Commit Graph

51 Commits

Author SHA1 Message Date
Nick Mathewson
fb0019daf9 Update copyrights to 2018. 2018-06-20 08:13:28 -04:00
Isis Lovecruft
809f6fae84
refactor: Remove unnecessary #include "crypto.h" throughout codebase.
* FIXES part of #24658: https://bugs.torproject.org/24658
2018-04-06 22:49:18 +00:00
Isis Lovecruft
88190026b3
crypto: Alphabetise some #includes in /src/common/crypto*.
* FIXES part of #24658: https://bugs.torproject.org/24658
2018-04-06 22:49:15 +00:00
Isis Lovecruft
fe3aca1491
crypto: Refactor (P)RNG functionality into new crypto_rand module.
* ADD new /src/common/crypto_rand.[ch] module.
 * ADD new /src/common/crypto_util.[ch] module (contains the memwipe()
   function, since all crypto_* modules need this).
 * FIXES part of #24658: https://bugs.torproject.org/24658
2018-04-06 21:45:28 +00:00
Nick Mathewson
0eed0899cd Merge branch 'bug24658-rm-curve25519-header' into bug24658-merge 2018-03-26 20:12:59 -04:00
Nick Mathewson
86498e5aa5 Fix wide lines from typo-fix patch. 2018-02-07 10:46:05 -05:00
Deepesh Pathak
ca6682f3f8 Fix spelling mistakes corresponding to ticket #23650 2018-02-07 10:41:57 -05:00
Fernando Fernandez Mancera
61c7ec29f1 Include crypto_digest.h in order to solve dependency issues.
Included crypto_digest.h in some files in order to solve xof+digest module
dependency issues. Removed crypto.h where it isn't needed anymore.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-03 17:04:36 +01:00
Nick Mathewson
2f086888b1 Make all the crypto free() functions macros that clear their targets 2017-11-17 12:01:30 -05:00
Nick Mathewson
a64d79ca4c Move around some LCOV_EXCLs in src/common
Apparently, my compiler now generates coverage markers for
label-only lines, so we need to exclude those too if they are meant
to be unreachable.
2017-09-28 09:25:17 -04:00
Nick Mathewson
c1deabd3b0 Run our #else/#endif annotator on our source code. 2017-09-15 16:24:44 -04:00
Nick Mathewson
649104fdb9 Remove a needless memwipe.
The interior of ctx here is already wiped by
crypto_digest_free(). This memwipe call only wiped the pointer
itself, which isn't sensitive.
2017-08-08 19:58:19 -04:00
George Kadianakis
0d9873ac0d ed25519: Check retval of unpack_negative_vartime in donna. 2017-06-28 14:58:22 +03:00
Nick Mathewson
3f94041589 no newlines in log messages. 2017-06-27 18:21:35 -04:00
George Kadianakis
559658ff1c ed25519: Add func that checks for torsion component in pubkeys.
See https://lists.torproject.org/pipermail/tor-dev/2017-April/012213.html .
2017-06-27 17:17:58 -04:00
Nick Mathewson
3fc4f81de3 Make crypto_ed25519.c no longer depend on openssl
Now it calls through our own crypto API.
2017-03-31 10:04:44 -04:00
Nick Mathewson
7505f452c8 Run the copyright update script. 2017-03-15 16:13:17 -04:00
Nick Mathewson
e2aeaeb76c Make a bunch of signature/digest-checking functions mockable 2017-01-30 08:37:22 -05:00
Nick Mathewson
c838d34921 Merge branch 'dgoulet_ticket19043_030_03_squashed' 2016-12-14 15:28:28 -05:00
George Kadianakis
297213825b prop224: Add unittests handling v3 ESTABLISH_INTRO cells.
Test for both v2 and v3 ESTABLISH_INTRO handling.
2016-12-14 15:18:40 -05:00
Nick Mathewson
937aef48ee Add an ed25519_copy; use it in a couple of places dgoulet suggested. 2016-12-08 16:48:01 -05:00
Nick Mathewson
431565e053 Helper function to see if an ed25519 pk is set. 2016-11-10 09:43:27 -05:00
Nick Mathewson
aae034d13e Write a bunch of module documentation.
This commit adds or improves the module-level documenation for:

  buffers.c circuitstats.c command.c connection_edge.c control.c
  cpuworker.c crypto_curve25519.c crypto_curve25519.h
  crypto_ed25519.c crypto_format.c dircollate.c dirserv.c dns.c
  dns_structs.h fp_pair.c geoip.c hibernate.c keypin.c ntmain.c
  onion.c onion_fast.c onion_ntor.c onion_tap.c periodic.c
  protover.c protover.h reasons.c rephist.c replaycache.c
  routerlist.c routerparse.c routerset.c statefile.c status.c
  tor_main.c workqueue.c

In particular, I've tried to explain (for each documented module)
what each module does, what's in it, what the big idea is, why it
belongs in Tor, and who calls it.  In a few cases, I've added TODO
notes about refactoring opportunities.

