nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-24 12:23:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote branch fix_security_bug_021 into fix_security_bug_022

Browse Source 
Conflicts:
	src/common/memarea.c
	src/or/or.h
	src/or/rendclient.c
This commit is contained in:
Nick Mathewson 2010-12-15 22:47:28 -05:00
commit b5e293afe6
28 changed files with 166 additions and 122 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
changes/security_bug Normal file
View File

@ -0,0 +1,5 @@
o Major bugfixes:
- Fix a remotely exploitable bug that could be used to crash instances
of Tor remotely by overflowing on the heap. Remove-code execution
hasn't been confirmed, but can't be ruled out. Obviously, everyone
should upgrade. Bugfix on the 0.1.1 series and later.

15
src/common/compat.c
View File

@ -126,6 +126,7 @@ tor_mmap_file(const char *filename)
return NULL;
}
/* XXXX why not just do fstat here? */
size = filesize = (size_t) lseek(fd, 0, SEEK_END);
lseek(fd, 0, SEEK_SET);
/* ensure page alignment */
@ -299,7 +300,7 @@ tor_vsnprintf(char *str, size_t size, const char *format, va_list args)
int r;
if (size == 0)
return -1; /* no place for the NUL */
if (size > SSIZE_T_MAX-16)
if (size > SIZE_T_CEILING)
return -1;
#ifdef MS_WINDOWS
r = _vsnprintf(str, size, format, args);
@ -560,7 +561,7 @@ tor_fix_source_file(const char *fname)
* unaligned memory access.
*/
uint16_t
get_uint16(const char *cp)
get_uint16(const void *cp)
{
uint16_t v;
memcpy(&v,cp,2);
@ -572,7 +573,7 @@ get_uint16(const char *cp)
* unaligned memory access.
*/
uint32_t
get_uint32(const char *cp)
get_uint32(const void *cp)
{
uint32_t v;
memcpy(&v,cp,4);
@ -584,7 +585,7 @@ get_uint32(const char *cp)
* unaligned memory access.
*/
uint64_t
get_uint64(const char *cp)
get_uint64(const void *cp)
{
uint64_t v;
memcpy(&v,cp,8);
@ -596,7 +597,7 @@ get_uint64(const char *cp)
* *(uint16_t*)(cp) = v, but will not cause segfaults on platforms that forbid
* unaligned memory access. */
void
set_uint16(char *cp, uint16_t v)
set_uint16(void *cp, uint16_t v)
{
memcpy(cp,&v,2);
}
@ -605,7 +606,7 @@ set_uint16(char *cp, uint16_t v)
* *(uint32_t*)(cp) = v, but will not cause segfaults on platforms that forbid
* unaligned memory access. */
void
set_uint32(char *cp, uint32_t v)
set_uint32(void *cp, uint32_t v)
{
memcpy(cp,&v,4);
}
@ -614,7 +615,7 @@ set_uint32(char *cp, uint32_t v)
* *(uint64_t*)(cp) = v, but will not cause segfaults on platforms that forbid
* unaligned memory access. */
void
set_uint64(char *cp, uint64_t v)
set_uint64(void *cp, uint64_t v)
{
memcpy(cp,&v,8);
}

16
src/common/compat.h
View File

@ -488,18 +488,18 @@ long tor_weak_random(void);
/* ===== OS compatibility */
const char *get_uname(void);
uint16_t get_uint16(const char *cp) ATTR_PURE ATTR_NONNULL((1));
uint32_t get_uint32(const char *cp) ATTR_PURE ATTR_NONNULL((1));
uint64_t get_uint64(const char *cp) ATTR_PURE ATTR_NONNULL((1));
void set_uint16(char *cp, uint16_t v) ATTR_NONNULL((1));
void set_uint32(char *cp, uint32_t v) ATTR_NONNULL((1));
void set_uint64(char *cp, uint64_t v) ATTR_NONNULL((1));
uint16_t get_uint16(const void *cp) ATTR_PURE ATTR_NONNULL((1));
uint32_t get_uint32(const void *cp) ATTR_PURE ATTR_NONNULL((1));
uint64_t get_uint64(const void *cp) ATTR_PURE ATTR_NONNULL((1));
void set_uint16(void *cp, uint16_t v) ATTR_NONNULL((1));
void set_uint32(void *cp, uint32_t v) ATTR_NONNULL((1));
void set_uint64(void *cp, uint64_t v) ATTR_NONNULL((1));
/* These uint8 variants are defined to make the code more uniform. */
#define get_uint8(cp) (*(const uint8_t*)(cp))
static void set_uint8(char *cp, uint8_t v);
static void set_uint8(void *cp, uint8_t v);
static INLINE void
set_uint8(char *cp, uint8_t v)
set_uint8(void *cp, uint8_t v)
{
*(uint8_t*)cp = v;
}

