src/ext/ed25519/ref10/randombytes.h
+++ b/src/ext/ed25519/ref10/randombytes.h
@@ -1,4 +1,4 @@
 /* Added for Tor. */
-#include "crypto.h"
+#include "crypto_rand.h"
 #define randombytes(b, n) \
   (crypto_strongest_rand((b), (n)), 0)
diff --git a/src/ext/ht.h b/src/ext/ht.h
index a441d0b685..99da773faf 100644
--- a/src/ext/ht.h
+++ b/src/ext/ht.h
@@ -1,6 +1,6 @@
 /* Copyright (c) 2002, Christopher Clark.
  * Copyright (c) 2005-2006, Nick Mathewson.
- * Copyright (c) 2007-2015, The Tor Project, Inc. */
+ * Copyright (c) 2007-2017, The Tor Project, Inc. */
 /* See license at end. */
 
 /* Based on ideas by Christopher Clark and interfaces from Niels Provos. */
@@ -150,6 +150,8 @@
 #define HT_CLEAR(name, head)         name##_HT_CLEAR(head)
 #define HT_INIT(name, head)          name##_HT_INIT(head)
 #define HT_REP_IS_BAD_(name, head)    name##_HT_REP_IS_BAD_(head)
+#define HT_FOREACH_FN(name, head, fn, data) \
+   name##_HT_FOREACH_FN((head), (fn), (data))
 /* Helper: */
 static inline unsigned
 ht_improve_hash(unsigned h)
diff --git a/src/ext/include.am b/src/ext/include.am
index f00f3e031e..7ec2e43312 100644
--- a/src/ext/include.am
+++ b/src/ext/include.am
@@ -5,6 +5,7 @@ EXTRA_DIST += src/ext/README
 
 EXTHEADERS = \
   src/ext/ht.h		\
+  src/ext/byteorder.h   \
   src/ext/tinytest.h	\
   src/ext/tor_readpassphrase.h \
   src/ext/strlcat.c	\
@@ -100,6 +101,7 @@ noinst_LIBRARIES += $(LIBED25519_REF10)
 src_ext_ed25519_donna_libed25519_donna_a_CFLAGS=\
   @CFLAGS_CONSTTIME@ \
   -DED25519_CUSTOMRANDOM \
+  -DED25519_CUSTOMHASH \
   -DED25519_SUFFIX=_donna
 
 src_ext_ed25519_donna_libed25519_donna_a_SOURCES= \
diff --git a/src/ext/keccak-tiny/keccak-tiny-unrolled.c b/src/ext/keccak-tiny/keccak-tiny-unrolled.c
index d1342c3601..07e8c95bcf 100644
--- a/src/ext/keccak-tiny/keccak-tiny-unrolled.c
+++ b/src/ext/keccak-tiny/keccak-tiny-unrolled.c
@@ -9,29 +9,22 @@
 #include "keccak-tiny.h"
 
 #include <string.h>
-#include "crypto.h"
+#include "crypto_util.h"
+#include "byteorder.h"
 
 /******** Endianness conversion helpers ********/
 
 static inline uint64_t
 loadu64le(const unsigned char *x) {
-  uint64_t r = 0;
-  size_t i;
-
-  for (i = 0; i < 8; ++i) {
-    r |= (uint64_t)x[i] << 8 * i;
-  }
-  return r;
+  uint64_t r;
+  memcpy(&r, x, sizeof(r));
+  return _le64toh(r);
 }
 
 static inline void
 storeu64le(uint8_t *x, uint64_t u) {
-  size_t i;
-
-  for(i=0; i<8; ++i) {
-    x[i] = u;
-    u >>= 8;
-  }
+  uint64_t val = _le64toh(u);
+  memcpy(x, &val, sizeof(u));
 }
 
 /******** The Keccak-f[1600] permutation ********/
diff --git a/src/ext/rust b/src/ext/rust
new file mode 160000
+Subproject aa37fb84fb829902e83ca11a7244bbc6b86b809
diff --git a/src/ext/siphash.h b/src/ext/siphash.h
index d9b34b8980..730e49937d 100644
--- a/src/ext/siphash.h
+++ b/src/ext/siphash.h
@@ -9,5 +9,6 @@ uint64_t siphash24(const void *src, unsigned long src_sz, const struct sipkey *k
 
 void siphash_set_global_key(const struct sipkey *key);
 uint64_t siphash24g(const void *src, unsigned long src_sz);
+void siphash_unset_global_key(void);
 