I've also renamed an argument, and fixed a few DOCDOC comments.
2016-10-17 10:16:59 -04:00
George Kadianakis
b8bfdf638e Introduce ed25519_{sign,checksig}_prefixed functions(). 2016-08-23 14:53:01 +03:00
Nick Mathewson
0ef36626ea Use calloc, not malloc(a*b), in ed25519 batch signature check fn
[Not a triggerable bug unless somebody is going to go checking
millions+ of signatures in a single go.]
2016-05-25 08:59:08 -04:00
Nick Mathewson
ec81329339 Do not leak the 'tag' when trying to read a truncated ed25519 key file
Fix for bug 18956.
2016-05-16 08:25:59 -04:00
Nick Mathewson
5b91e70a4f Mark unreachable lines in crypto_ed25519.c 2016-05-16 08:25:59 -04:00
Nick Mathewson
dd572dac34 Fix all doxygen warnings (other than missing docs) 2016-03-26 09:53:12 -04:00
Nick Mathewson
57699de005 Update the copyright year. 2016-02-27 18:48:19 +01:00
Nick Mathewson
23f8c9b32f Add a brief file-level description for everything in src/common 2016-02-27 18:19:57 +01:00
Nick Mathewson
b18f533cf0 Always test both ed25519 backends.
Part of #16794
2015-12-23 09:16:26 -05:00
Nick Mathewson
2259de0de7 Always hash crypto_strongest_rand() along with some prng
(before using it for anything besides feeding the PRNG)

Part of #17694
2015-12-08 10:54:42 -05:00
Nick Mathewson
542cc8a5ff Fix a memory leak; bug 17398. 2015-10-21 08:17:07 -04:00
Yawning Angel
78fad380cd Use ed25519-donna's batch verification support when applicable.
The code was always in our Ed25519 wrappers, so enable it when using
the ed25519-donna backend, and deal with the mocking related
crypto_rand silliness.

Implements feature 16533.
2015-08-12 16:01:28 +00:00
Nick Mathewson
347fe449fe Move formatting functions around.
The base64 and base32 functions used to be in crypto.c;
crypto_format.h had no header; some general-purpose functions were in
crypto_curve25519.c.

This patch makes a {crypto,util}_format.[ch], and puts more functions
there.  Small modules are beautiful!
2015-07-31 11:21:34 -04:00
Nick Mathewson
3c28d95ca7 Add more EINVAL errno setting on key read failures
Teor found these.  This is for part of #16582.
2015-07-15 10:35:29 -04:00
Yawning Angel
840e68d917 Integrate and enable ed25519-donna.
The runtime sanity checking is slightly different from the optimized
basepoint stuff in that it uses a given implementation's self tests if
available, and checks if signing/verification works with a test vector
from the IETF EdDSA draft.

The unit tests include a new testcase that will fuzz donna against ref0,
including the blinding and curve25519 key conversion routines.  If this
is something that should be done at runtime (No?), the code can be
stolen from there.

Note: Integrating batch verification is not done yet.
2015-07-06 10:11:10 +00:00
Nick Mathewson
fe5d2477aa Implement ed25519-signed descriptors
Now that we have ed25519 keys, we can sign descriptors with them
and check those signatures as documented in proposal 220.
2015-05-28 10:40:56 -04:00
Nick Mathewson
818e6f939d prop220: Implement certificates and key storage/creation
For prop220, we have a new ed25519 certificate type. This patch
implements the code to create, parse, and validate those, along with
code for routers to maintain their own sets of certificates and
keys.  (Some parts of master identity key encryption are done, but
the implementation of that isn't finished)
2015-05-28 10:40:56 -04:00
Nick Mathewson
f54e54b0b4 Bump copyright dates to 2015, in case someday this matters. 2015-01-02 14:27:39 -05:00
Nick Mathewson
fcdcb377a4 Add another year to our copyright dates.
Because in 95 years, we or our successors will surely care about
enforcing the BSD license terms on this code.  Right?
2014-10-28 15:30:16 -04:00
Nick Mathewson
46cda485bc Comments and tweaks based on review by asn
Add some documentation

Rename "derive" -> "blind"

Check for failure on randombytes().
2014-09-25 15:08:32 -04:00
Nick Mathewson
f0eb7ae79f More documentation for ed25519 stuff. 2014-09-25 15:08:31 -04:00
Nick Mathewson
25b1a32ef8 Draft implementation for ed25519 key blinding, as in prop224
This implementation allows somebody to add a blinding factor to a
secret key, and a corresponding blinding factor to the public key.

Robert Ransom came up with this idea, I believe.  Nick Hopper proved a
scheme like this secure.  The bugs are my own.
2014-09-25 15:08:31 -04:00
Nick Mathewson
4caa6fad4c Add curve25519->ed25519 key conversion per proposal 228
For proposal 228, we need to cross-certify our identity with our
curve25519 key, so that we can prove at descriptor-generation time
that we own that key.  But how can we sign something with a key that
is only for doing Diffie-Hellman?  By converting it to the
corresponding ed25519 point.

See the ALL-CAPS warning in the documentation.  According to djb
(IIUC), it is safe to use these keys in the ways that ntor and prop228
are using them, but it might not be safe if we start providing crazy
oracle access.

(Unit tests included.  What kind of a monster do you take me for?)
2014-09-25 15:08:31 -04:00
Nick Mathewson
ed48b0fe56 Support for writing ed25519 public/private components to disk.
This refactors the "== type:tag ==" code from crypto_curve25519.c
2014-09-25 15:08:31 -04:00
Nick Mathewson
22760c4899 Restore the operation of extra_strong in ed25519_secret_key_generate 2014-09-25 15:08:31 -04:00
Nick Mathewson
006e6d3b6f Another ed25519 tweak: store secret keys in expanded format
This will be needed/helpful for the key blinding of prop224, I
believe.
2014-09-25 15:08:31 -04:00
Nick Mathewson
9e43ee5b4c Fix API for ed25519_ref10_open()
This is another case where DJB likes sticking the whole signature
prepended to the message, and I don't think that's the hottest idea.

The unit tests still pass.
2014-09-25 15:08:31 -04:00
Nick Mathewson
e0097a8839 Tweak ed25519 ref10 signing interface to use less space.
Unit tests still pass.
2014-09-25 15:08:31 -04:00