11
src/common/crypto.c
View File

@ -901,6 +901,8 @@ crypto_pk_public_checksig_digest(crypto_pk_env_t *env, const char *data,
tor_assert(env);
tor_assert(data);
tor_assert(sig);
tor_assert(datalen < SIZE_T_CEILING);
tor_assert(siglen < SIZE_T_CEILING);
if (crypto_digest(digest,data,datalen)<0) {
log_warn(LD_BUG, "couldn't compute digest");
@ -1001,6 +1003,7 @@ crypto_pk_public_hybrid_encrypt(crypto_pk_env_t *env,
tor_assert(env);
tor_assert(from);
tor_assert(to);
tor_assert(fromlen < SIZE_T_CEILING);
overhead = crypto_get_rsa_padding_overhead(crypto_get_rsa_padding(padding));
pkeylen = crypto_pk_keysize(env);
@ -1068,6 +1071,7 @@ crypto_pk_private_hybrid_decrypt(crypto_pk_env_t *env,
crypto_cipher_env_t *cipher = NULL;
char *buf = NULL;
tor_assert(fromlen < SIZE_T_CEILING);
pkeylen = crypto_pk_keysize(env);
if (fromlen <= pkeylen) {
@ -1117,7 +1121,7 @@ crypto_pk_asn1_encode(crypto_pk_env_t *pk, char *dest, size_t dest_len)
int len;
unsigned char *buf, *cp;
len = i2d_RSAPublicKey(pk->key, NULL);
if (len < 0 || (size_t)len > dest_len)
if (len < 0 || (size_t)len > dest_len || dest_len > SIZE_T_CEILING)
return -1;
cp = buf = tor_malloc(len+1);
len = i2d_RSAPublicKey(pk->key, &cp);
@ -1192,6 +1196,8 @@ add_spaces_to_fp(char *out, size_t outlen, const char *in)
{
int n = 0;
char *end = out+outlen;
tor_assert(outlen < SIZE_T_CEILING);
while (*in && out<end) {
*out++ = *in++;
if (++n == 4 && *in && out<end) {
@ -1337,6 +1343,7 @@ crypto_cipher_encrypt(crypto_cipher_env_t *env, char *to,
tor_assert(from);
tor_assert(fromlen);
tor_assert(to);
tor_assert(fromlen < SIZE_T_CEILING);
aes_crypt(env->cipher, from, fromlen, to);
return 0;
@ -1353,6 +1360,7 @@ crypto_cipher_decrypt(crypto_cipher_env_t *env, char *to,
tor_assert(env);
tor_assert(from);
tor_assert(to);
tor_assert(fromlen < SIZE_T_CEILING);
aes_crypt(env->cipher, from, fromlen, to);
return 0;
@ -1364,6 +1372,7 @@ crypto_cipher_decrypt(crypto_cipher_env_t *env, char *to,
int
crypto_cipher_crypt_inplace(crypto_cipher_env_t *env, char *buf, size_t len)
{
tor_assert(len < SIZE_T_CEILING);
aes_crypt_inplace(env->cipher, buf, len);
return 0;
}

3
src/common/memarea.c
View File

@ -95,6 +95,7 @@ static memarea_chunk_t *freelist = NULL;
static memarea_chunk_t *
alloc_chunk(size_t sz, int freelist_ok)
{
tor_assert(sz < SIZE_T_CEILING);
if (freelist && freelist_ok) {
memarea_chunk_t *res = freelist;
freelist = res->next_chunk;
@ -211,6 +212,7 @@ memarea_alloc(memarea_t *area, size_t sz)
char *result;
tor_assert(chunk);
CHECK_SENTINEL(chunk);
tor_assert(sz < SIZE_T_CEILING);
if (sz == 0)
sz = 1;
if (chunk->next_mem+sz > chunk->u.mem+chunk->mem_size) {
@ -269,6 +271,7 @@ memarea_strndup(memarea_t *area, const char *s, size_t n)
size_t ln;
char *result;
const char *cp, *end = s+n;
tor_assert(n < SIZE_T_CEILING);
for (cp = s; cp < end && *cp; ++cp)
;
/* cp now points to s+n, or to the 0 in the string. */

4
src/common/mempool.c
View File

@ -357,6 +357,10 @@ mp_pool_new(size_t item_size, size_t chunk_capacity)
mp_pool_t *pool;
size_t alloc_size, new_chunk_cap;
tor_assert(item_size < SIZE_T_CEILING);
tor_assert(chunk_capacity < SIZE_T_CEILING);
tor_assert(SIZE_T_CEILING / item_size > chunk_capacity);
pool = ALLOC(sizeof(mp_pool_t));
CHECK_ALLOC(pool);
memset(pool, 0, sizeof(mp_pool_t));

2
src/common/torint.h
View File

@ -330,7 +330,7 @@ typedef uint32_t uintptr_t;
#endif
/* Any size_t larger than this amount is likely to be an underflow. */
#define SIZE_T_CEILING (sizeof(char)<<(sizeof(size_t)*8 - 1))
#define SIZE_T_CEILING (SSIZE_T_MAX-16)
#endif /* __TORINT_H */

11
src/common/util.c
View File

@ -122,6 +122,8 @@ _tor_malloc(size_t size DMALLOC_PARAMS)
{
void *result;
tor_assert(size < SIZE_T_CEILING);
#ifndef MALLOC_ZERO_WORKS
/* Some libc mallocs don't work when size==0. Override them. */
if (size==0) {
@ -218,6 +220,7 @@ _tor_strndup(const char *s, size_t n DMALLOC_PARAMS)
{
char *dup;
tor_assert(s);
tor_assert(n < SIZE_T_CEILING);
dup = _tor_malloc((n+1) DMALLOC_FN_ARGS);
/* Performance note: Ordinarily we prefer strlcpy to strncpy. But
* this function gets called a whole lot, and platform strncpy is
@ -234,6 +237,7 @@ void *
_tor_memdup(const void *mem, size_t len DMALLOC_PARAMS)
{
char *dup;
tor_assert(len < SIZE_T_CEILING);
tor_assert(mem);
dup = _tor_malloc(len DMALLOC_FN_ARGS);
memcpy(dup, mem, len);
@ -263,12 +267,15 @@ void *
_tor_malloc_roundup(size_t *sizep DMALLOC_PARAMS)
{
#ifdef HAVE_MALLOC_GOOD_SIZE
tor_assert(*sizep < SIZE_T_CEILING);
*sizep = malloc_good_size(*sizep);
return _tor_malloc(*sizep DMALLOC_FN_ARGS);
#elif 0 && defined(HAVE_MALLOC_USABLE_SIZE) && !defined(USE_DMALLOC)
/* Never use malloc_usable_size(); it makes valgrind really unhappy,
* and doesn't win much in terms of usable space where it exists. */
void *result = _tor_malloc(*sizep DMALLOC_FN_ARGS);
void *result;
tor_assert(*sizep < SIZE_T_CEILING);
result = _tor_malloc(*sizep DMALLOC_FN_ARGS);
*sizep = malloc_usable_size(result);
return result;
#else
@ -2131,7 +2138,7 @@ read_file_to_str(const char *filename, int flags, struct stat *stat_out)
return NULL;
}
if ((uint64_t)(statbuf.st_size)+1 > SIZE_T_MAX)
if ((uint64_t)(statbuf.st_size)+1 > SIZE_T_CEILING)
return NULL;
string = tor_malloc((size_t)(statbuf.st_size+1));

