Commit Graph

634 Commits

Author SHA1 Message Date
Nick Mathewson
227d3b3d6b Use ENABLE/DISABLE_GCC_WARNING in masater. 2016-06-14 20:21:02 -04:00
Nick Mathewson
8486dea8d7 Merge branch 'maint-0.2.8' 2016-06-14 20:16:46 -04:00
Nick Mathewson
d6b01211b9 Resolve the remaining openssl "-Wredundant-decls" warnings.
Another part of 19406
2016-06-14 20:14:53 -04:00
Nick Mathewson
df4fa92a88 Merge branch 'maint-0.2.8' 2016-06-14 12:17:24 -04:00
Yawning Angel
b563a3a09d Bug 19406: OpenSSL made RSA and DH opaque in 1.1.0.
There's accessors to get at things, but it ends up being rather
cumbersome.  The only place where behavior should change is that the
code will fail instead of attempting to generate a new DH key if our
internal sanity check fails.

Like the previous commit, this probably breaks snapshots prior to pre5.
2016-06-14 12:13:09 -04:00
Yawning Angel
86f0b80681 Bug 19406: OpenSSL changed the Thread API in 1.1.0 again.
Instead of `ERR_remove_thread_state()` having a modified prototype, it
now has the old prototype and a deprecation annotation.  Since it's
pointless to add extra complexity just to remain compatible with an old
OpenSSL development snapshot, update the code to work with 1.1.0pre5
and later.
2016-06-14 12:13:09 -04:00
Nick Mathewson
a3ec811c2e Merge branch 'maint-0.2.8' 2016-05-25 09:27:47 -04:00
Nick Mathewson
fdfc528f85 Merge branch 'bug19152_024_v2' into maint-0.2.8 2016-05-25 09:26:45 -04:00
Nick Mathewson
c4c4380a5e Fix a dangling pointer issue in our RSA keygen code
If OpenSSL fails to generate an RSA key, do not retain a dangling
pointer to the previous (uninitialized) key value. The impact here
should be limited to a difficult-to-trigger crash, if OpenSSL is
running an engine that makes key generation failures possible, or if
OpenSSL runs out of memory. Fixes bug 19152; bugfix on
0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and Baishakhi
Ray.

This is potentially scary stuff, so let me walk through my analysis.
I think this is a bug, and a backport candidate, but not remotely
triggerable in any useful way.

Observation 1a:

Looking over the OpenSSL code here, the only way we can really fail in
the non-engine case is if malloc() fails.  But if malloc() is failing,
then tor_malloc() calls should be tor_asserting -- the only way that an
attacker could do an exploit here would be to figure out some way to
make malloc() fail when openssl does it, but work whenever Tor does it.

(Also ordinary malloc() doesn't fail on platforms like Linux that
overcommit.)

Observation 1b:

Although engines are _allowed_ to fail in extra ways, I can't find much
evidence online  that they actually _do_ fail in practice. More evidence
would be nice, though.

Observation 2:

We don't call crypto_pk_generate*() all that often, and we don't do it
in response to external inputs. The only way to get it to happen
remotely would be by causing a hidden service to build new introduction
points.

Observation 3a:

So, let's assume that both of the above observations are wrong, and the
attacker can make us generate a crypto_pk_env_t with a dangling pointer
in its 'key' field, and not immediately crash.

This dangling pointer will point to what used to be an RSA structure,
with the fields all set to NULL.  Actually using this RSA structure,
before the memory is reused for anything else, will cause a crash.

In nearly every function where we call crypto_pk_generate*(), we quickly
use the RSA key pointer -- either to sign something, or to encode the
key, or to free the key.  The only exception is when we generate an
intro key in rend_consider_services_intro_points().  In that case, we
don't actually use the key until the intro circuit is opened -- at which
point we encode it, and use it to sign an introduction request.

So in order to exploit this bug to do anything besides crash Tor, the
attacker needs to make sure that by the time the introduction circuit
completes, either:
  * the e, d, and n BNs look valid, and at least one of the other BNs is
    still NULL.
OR
  * all 8 of the BNs must look valid.

To look like a valid BN, *they* all need to have their 'top' index plus
their 'd' pointer indicate an addressable region in memory.

So actually getting useful data of of this, rather than a crash, is
going to be pretty damn hard.  You'd have to force an introduction point
to be created (or wait for one to be created), and force that particular
crypto_pk_generate*() to fail, and then arrange for the memory that the
RSA points to to in turn point to 3...8 valid BNs, all by the time the
introduction circuit completes.

