tor/changes/bug17983

  o Minor features (bug-finding):
    - Tor now builds with -ftrapv by default on compilers that support it.
      This option detects signed integer overflow, and turns it into a
      hard-failure.  We do not apply this option to code that needs to run
      in constant time to avoid side-channels; instead, we use -fwrapv.
      Closes ticket 17983.
    - When --enable-expensive-hardening is selected, stop applying the clang/gcc
      sanitizers to code that needs to run in constant-time to avoid side
      channels: although we are aware of no introduced side-channels, we
      are not able to prove that this is safe. Related to ticket 17983.
Add -ftrapv to gcc-hardening ... mostly! We know there are overflows in curve25519-donna-c32, so we'll have to have that one be fwrapv. Only apply the asan, ubsan, and trapv options to the code that does not need to run in constant time. Those options introduce branches to the code they instrument. (These introduced branches should never actually be taken, so it might _still_ be constant time after all, but branch predictors are complicated enough that I'm not really confident here. Let's aim for safety.) Closes 17983. 2016-04-13 00:59:40 +02:00			`o Minor features (bug-finding):`
			`- Tor now builds with -ftrapv by default on compilers that support it.`
			`This option detects signed integer overflow, and turns it into a`
			`hard-failure. We do not apply this option to code that needs to run`
			`in constant time to avoid side-channels; instead, we use -fwrapv.`
			`Closes ticket 17983.`
			`- When --enable-expensive-hardening is selected, stop applying the clang/gcc`
			`sanitizers to code that needs to run in constant-time to avoid side`
			`channels: although we are aware of no introduced side-channels, we`
			`are not able to prove that this is safe. Related to ticket 17983.`