2
src/or/buffers.c
View File

@ -1048,7 +1048,7 @@ fetch_var_cell_from_buf(buf_t *buf, var_cell_t **out, int linkproto)
result->circ_id = ntohs(get_uint16(hdr));
buf_remove_from_front(buf, VAR_CELL_HEADER_SIZE);
peek_from_buf(result->payload, length, buf);
peek_from_buf((char*) result->payload, length, buf);
buf_remove_from_front(buf, length);
check();

13
src/or/circuitbuild.c
View File

@ -1902,7 +1902,7 @@ circuit_send_next_onion_skin(origin_circuit_t *circ)
* and a DH operation. */
cell_type = CELL_CREATE_FAST;
memset(payload, 0, sizeof(payload));
crypto_rand(circ->cpath->fast_handshake_state,
crypto_rand((char*) circ->cpath->fast_handshake_state,
sizeof(circ->cpath->fast_handshake_state));
memcpy(payload, circ->cpath->fast_handshake_state,
sizeof(circ->cpath->fast_handshake_state));
@ -2081,8 +2081,8 @@ circuit_extend(cell_t *cell, circuit_t *circ)
n_addr32 = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE));
n_port = ntohs(get_uint16(cell->payload+RELAY_HEADER_SIZE+4));
onionskin = cell->payload+RELAY_HEADER_SIZE+4+2;
id_digest = cell->payload+RELAY_HEADER_SIZE+4+2+ONIONSKIN_CHALLENGE_LEN;
onionskin = (char*) cell->payload+RELAY_HEADER_SIZE+4+2;
id_digest = (char*) cell->payload+RELAY_HEADER_SIZE+4+2+ONIONSKIN_CHALLENGE_LEN;
tor_addr_from_ipv4h(&n_addr, n_addr32);
if (!n_port || !n_addr32) {
@ -2220,7 +2220,7 @@ circuit_init_cpath_crypto(crypt_path_t *cpath, const char *key_data,
*/
int
circuit_finish_handshake(origin_circuit_t *circ, uint8_t reply_type,
const char *reply)
const uint8_t *reply)
{
char keys[CPATH_KEY_MATERIAL_LEN];
crypt_path_t *hop;
@ -2237,7 +2237,7 @@ circuit_finish_handshake(origin_circuit_t *circ, uint8_t reply_type,
tor_assert(hop->state == CPATH_STATE_AWAITING_KEYS);
if (reply_type == CELL_CREATED && hop->dh_handshake_state) {
if (onion_skin_client_handshake(hop->dh_handshake_state, reply, keys,
if (onion_skin_client_handshake(hop->dh_handshake_state, (char*)reply, keys,
DIGEST_LEN*2+CIPHER_KEY_LEN*2) < 0) {
log_warn(LD_CIRC,"onion_skin_client_handshake failed.");
return -END_CIRC_REASON_TORPROTOCOL;
@ -2245,7 +2245,8 @@ circuit_finish_handshake(origin_circuit_t *circ, uint8_t reply_type,
/* Remember hash of g^xy */
memcpy(hop->handshake_digest, reply+DH_KEY_LEN, DIGEST_LEN);
} else if (reply_type == CELL_CREATED_FAST && !hop->dh_handshake_state) {
if (fast_client_handshake(hop->fast_handshake_state, reply, keys,
if (fast_client_handshake(hop->fast_handshake_state, reply,
(uint8_t*)keys,
DIGEST_LEN*2+CIPHER_KEY_LEN*2) < 0) {
log_warn(LD_CIRC,"fast_client_handshake failed.");
return -END_CIRC_REASON_TORPROTOCOL;

2
src/or/circuitbuild.h
View File

@ -31,7 +31,7 @@ int circuit_extend(cell_t *cell, circuit_t *circ);
int circuit_init_cpath_crypto(crypt_path_t *cpath, const char *key_data,
int reverse);
int circuit_finish_handshake(origin_circuit_t *circ, uint8_t cell_type,
const char *reply);
const uint8_t *reply);
int circuit_truncated(origin_circuit_t *circ, crypt_path_t *layer);
int onionskin_answer(or_circuit_t *circ, uint8_t cell_type,
const char *payload, const char *keys);

17
src/or/command.c
View File

@ -306,7 +306,8 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn)
char keys[CPATH_KEY_MATERIAL_LEN];
char reply[DIGEST_LEN*2];
tor_assert(cell->command == CELL_CREATE_FAST);
if (fast_server_handshake(cell->payload, reply, keys, sizeof(keys))<0) {
if (fast_server_handshake(cell->payload, (uint8_t*)reply,
(uint8_t*)keys, sizeof(keys))<0) {
log_warn(LD_OR,"Failed to generate key material. Closing.");
circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL);
return;
@ -353,7 +354,7 @@ command_process_created_cell(cell_t *cell, or_connection_t *conn)
int err_reason = 0;
log_debug(LD_OR,"at OP. Finishing handshake.");
if ((err_reason = circuit_finish_handshake(origin_circ, cell->command,
cell->payload)) < 0) {
cell->payload)) < 0) {
log_warn(LD_OR,"circuit_finish_handshake failed.");
circuit_mark_for_close(circ, -err_reason);
return;
@ -369,7 +370,7 @@ command_process_created_cell(cell_t *cell, or_connection_t *conn)
log_debug(LD_OR,
"Converting created cell to extended relay cell, sending.");
relay_send_command_from_edge(0, circ, RELAY_COMMAND_EXTENDED,
cell->payload, ONIONSKIN_REPLY_LEN,
(char*)cell->payload, ONIONSKIN_REPLY_LEN,
NULL);
}
}
@ -499,7 +500,7 @@ static void
command_process_versions_cell(var_cell_t *cell, or_connection_t *conn)
{
int highest_supported_version = 0;
const char *cp, *end;
const uint8_t *cp, *end;
if (conn->link_proto != 0 ||
conn->_base.state != OR_CONN_STATE_OR_HANDSHAKING ||
(conn->handshake_state && conn->handshake_state->received_versions)) {
@ -553,8 +554,8 @@ command_process_netinfo_cell(cell_t *cell, or_connection_t *conn)
time_t timestamp;
uint8_t my_addr_type;
uint8_t my_addr_len;
const char *my_addr_ptr;
const char *cp, *end;
const uint8_t *my_addr_ptr;
const uint8_t *cp, *end;
uint8_t n_other_addrs;
time_t now = time(NULL);
@ -582,7 +583,7 @@ command_process_netinfo_cell(cell_t *cell, or_connection_t *conn)
my_addr_type = (uint8_t) cell->payload[4];
my_addr_len = (uint8_t) cell->payload[5];
my_addr_ptr = cell->payload + 6;
my_addr_ptr = (uint8_t*) cell->payload + 6;
end = cell->payload + CELL_PAYLOAD_SIZE;
cp = cell->payload + 6 + my_addr_len;
if (cp >= end) {
@ -599,7 +600,7 @@ command_process_netinfo_cell(cell_t *cell, or_connection_t *conn)
/* Consider all the other addresses; if any matches, this connection is
* "canonical." */
tor_addr_t addr;
const char *next = decode_address_from_payload(&addr, cp, (int)(end-cp));
const uint8_t *next = decode_address_from_payload(&addr, cp, (int)(end-cp));
if (next == NULL) {
log_fn(LOG_PROTOCOL_WARN, LD_OR,
"Bad address in netinfo cell; closing connection.");

