Commit Graph

100 Commits

Author SHA1 Message Date
Nick Mathewson
7620c613e8 Have tinytest tolerate systems where char has > 8 bytes
CID 1064418
2015-02-17 08:40:55 -05:00
Nick Mathewson
f6afb04abb Use HT_BUCKET_NUM_ in more places
(patch from sysrqb)
2015-01-29 15:10:23 -05:00
Nick Mathewson
5faa017b86 Merge remote-tracking branch 'public/ticket11737' 2015-01-29 15:09:55 -05:00
Nick Mathewson
f54e54b0b4 Bump copyright dates to 2015, in case someday this matters. 2015-01-02 14:27:39 -05:00
Nick Mathewson
a3dafd3f58 Replace operators used as macro arguments with OP_XX macros
Part of fix for 13172
2014-11-12 13:28:07 -05:00
Nick Mathewson
6344345140 Add correctness assertions for hashtable iteration
This is meant to prevent memory corruption bugs from doing
unspeakable infinite-loop-like things to the hashtables.  Addresses
ticket 11737.  We should disable these if they turn out to be
expensive.
2014-11-06 13:57:17 -05:00
Nick Mathewson
e20fc286c0 Re-run latest git trunnel to get fix from teor for #13577 2014-10-31 08:56:14 -04:00
teor
13298d90a9 Silence spurious clang warnings
Silence clang warnings under --enable-expensive-hardening, including:
  + implicit truncation of 64 bit values to 32 bit;
  + const char assignment to self;
  + tautological compare; and
  + additional parentheses around equality tests. (gcc uses these to
    silence assignment, so clang warns when they're present in an
    equality test. But we need to use extra parentheses in macros to
    isolate them from other code).
2014-10-30 22:34:46 +11:00
Nick Mathewson
fcdcb377a4 Add another year to our copyright dates.
Because in 95 years, we or our successors will surely care about
enforcing the BSD license terms on this code.  Right?
2014-10-28 15:30:16 -04:00
Nick Mathewson
a0be2f1350 Automake syntax error :/ 2014-09-29 10:10:37 -04:00
Nick Mathewson
9455f45ae3 Add missing ed25519_ref10 headers to NOINST_HEADERS. 2014-09-29 10:10:08 -04:00
teor
b7eab94a90 Stop ed25519 8-bit signed left shift overflowing
Standardise usage in ge_scalarmult_base.c for 1 new fix.
2014-09-28 20:44:00 -04:00
Nick Mathewson
6129ff320e Use SHL{8,32,64} in ed25519/ref10 to avoid left-shifting negative values
This helps us avoid undefined behavior. It's based on a patch from teor,
except that I wrote a perl script to regenerate the patch:

  #!/usr/bin/perl -p -w -i

  BEGIN { %vartypes = (); }

  if (/^[{}]/) {
      %vartypes = ();
  }

  if (/^ *crypto_int(\d+) +([a-zA-Z_][_a-zA-Z0-9]*)/) {
      $vartypes{$2} = $1;
  } elsif (/^ *(?:signed +)char +([a-zA-Z_][_a-zA-Z0-9]*)/) {
      $vartypes{$1} = '8';
  }

  # This fixes at most one shift per line. But that's all the code does.
  if (/([a-zA-Z_][a-zA-Z_0-9]*) *<< *(\d+)/) {
      $v = $1;
      if (exists $vartypes{$v}) {
  	s/$v *<< *(\d+)/SHL$vartypes{$v}($v,$1)/;
      }
  }

  # remove extra parenthesis
  s/\(SHL64\((.*)\)\)/SHL64\($1\)/;
  s/\(SHL32\((.*)\)\)/SHL32\($1\)/;
  s/\(SHL8\((.*)\)\)/SHL8\($1\)/;
2014-09-28 20:41:05 -04:00
teor
6b155dc1a6 Stop signed left shifts overflowing in ed25519: Macros
The macros let us use unsigned types for potentially overflowing left
shifts. Create SHL32() and SHL64() and SHL8() macros for convenience.
2014-09-28 20:38:12 -04:00
Nick Mathewson
27bd1ef100 Comment-out dead code in ed25519/ref10
There are some loops of the form

       for (i=1;i<1;++i) ...

And of course, if the loop index is initialized to 1, it will never
be less than 1, and the loop body will never be executed.  This
upsets coverity.