 #endif
diff --git a/src/ext/timeouts/timeout-bitops.c b/src/ext/timeouts/timeout-bitops.c
index 45466f6cb3..68db817933 100644
--- a/src/ext/timeouts/timeout-bitops.c
+++ b/src/ext/timeouts/timeout-bitops.c
@@ -231,7 +231,8 @@ main(int c, char **v)
 	int result = 0;
 
 	for (i = 0; i <= 63; ++i) {
-		uint64_t x = 1 << i;
+		uint64_t x = 1;
+		x <<= i;
 		if (!check(x))
 			result = 1;
 		--x;
diff --git a/src/ext/timeouts/timeout.c b/src/ext/timeouts/timeout.c
index 713ec219ce..d4b514d2c5 100644
--- a/src/ext/timeouts/timeout.c
+++ b/src/ext/timeouts/timeout.c
@@ -150,7 +150,7 @@
 #else
 #define ctz(n) ctz32(n)
 #define clz(n) clz32(n)
-#define fls(n) ((int)(32 - clz32(n)))
+#define fls(n) ((int)(32 - clz32((uint32_t)n)))
 #endif
 
 #if WHEEL_BIT == 6
@@ -432,7 +432,7 @@ TIMEOUT_PUBLIC void timeouts_update(struct timeouts *T, abstime_t curtime) {
 			 * or can be replaced with a simpler operation.
 			 */
 			oslot = WHEEL_MASK & (T->curtime >> (wheel * WHEEL_BIT));
-			pending = rotl(((UINT64_C(1) << _elapsed) - 1), oslot);
+			pending = rotl(((WHEEL_C(1) << _elapsed) - 1), oslot);
 
 			nslot = WHEEL_MASK & (curtime >> (wheel * WHEEL_BIT));
 			pending |= rotr(rotl(((WHEEL_C(1) << _elapsed) - 1), nslot), (int)_elapsed);
diff --git a/src/ext/trunnel/trunnel-impl.h b/src/ext/trunnel/trunnel-impl.h
index 3ffde6e09b..b233cf7631 100644
--- a/src/ext/trunnel/trunnel-impl.h
+++ b/src/ext/trunnel/trunnel-impl.h
@@ -1,11 +1,11 @@
-/* trunnel-impl.h -- copied from Trunnel v1.4.6
+/* trunnel-impl.h -- copied from Trunnel v1.5.2
  * https://gitweb.torproject.org/trunnel.git
  * You probably shouldn't edit this file.
  */
 /* trunnel-impl.h -- Implementation helpers for trunnel, included by
  * generated trunnel files
  *
- * Copyright 2014-2015, The Tor Project, Inc.
+ * Copyright 2014-2017, The Tor Project, Inc.
  * See license at the end of this file for copying information.
  */
 
@@ -17,6 +17,7 @@
 #include "trunnel.h"
 #include <assert.h>
 #include <string.h>
+#include <stdlib.h>
 
 #if defined(_MSC_VER) && (_MSC_VER < 1600)
 #define uint8_t unsigned char
diff --git a/src/ext/trunnel/trunnel.c b/src/ext/trunnel/trunnel.c
index 3994422643..b749d8136f 100644
--- a/src/ext/trunnel/trunnel.c
+++ b/src/ext/trunnel/trunnel.c
@@ -1,10 +1,10 @@
-/* trunnel.c -- copied from Trunnel v1.4.6
+/* trunnel.c -- copied from Trunnel v1.5.2
  * https://gitweb.torproject.org/trunnel.git
  * You probably shouldn't edit this file.
  */
 /* trunnel.c -- Helper functions to implement trunnel.
  *
- * Copyright 2014-2015, The Tor Project, Inc.
+ * Copyright 2014-2017, The Tor Project, Inc.
  * See license at the end of this file for copying information.
  *
  * See trunnel-impl.h for documentation of these functions.
diff --git a/src/ext/trunnel/trunnel.h b/src/ext/trunnel/trunnel.h
index 41068b8fb3..32c80bac23 100644
--- a/src/ext/trunnel/trunnel.h
+++ b/src/ext/trunnel/trunnel.h
@@ -1,11 +1,11 @@
-/* trunnel.h -- copied from Trunnel v1.4.6
+/* trunnel.h -- copied from Trunnel v1.5.2
  * https://gitweb.torproject.org/trunnel.git
  * You probably shouldn't edit this file.
  */
 /* trunnel.h -- Public declarations for trunnel, to be included
  * in trunnel header files.
 
- * Copyright 2014-2015, The Tor Project, Inc.
+ * Copyright 2014-2017, The Tor Project, Inc.
  * See license at the end of this file for copying information.
  */