26
src/or/connection_edge.c
View File

@ -1492,7 +1492,8 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
tor_snprintf(socks->address, sizeof(socks->address), "REVERSE[%s]",
orig_address);
connection_ap_handshake_socks_resolved(conn, RESOLVED_TYPE_HOSTNAME,
strlen(result), result, -1,
strlen(result), (uint8_t*)result,
-1,
map_expires);
connection_mark_unattached_ap(conn,
END_STREAM_REASON_DONE |
@ -1613,7 +1614,8 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
/* remember _what_ is supposed to have been resolved. */
strlcpy(socks->address, orig_address, sizeof(socks->address));
connection_ap_handshake_socks_resolved(conn,RESOLVED_TYPE_IPV4,4,
(char*)&answer,-1,map_expires);
(uint8_t*)&answer,
-1,map_expires);
connection_mark_unattached_ap(conn,
END_STREAM_REASON_DONE |
END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED);
@ -2318,7 +2320,7 @@ void
connection_ap_handshake_socks_resolved(edge_connection_t *conn,
int answer_type,
size_t answer_len,
const char *answer,
const uint8_t *answer,
int ttl,
time_t expires)
{
@ -2332,7 +2334,7 @@ connection_ap_handshake_socks_resolved(edge_connection_t *conn,
client_dns_set_addressmap(conn->socks_request->address, a,
conn->chosen_exit_name, ttl);
} else if (answer_type == RESOLVED_TYPE_HOSTNAME && answer_len < 256) {
char *cp = tor_strndup(answer, answer_len);
char *cp = tor_strndup((char*)answer, answer_len);
client_dns_set_reverse_addressmap(conn->socks_request->address,
cp,
conn->chosen_exit_name, ttl);
@ -2343,14 +2345,14 @@ connection_ap_handshake_socks_resolved(edge_connection_t *conn,
if (conn->is_dns_request) {
if (conn->dns_server_request) {
/* We had a request on our DNS port: answer it. */
dnsserv_resolved(conn, answer_type, answer_len, answer, ttl);
dnsserv_resolved(conn, answer_type, answer_len, (char*)answer, ttl);
conn->socks_request->has_finished = 1;
return;
} else {
/* This must be a request from the controller. We already sent
* a mapaddress if there's a ttl. */
tell_controller_about_resolved_result(conn, answer_type, answer_len,
answer, ttl, expires);
(char*)answer, ttl, expires);
conn->socks_request->has_finished = 1;
return;
}
@ -2495,6 +2497,8 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ)
or_circ = TO_OR_CIRCUIT(circ);
relay_header_unpack(&rh, cell->payload);
if (rh.length > RELAY_PAYLOAD_SIZE)
return -1;
/* Note: we have to use relay_send_command_from_edge here, not
* connection_edge_end or connection_edge_send_command, since those require
@ -2518,7 +2522,8 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ)
END_STREAM_REASON_TORPROTOCOL, NULL);
return 0;
}
if (parse_addr_port(LOG_PROTOCOL_WARN, cell->payload+RELAY_HEADER_SIZE,
if (parse_addr_port(LOG_PROTOCOL_WARN,
(char*)(cell->payload+RELAY_HEADER_SIZE),
&address,NULL,&port)<0) {
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
"Unable to parse addr:port in relay begin cell. Closing.");
@ -2683,6 +2688,8 @@ connection_exit_begin_resolve(cell_t *cell, or_circuit_t *circ)
assert_circuit_ok(TO_CIRCUIT(circ));
relay_header_unpack(&rh, cell->payload);
if (rh.length > RELAY_PAYLOAD_SIZE)
return -1;
/* This 'dummy_conn' only exists to remember the stream ID
* associated with the resolve request; and to make the
@ -2693,8 +2700,9 @@ connection_exit_begin_resolve(cell_t *cell, or_circuit_t *circ)
*/
dummy_conn = edge_connection_new(CONN_TYPE_EXIT, AF_INET);
dummy_conn->stream_id = rh.stream_id;
dummy_conn->_base.address = tor_strndup(cell->payload+RELAY_HEADER_SIZE,
rh.length);
dummy_conn->_base.address = tor_strndup(
(char*)cell->payload+RELAY_HEADER_SIZE,
rh.length);
dummy_conn->_base.port = 0;
dummy_conn->_base.state = EXIT_CONN_STATE_RESOLVEFAILED;
dummy_conn->_base.purpose = EXIT_PURPOSE_RESOLVE;

2
src/or/connection_edge.h
View File

@ -38,7 +38,7 @@ void connection_ap_handshake_socks_reply(edge_connection_t *conn, char *reply,
void connection_ap_handshake_socks_resolved(edge_connection_t *conn,
int answer_type,
size_t answer_len,
const char *answer,
const uint8_t *answer,
int ttl,
time_t expires);