Patch fixes CID 1221543 and 1221542
2014-09-26 09:07:44 -04:00
Nick Mathewson
9190468246 Fix warnings on 32-bit builds.
When size_t is the most memory you can have, make sure that things
referring to real parts of memory are size_t, not uint64_t or off_t.

But not on any released Tor.
2014-09-25 17:50:13 -04:00
Nick Mathewson
1c5d680b3d Merge branch 'ed25519_ref10_squashed'
Conflicts:
	src/common/include.am
	src/ext/README
2014-09-25 15:11:34 -04:00
Nick Mathewson
46cda485bc Comments and tweaks based on review by asn
Add some documentation

Rename "derive" -> "blind"

Check for failure on randombytes().
2014-09-25 15:08:32 -04:00
Nick Mathewson
f0eb7ae79f More documentation for ed25519 stuff. 2014-09-25 15:08:31 -04:00
Nick Mathewson
1d3b33e1ed Fix linux compilation of ed25519_ref10
Our integer-definition headers apparently suck in a definition for
select(2), which interferes with the select() in ge_scalarmult_base.c
2014-09-25 15:08:31 -04:00
Nick Mathewson
25b1a32ef8 Draft implementation for ed25519 key blinding, as in prop224
This implementation allows somebody to add a blinding factor to a
secret key, and a corresponding blinding factor to the public key.

Robert Ransom came up with this idea, I believe.  Nick Hopper proved a
scheme like this secure.  The bugs are my own.
2014-09-25 15:08:31 -04:00
Nick Mathewson
4caa6fad4c Add curve25519->ed25519 key conversion per proposal 228
For proposal 228, we need to cross-certify our identity with our
curve25519 key, so that we can prove at descriptor-generation time
that we own that key.  But how can we sign something with a key that
is only for doing Diffie-Hellman?  By converting it to the
corresponding ed25519 point.

See the ALL-CAPS warning in the documentation.  According to djb
(IIUC), it is safe to use these keys in the ways that ntor and prop228
are using them, but it might not be safe if we start providing crazy
oracle access.

(Unit tests included.  What kind of a monster do you take me for?)
2014-09-25 15:08:31 -04:00
Nick Mathewson
006e6d3b6f Another ed25519 tweak: store secret keys in expanded format
This will be needed/helpful for the key blinding of prop224, I
believe.
2014-09-25 15:08:31 -04:00
Nick Mathewson
9e43ee5b4c Fix API for ed25519_ref10_open()
This is another case where DJB likes sticking the whole signature
prepended to the message, and I don't think that's the hottest idea.

The unit tests still pass.
2014-09-25 15:08:31 -04:00
Nick Mathewson
e0097a8839 Tweak ed25519 ref10 signing interface to use less space.
Unit tests still pass.
2014-09-25 15:08:31 -04:00
Nick Mathewson
e5a1cf9937 Tweak ref10 keygen APIs to be more sane. 2014-09-25 15:08:30 -04:00
Nick Mathewson
87ba033cd5 Add Ed25519 support, wrappers, and tests.
Taken from earlier ed25519 branch based on floodyberry's
ed25519-donna.  Tweaked so that it applies to ref10 instead.
2014-09-25 15:08:20 -04:00
Nick Mathewson
50d15e06b3 Use --require-version to prevent running trunnel pre-1.2
(Also, regenerate trunnel stuff with trunnel 1.2.  This just adds a
few comments to our output.)
2014-09-25 14:49:00 -04:00
Nick Mathewson
36700ee99e Mention trunnel in LICENSE and src/ext/README 2014-09-25 12:03:46 -04:00
Nick Mathewson
764e008092 Merge branch 'libscrypt_trunnel_squashed'
Conflicts:
	src/test/test_crypto.c
2014-09-25 12:03:41 -04:00
Nick Mathewson
3b7d0ed08e Use trunnel for crypto_pwbox encoding/decoding.
This reduces the likelihood that I have made any exploitable errors
in the encoding/decoding.

This commit also imports the trunnel runtime source into Tor.
2014-09-25 11:58:14 -04:00
Nick Mathewson
40b7dfaed2 Remove now-pointless SIZE_MAX stanza from OpenBSD_malloc_linux 2014-09-09 12:09:18 -04:00
Nick Mathewson
1eea7a68ed Use S?SIZE_MAX, not S?SIZE_T_MAX
This fixes bug 13102 (not on any released Tor) where using the
standard SSIZE_MAX name broke mingw64, and we didn't realize.