5
src/or/connection_or.c
View File

@ -1259,7 +1259,8 @@ connection_or_write_var_cell_to_buf(const var_cell_t *cell,
tor_assert(conn);
var_cell_pack_header(cell, hdr);
connection_write_to_buf(hdr, sizeof(hdr), TO_CONN(conn));
connection_write_to_buf(cell->payload, cell->payload_len, TO_CONN(conn));
connection_write_to_buf((char*)cell->payload,
cell->payload_len, TO_CONN(conn));
if (cell->command != CELL_PADDING)
conn->timestamp_last_added_nonpadding = approx_time();
}
@ -1388,7 +1389,7 @@ connection_or_send_netinfo(or_connection_t *conn)
time_t now = time(NULL);
routerinfo_t *me;
int len;
char *out;
uint8_t *out;
memset(&cell, 0, sizeof(cell_t));
cell.command = CELL_NETINFO;

14
src/or/onion.c
View File

@ -349,9 +349,9 @@ onion_skin_client_handshake(crypto_dh_env_t *handshake_state,
* Return 0 on success, &lt;0 on failure.
**/
int
fast_server_handshake(const char *key_in, /* DIGEST_LEN bytes */
char *handshake_reply_out, /* DIGEST_LEN*2 bytes */
char *key_out,
fast_server_handshake(const uint8_t *key_in, /* DIGEST_LEN bytes */
uint8_t *handshake_reply_out, /* DIGEST_LEN*2 bytes */
uint8_t *key_out,
size_t key_out_len)
{
char tmp[DIGEST_LEN+DIGEST_LEN];
@ -359,7 +359,7 @@ fast_server_handshake(const char *key_in, /* DIGEST_LEN bytes */
size_t out_len;
int r = -1;
if (crypto_rand(handshake_reply_out, DIGEST_LEN)<0)
if (crypto_rand((char*)handshake_reply_out, DIGEST_LEN)<0)
return -1;
memcpy(tmp, key_in, DIGEST_LEN);
@ -392,9 +392,9 @@ fast_server_handshake(const char *key_in, /* DIGEST_LEN bytes */
* and protected by TLS).
*/
int
fast_client_handshake(const char *handshake_state, /* DIGEST_LEN bytes */
const char *handshake_reply_out, /* DIGEST_LEN*2 bytes */
char *key_out,
fast_client_handshake(const uint8_t *handshake_state, /* DIGEST_LEN bytes */
const uint8_t *handshake_reply_out, /* DIGEST_LEN*2 bytes */
uint8_t *key_out,
size_t key_out_len)
{
char tmp[DIGEST_LEN+DIGEST_LEN];

12
src/or/onion.h
View File

@ -32,14 +32,14 @@ int onion_skin_client_handshake(crypto_dh_env_t *handshake_state,
char *key_out,
size_t key_out_len);
int fast_server_handshake(const char *key_in,
char *handshake_reply_out,
char *key_out,
int fast_server_handshake(const uint8_t *key_in,
uint8_t *handshake_reply_out,
uint8_t *key_out,
size_t key_out_len);
int fast_client_handshake(const char *handshake_state,
const char *handshake_reply_out,
char *key_out,
int fast_client_handshake(const uint8_t *handshake_state,
const uint8_t *handshake_reply_out,
uint8_t *key_out,
size_t key_out_len);
void clear_pending_onions(void);

6
src/or/or.h
View File

@ -838,7 +838,7 @@ typedef struct cell_t {
circid_t circ_id; /**< Circuit which received the cell. */
uint8_t command; /**< Type of the cell: one of CELL_PADDING, CELL_CREATE,
* CELL_DESTROY, etc */
char payload[CELL_PAYLOAD_SIZE]; /**< Cell body. */
uint8_t payload[CELL_PAYLOAD_SIZE]; /**< Cell body. */
} cell_t;
/** Parsed variable-length onion routing cell. */
@ -846,7 +846,7 @@ typedef struct var_cell_t {
uint8_t command;
circid_t circ_id;
uint16_t payload_len;
char payload[1];
uint8_t payload[1];
} var_cell_t;
/** A cell as packed for writing to the network. */
@ -1958,7 +1958,7 @@ typedef struct crypt_path_t {
* authentication, secrecy, and integrity we need, and we're already
* distinguishable from an OR.
*/
char fast_handshake_state[DIGEST_LEN];
uint8_t fast_handshake_state[DIGEST_LEN];
/** Negotiated key material shared with the OR at this step. */
char handshake_digest[DIGEST_LEN];/* KH in tor-spec.txt */

34
src/or/relay.c
View File

@ -97,7 +97,7 @@ relay_set_digest(crypto_digest_env_t *digest, cell_t *cell)
char integrity[4];
relay_header_t rh;
crypto_digest_add_bytes(digest, cell->payload, CELL_PAYLOAD_SIZE);
crypto_digest_add_bytes(digest, (char*)cell->payload, CELL_PAYLOAD_SIZE);
crypto_digest_get_digest(digest, integrity, 4);
// log_fn(LOG_DEBUG,"Putting digest of %u %u %u %u into relay cell.",
// integrity[0], integrity[1], integrity[2], integrity[3]);
@ -130,7 +130,7 @@ relay_digest_matches(crypto_digest_env_t *digest, cell_t *cell)
// received_integrity[0], received_integrity[1],
// received_integrity[2], received_integrity[3]);
crypto_digest_add_bytes(digest, cell->payload, CELL_PAYLOAD_SIZE);
crypto_digest_add_bytes(digest, (char*) cell->payload, CELL_PAYLOAD_SIZE);
crypto_digest_get_digest(digest, calculated_integrity, 4);
if (memcmp(received_integrity, calculated_integrity, 4)) {
@ -156,12 +156,12 @@ relay_digest_matches(crypto_digest_env_t *digest, cell_t *cell)
* Return -1 if the crypto fails, else return 0.
*/
static int
relay_crypt_one_payload(crypto_cipher_env_t *cipher, char *in,
relay_crypt_one_payload(crypto_cipher_env_t *cipher, uint8_t *in,
int encrypt_mode)
{
int r;
(void)encrypt_mode;
r = crypto_cipher_crypt_inplace(cipher, in, CELL_PAYLOAD_SIZE);
r = crypto_cipher_crypt_inplace(cipher, (char*) in, CELL_PAYLOAD_SIZE);
if (r) {
log_warn(LD_BUG,"Error during relay encryption");
@ -476,10 +476,9 @@ relay_lookup_conn(circuit_t *circ, cell_t *cell,
* about the wire format.
*/
void
relay_header_pack(char *dest, const relay_header_t *src)
relay_header_pack(uint8_t *dest, const relay_header_t *src)
{
*(uint8_t*)(dest) = src->command;
set_uint8(dest, src->command);
set_uint16(dest+1, htons(src->recognized));
set_uint16(dest+3, htons(src->stream_id));
memcpy(dest+5, src->integrity, 4);
@ -490,10 +489,9 @@ relay_header_pack(char *dest, const relay_header_t *src)
* relay_header_t structure <b>dest</b>.
*/
void
relay_header_unpack(relay_header_t *dest, const char *src)
relay_header_unpack(relay_header_t *dest, const uint8_t *src)
{
dest->command = *(uint8_t*)(src);
dest->command = get_uint8(src);
dest->recognized = ntohs(get_uint16(src+1));
dest->stream_id = ntohs(get_uint16(src+3));
memcpy(dest->integrity, src+5, 4);
@ -1124,13 +1122,13 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
}
stats_n_data_bytes_received += rh.length;
connection_write_to_buf(cell->payload + RELAY_HEADER_SIZE,
connection_write_to_buf((char*)(cell->payload + RELAY_HEADER_SIZE),
rh.length, TO_CONN(conn));
connection_edge_consider_sending_sendme(conn);
return 0;
case RELAY_COMMAND_END:
reason = rh.length > 0 ?
*(uint8_t *)(cell->payload+RELAY_HEADER_SIZE) : END_STREAM_REASON_MISC;
get_uint8(cell->payload+RELAY_HEADER_SIZE) : END_STREAM_REASON_MISC;
if (!conn) {
log_info(domain,"end cell (%s) dropped, unknown stream.",
stream_end_reason_to_string(reason));
@ -2463,7 +2461,7 @@ append_cell_to_circuit_queue(circuit_t *circ, or_connection_t *orconn,
* ADDRESS [length bytes]
* Return the number of bytes added, or -1 on error */
int
append_address_to_payload(char *payload_out, const tor_addr_t *addr)
append_address_to_payload(uint8_t *payload_out, const tor_addr_t *addr)
{
uint32_t a;
switch (tor_addr_family(addr)) {
@ -2488,13 +2486,13 @@ append_address_to_payload(char *payload_out, const tor_addr_t *addr)
* encoded as by append_address_to_payload(), try to decode the address into
* *<b>addr_out</b>. Return the next byte in the payload after the address on
* success, or NULL on failure. */
const char *
decode_address_from_payload(tor_addr_t *addr_out, const char *payload,
const uint8_t *
decode_address_from_payload(tor_addr_t *addr_out, const uint8_t *payload,
int payload_len)
{
if (payload_len < 2)
return NULL;
if (payload_len < 2+(uint8_t)payload[1])
if (payload_len < 2+payload[1])
return NULL;
switch (payload[0]) {
@ -2506,13 +2504,13 @@ decode_address_from_payload(tor_addr_t *addr_out, const char *payload,
case RESOLVED_TYPE_IPV6:
if (payload[1] != 16)
return NULL;
tor_addr_from_ipv6_bytes(addr_out, payload+2);
tor_addr_from_ipv6_bytes(addr_out, (char*)(payload+2));
break;
default:
tor_addr_make_unspec(addr_out);
break;
}
return payload + 2 + (uint8_t)payload[1];
return payload + 2 + payload[1];
}
/** Remove all the cells queued on <b>circ</b> for <b>orconn</b>. */

10
src/or/relay.h
View File

@ -18,8 +18,8 @@ extern uint64_t stats_n_relay_cells_delivered;
int circuit_receive_relay_cell(cell_t *cell, circuit_t *circ,
cell_direction_t cell_direction);
void relay_header_pack(char *dest, const relay_header_t *src);
void relay_header_unpack(relay_header_t *dest, const char *src);
void relay_header_pack(uint8_t *dest, const relay_header_t *src);
void relay_header_unpack(relay_header_t *dest, const uint8_t *src);
int relay_send_command_from_edge(streamid_t stream_id, circuit_t *circ,
uint8_t relay_command, const char *payload,
size_t payload_len, crypt_path_t *cpath_layer);
@ -55,9 +55,9 @@ void assert_active_circuits_ok(or_connection_t *orconn);
void make_circuit_inactive_on_conn(circuit_t *circ, or_connection_t *conn);
void make_circuit_active_on_conn(circuit_t *circ, or_connection_t *conn);
int append_address_to_payload(char *payload_out, const tor_addr_t *addr);
const char *decode_address_from_payload(tor_addr_t *addr_out,
const char *payload,
int append_address_to_payload(uint8_t *payload_out, const tor_addr_t *addr);
const uint8_t *decode_address_from_payload(tor_addr_t *addr_out,
const uint8_t *payload,
int payload_len);
unsigned cell_ewma_get_tick(void);
void cell_ewma_set_scale_factor(or_options_t *options,