I did this with
   perl -i -pe 's/SIZE_T_MAX/SIZE_MAX/' src/*/*.[ch] src/*/*/*.[ch]
2014-09-09 12:08:03 -04:00
Nick Mathewson
2997908228 Merge remote-tracking branch 'origin/maint-0.2.5' 2014-09-09 10:27:41 -04:00
Nick Mathewson
8391c96091 Clean up the MVSC nmake files so they work again.
Fixes bug 13081; bugfix on 0.2.5.1-alpha. Patch from "NewEraCracker."
2014-09-09 10:27:05 -04:00
Nick Mathewson
00ffccd9a6 Another clang analyzer complaint wrt HT_GENERATE
We're calling mallocfn() and reallocfn() in the HT_GENERATE macro
with the result of a product.  But that makes any sane analyzer
worry about overflow.

This patch keeps HT_GENERATE having its old semantics, since we
aren't the only project using ht.h.  Instead, define a HT_GENERATE2
that takes a reallocarrayfn.
2014-09-02 12:48:34 -04:00
Nick Mathewson
b2acd3580c ed25519_ref10: use uint64_t and int64_t, not long long 2014-08-26 10:58:26 -04:00
Nick Mathewson
8b36bb9299 Add headers as needed to make ed25519_ref10 compile. 2014-08-26 10:56:22 -04:00
Nick Mathewson
8594e97c03 Add some explicit casts as needed to make ed25519_ref10 compile
Apparently, ref10 likes implicit conversions from int64 to int32 more
than our warnings do.
2014-08-26 10:14:18 -04:00
Nick Mathewson
4847136d2c Integrate ed25519_ref10 into our build system. 2014-08-26 10:11:56 -04:00
Nick Mathewson
b40ac6808f Add the ed25519 ref10 code verbatim from supercop-20140622
We might use libsodium or ed25519-donna later on, but for now, let's
see whether this is fast enough.  We should use it in all cases when
performance doesn't matter.
2014-08-26 10:08:44 -04:00
Nick Mathewson
5c200d9be2 Merge remote-tracking branch 'origin/maint-0.2.4' into maint-0.2.5 2014-07-23 21:28:42 -04:00
Nick Mathewson
391861311c Small tweaks to make curve25519-donna32 compile with our warnings 2014-07-15 15:43:40 +02:00
Nick Mathewson
8cc0860592 Update to latest curve25519-donna32 2014-07-15 15:42:20 +02:00
Nick Mathewson
9b10d7a7dd Add ATTR_UNUSED to HT_FIND
The fix for bug 8746 added a hashtable instance that never actually
invoked HT_FIND.  This caused a warning, since we didn't mark HT_FIND
as okay-not-to-use.
2014-06-14 11:46:54 -04:00
Nick Mathewson
5bb6172367 Fix numerous type errors in the unit tests
Remove tinytest casts that were suppressing them.

Fix for #11825.
2014-05-08 13:08:13 -04:00
Nick Mathewson
a1cdc619bb Mention siphash in src/ext/README 2014-05-07 01:03:14 -04:00
Nick Mathewson
78301d99fe Fix compilation with DEBUG_DNS_CACHE
Reported by cypherpunks.

Fix for #11761; bugfix on 0.2.3.13-alpha where we made ht.h stop using
_identifiers.
2014-05-06 10:18:34 -04:00
Nick Mathewson
9c9e07963d scan-build: truncate tinytest hexified outputs to 1024 bytes.
scan-build didn't like the unlimited version since we might need to
overflow size_t to hexify a string that took up half our address
space. (!)
2014-04-19 12:47:51 -04:00
Nick Mathewson
4d51dcda2f scan-build: limit hashtable size so it always fits in SSIZE_MAX
scan-build recognizes that in theory there could be a numeric overflow
here.

This can't numeric overflow can't trigger IRL, since in order to fill a
hash table with more than P=402653189 buckets with a reasonable load
factor of 0.5, we'd first have P/2 malloced objects to put in it--- and
each of those would have to take take at least sizeof(void*) worth of
malloc overhead plus sizeof(void*) content, which would run you out of
address space anyway on a 32-bit system.
2014-04-19 12:39:14 -04:00