13
src/or/rendclient.c
View File

@ -234,7 +234,7 @@ rend_client_rendcirc_has_opened(origin_circuit_t *circ)
*/
int
rend_client_introduction_acked(origin_circuit_t *circ,
const char *request, size_t request_len)
const uint8_t *request, size_t request_len)
{
origin_circuit_t *rendcirc;
(void) request; // XXXX Use this.
@ -583,7 +583,7 @@ rend_client_remove_intro_point(extend_info_t *failed_intro,
* the circuit to C_REND_READY.
*/
int
rend_client_rendezvous_acked(origin_circuit_t *circ, const char *request,
rend_client_rendezvous_acked(origin_circuit_t *circ, const uint8_t *request,
size_t request_len)
{
(void) request;
@ -609,7 +609,7 @@ rend_client_rendezvous_acked(origin_circuit_t *circ, const char *request,
/** Bob sent us a rendezvous cell; join the circuits. */
int
rend_client_receive_rendezvous(origin_circuit_t *circ, const char *request,
rend_client_receive_rendezvous(origin_circuit_t *circ, const uint8_t *request,
size_t request_len)
{
crypt_path_t *hop;
@ -637,9 +637,10 @@ rend_client_receive_rendezvous(origin_circuit_t *circ, const char *request,
tor_assert(circ->build_state->pending_final_cpath);
hop = circ->build_state->pending_final_cpath;
tor_assert(hop->dh_handshake_state);
if (crypto_dh_compute_secret(LOG_PROTOCOL_WARN, hop->dh_handshake_state,
request, DH_KEY_LEN, keys,
DIGEST_LEN+CPATH_KEY_MATERIAL_LEN)<0) {
if (crypto_dh_compute_secret(LOG_PROTOCOL_WARN,
hop->dh_handshake_state, (char*)request,
DH_KEY_LEN,
keys, DIGEST_LEN+CPATH_KEY_MATERIAL_LEN)<0) {
log_warn(LD_GENERAL, "Couldn't complete DH handshake.");
goto err;
}

9
src/or/rendclient.h
View File

@ -14,14 +14,17 @@
void rend_client_introcirc_has_opened(origin_circuit_t *circ);
void rend_client_rendcirc_has_opened(origin_circuit_t *circ);
int rend_client_introduction_acked(origin_circuit_t *circ, const char *request,
int rend_client_introduction_acked(origin_circuit_t *circ,
const uint8_t *request,
size_t request_len);
void rend_client_refetch_v2_renddesc(const rend_data_t *rend_query);
int rend_client_remove_intro_point(extend_info_t *failed_intro,
const rend_data_t *rend_query);
int rend_client_rendezvous_acked(origin_circuit_t *circ, const char *request,
int rend_client_rendezvous_acked(origin_circuit_t *circ,
const uint8_t *request,
size_t request_len);
int rend_client_receive_rendezvous(origin_circuit_t *circ, const char *request,
int rend_client_receive_rendezvous(origin_circuit_t *circ,
const uint8_t *request,
size_t request_len);
void rend_client_desc_trynow(const char *query);

2
src/or/rendcommon.c
View File

@ -1358,7 +1358,7 @@ rend_cache_store_v2_desc_as_client(const char *desc,
void
rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
int command, size_t length,
const char *payload)
const uint8_t *payload)
{
or_circuit_t *or_circ = NULL;
origin_circuit_t *origin_circ = NULL;

3
src/or/rendcommon.h
View File

@ -22,7 +22,8 @@ rend_data_free(rend_data_t *data)
int rend_cmp_service_ids(const char *one, const char *two);
void rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
int command, size_t length, const char *payload);
int command, size_t length,
const uint8_t *payload);
void rend_service_descriptor_free(rend_service_descriptor_t *desc);
rend_service_descriptor_t *rend_parse_service_descriptor(const char *str,

30
src/or/rendmid.c
View File

@ -18,7 +18,7 @@
* setting the circuit's purpose and service pk digest.
*/
int
rend_mid_establish_intro(or_circuit_t *circ, const char *request,
rend_mid_establish_intro(or_circuit_t *circ, const uint8_t *request,
size_t request_len)
{
crypto_pk_env_t *pk = NULL;
@ -48,7 +48,7 @@ rend_mid_establish_intro(or_circuit_t *circ, const char *request,
/* Next asn1len bytes: asn1-encoded key. */
if (request_len < 2+DIGEST_LEN+asn1len)
goto truncated;
pk = crypto_pk_asn1_decode(request+2, asn1len);
pk = crypto_pk_asn1_decode((char*)(request+2), asn1len);
if (!pk) {
reason = END_CIRC_REASON_TORPROTOCOL;
log_warn(LD_PROTOCOL, "Couldn't decode public key.");
@ -69,8 +69,8 @@ rend_mid_establish_intro(or_circuit_t *circ, const char *request,
}
/* Rest of body: signature of previous data */
note_crypto_pk_op(REND_MID);
if (crypto_pk_public_checksig_digest(pk, request, 2+asn1len+DIGEST_LEN,
request+2+DIGEST_LEN+asn1len,
if (crypto_pk_public_checksig_digest(pk, (char*)request, 2+asn1len+DIGEST_LEN,
(char*)(request+2+DIGEST_LEN+asn1len),
request_len-(2+DIGEST_LEN+asn1len))<0) {
log_warn(LD_PROTOCOL,
"Incorrect signature on ESTABLISH_INTRO cell; rejecting.");
@ -130,7 +130,7 @@ rend_mid_establish_intro(or_circuit_t *circ, const char *request,
* INTRODUCE2 cell.
*/
int
rend_mid_introduce(or_circuit_t *circ, const char *request, size_t request_len)
rend_mid_introduce(or_circuit_t *circ, const uint8_t *request, size_t request_len)
{
or_circuit_t *intro_circ;
char serviceid[REND_SERVICE_ID_LEN_BASE32+1];
@ -159,10 +159,10 @@ rend_mid_introduce(or_circuit_t *circ, const char *request, size_t request_len)
}
base32_encode(serviceid, REND_SERVICE_ID_LEN_BASE32+1,
request, REND_SERVICE_ID_LEN);
(char*)request, REND_SERVICE_ID_LEN);
/* The first 20 bytes are all we look at: they have a hash of Bob's PK. */
intro_circ = circuit_get_intro_point(request);
intro_circ = circuit_get_intro_point((char*)request);
if (!intro_circ) {
log_info(LD_REND,
"No intro circ found for INTRODUCE1 cell (%s) from circuit %d; "
@ -180,7 +180,7 @@ rend_mid_introduce(or_circuit_t *circ, const char *request, size_t request_len)
/* Great. Now we just relay the cell down the circuit. */
if (relay_send_command_from_edge(0, TO_CIRCUIT(intro_circ),
RELAY_COMMAND_INTRODUCE2,
request, request_len, NULL)) {
(char*)request, request_len, NULL)) {
log_warn(LD_GENERAL,
"Unable to send INTRODUCE2 cell to Tor client.");
goto err;
@ -212,7 +212,7 @@ rend_mid_introduce(or_circuit_t *circ, const char *request, size_t request_len)
* rendezvous cookie.
*/
int
rend_mid_establish_rendezvous(or_circuit_t *circ, const char *request,
rend_mid_establish_rendezvous(or_circuit_t *circ, const uint8_t *request,
size_t request_len)
{
char hexid[9];
@ -232,7 +232,7 @@ rend_mid_establish_rendezvous(or_circuit_t *circ, const char *request,
goto err;
}
if (circuit_get_rendezvous(request)) {
if (circuit_get_rendezvous((char*)request)) {
log_warn(LD_PROTOCOL,
"Duplicate rendezvous cookie in ESTABLISH_RENDEZVOUS.");
goto err;
@ -250,7 +250,7 @@ rend_mid_establish_rendezvous(or_circuit_t *circ, const char *request,
circ->_base.purpose = CIRCUIT_PURPOSE_REND_POINT_WAITING;
memcpy(circ->rend_token, request, REND_COOKIE_LEN);
base16_encode(hexid,9,request,4);
base16_encode(hexid,9,(char*)request,4);
log_info(LD_REND,
"Established rendezvous point on circuit %d for cookie %s",
@ -267,13 +267,13 @@ rend_mid_establish_rendezvous(or_circuit_t *circ, const char *request,
* connecting the two circuits.
*/
int
rend_mid_rendezvous(or_circuit_t *circ, const char *request,
rend_mid_rendezvous(or_circuit_t *circ, const uint8_t *request,
size_t request_len)
{
or_circuit_t *rend_circ;
char hexid[9];
int reason = END_CIRC_REASON_INTERNAL;
base16_encode(hexid,9,request,request_len<4?request_len:4);
base16_encode(hexid,9,(char*)request,request_len<4?request_len:4);
if (request_len>=4) {
log_info(LD_REND,
@ -297,7 +297,7 @@ rend_mid_rendezvous(or_circuit_t *circ, const char *request,
goto err;
}
rend_circ = circuit_get_rendezvous(request);
rend_circ = circuit_get_rendezvous((char*)request);
if (!rend_circ) {
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
"Rejecting RENDEZVOUS1 cell with unrecognized rendezvous cookie %s.",
@ -309,7 +309,7 @@ rend_mid_rendezvous(or_circuit_t *circ, const char *request,
/* Send the RENDEZVOUS2 cell to Alice. */
if (relay_send_command_from_edge(0, TO_CIRCUIT(rend_circ),
RELAY_COMMAND_RENDEZVOUS2,
request+REND_COOKIE_LEN,
(char*)(request+REND_COOKIE_LEN),
request_len-REND_COOKIE_LEN, NULL)) {
log_warn(LD_GENERAL,
"Unable to send RENDEZVOUS2 cell to client on circuit %d.",

8
src/or/rendmid.h
View File

@ -12,13 +12,13 @@
#ifndef _TOR_RENDMID_H
#define _TOR_RENDMID_H
int rend_mid_establish_intro(or_circuit_t *circ, const char *request,
int rend_mid_establish_intro(or_circuit_t *circ, const uint8_t *request,
size_t request_len);
int rend_mid_introduce(or_circuit_t *circ, const char *request,
int rend_mid_introduce(or_circuit_t *circ, const uint8_t *request,
size_t request_len);
int rend_mid_establish_rendezvous(or_circuit_t *circ, const char *request,
int rend_mid_establish_rendezvous(or_circuit_t *circ, const uint8_t *request,
size_t request_len);
int rend_mid_rendezvous(or_circuit_t *circ, const char *request,
int rend_mid_rendezvous(or_circuit_t *circ, const uint8_t *request,
size_t request_len);
#endif

9
src/or/rendservice.c
View File

@ -849,7 +849,7 @@ clean_accepted_intros(rend_service_t *service, time_t now)
* rendezvous point.
*/
int
rend_service_introduce(origin_circuit_t *circuit, const char *request,
rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request,
size_t request_len)
{
char *ptr, *r_cookie;
@ -913,7 +913,7 @@ rend_service_introduce(origin_circuit_t *circuit, const char *request,
crypto_pk_get_digest(intro_key, intro_key_digest);
if (memcmp(intro_key_digest, request, DIGEST_LEN)) {
base32_encode(serviceid, REND_SERVICE_ID_LEN_BASE32+1,
request, REND_SERVICE_ID_LEN);
(char*)request, REND_SERVICE_ID_LEN);
log_warn(LD_REND, "Got an INTRODUCE2 cell for the wrong service (%s).",
escaped(serviceid));
return -1;
@ -928,7 +928,7 @@ rend_service_introduce(origin_circuit_t *circuit, const char *request,
/* Next N bytes is encrypted with service key */
note_crypto_pk_op(REND_SERVER);
r = crypto_pk_private_hybrid_decrypt(
intro_key,buf,request+DIGEST_LEN,request_len-DIGEST_LEN,
intro_key,buf,(char*)(request+DIGEST_LEN),request_len-DIGEST_LEN,
PK_PKCS1_OAEP_PADDING,1);
if (r<0) {
log_warn(LD_PROTOCOL, "Couldn't decrypt INTRODUCE2 cell.");
@ -1392,7 +1392,8 @@ rend_service_intro_has_opened(origin_circuit_t *circuit)
* live introduction point, and note that the service descriptor is
* now out-of-date.*/
int
rend_service_intro_established(origin_circuit_t *circuit, const char *request,
rend_service_intro_established(origin_circuit_t *circuit,
const uint8_t *request,
size_t request_len)
{
rend_service_t *service;

4
src/or/rendservice.h
View File

@ -22,10 +22,10 @@ void rend_consider_descriptor_republication(void);
void rend_service_intro_has_opened(origin_circuit_t *circuit);
int rend_service_intro_established(origin_circuit_t *circuit,
const char *request,
const uint8_t *request,
size_t request_len);
void rend_service_rendezvous_has_opened(origin_circuit_t *circuit);
int rend_service_introduce(origin_circuit_t *circuit, const char *request,
int rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request,
size_t request_len);
void rend_service_relaunch_rendezvous(origin_circuit_t *oldcirc);
int rend_service_set_connection_addr_port(edge_connection_t *conn,