Naturally, the signature won't check as valid [*], so the intro point
will reject the ESTABLISH_INTRO cell.  So you need to _be_ the
introduction point, or you don't actually see this information.

[*] Okay, so if you could somehow make the 'rsa' pointer point to a
different valid RSA key, then you'd get a valid signature of an
ESTABLISH_INTRO cell using a key that was supposed to be used for
something else ... but nothing else looks like that, so you can't use
that signature elsewhere.

Observation 3b:

Your best bet as an attacker would be to make the dangling RSA pointer
actually contain a fake method, with a fake RSA_private_encrypt
function that actually pointed to code you wanted to execute.  You'd
still need to transit 3 or 4 pointers deep though in order to make that
work.

Conclusion:

By 1, you probably can't trigger this without Tor crashing from OOM.

By 2, you probably can't trigger this reliably.

By 3, even if I'm wrong about 1 and 2, you have to jump through a pretty
big array of hoops in order to get any kind of data leak or code
execution.

So I'm calling it a bug, but not a security hole. Still worth
patching.
2016-05-25 09:23:57 -04:00
Nick Mathewson
b53a2059c4 Expose crypto_digest_algorithm_get_length from crypto.c
Also, use it in routerparse.c
2016-05-23 10:58:27 -04:00
Nick Mathewson
62c5a1fa45 Mark even more crypto lines (the fragile_assert ones) as unreachable 2016-05-16 08:26:00 -04:00
Nick Mathewson
b688945dfb Refactor digest allocation backend code
I'm doing this to simplify crypto_digest_smartlist_prefix, and make
it better covered by our tests.
2016-05-16 08:26:00 -04:00
Nick Mathewson
365d0fcc6d Cover all our DH code, and/or mark it unreachable. 2016-05-16 08:26:00 -04:00
Nick Mathewson
98a590577a Treat absent argument to crypto_log_errors as a bug. 2016-05-16 08:26:00 -04:00
Nick Mathewson
d88656ec06 Slight improvements to DH coverage. 2016-05-16 08:25:59 -04:00
Nick Mathewson
c395334879 Mark some unreachable lines in crypto.c 2016-05-16 08:25:59 -04:00
Nick Mathewson
7a5f15b6e0 Improve test coverage of our strongest-rng code. 2016-05-16 08:25:59 -04:00
Nick Mathewson
bff53aabce Remove redundant declarations of MIN
Apparently somewhere along the line we decided that MIN might be
missing.

But we already defined it (if it was missing) in compat.h, which
everybody includes.

Closes ticket 18889.
2016-04-25 15:28:58 -04:00
Nick Mathewson
0630f1982d Add LCOV_EXCL* markers to crypto.c and crypto_s2k.c
This marks some lines as unreachable by the unit tests, and as
therefore excluded from test coverage.

(Note: This convention is only for lines that are absolutely
unreachable.  Don't use it anywhere you wouldn't add a
tor_fragile_assert().)
2016-04-12 21:13:33 -04:00
Nick Mathewson
967491f156 Only define NEW_THREAD_API when not building with LibreSSL. 2016-04-05 10:38:15 -04:00
Yawning Angel
6729d7328c OpenSSL 1.1.0-pre4 and later(?) have a new "thread API".
It appears that setting the various callbacks is no longer required, so
don't.
2016-04-05 10:03:24 -04:00
Nick Mathewson
9fc472e1a8 clean/extend some module docs, including fix from #18403 2016-02-28 17:57:47 +01:00
Nick Mathewson
57699de005 Update the copyright year. 2016-02-27 18:48:19 +01:00
Nick Mathewson
882e0fbd76 Merge branch 'bug17795' 2016-02-23 07:25:12 -05:00
Nick Mathewson
e202f3a1ca Fix an erroneous renaming
Did you know that crypto_digest_all is a substring of
crypto_digest_alloc_bytes()?  Hence the mysterious emergence of
"crypto_common_digestsoc_bytes".

Next time I should use the \b assertion in my regexen.

Spotted by Mike.
2016-02-23 07:22:53 -05:00
Nick Mathewson
9746aed2ba Another automated rename.
Also simplify crypto_common_digests() to have no loop.
2016-02-10 15:32:12 -05:00
Nick Mathewson
8a4bba06d2 Rename crypto_digest_all, and digests_t.
They are no longer "all" digests, but only the "common" digests.

Part of 17795.

This is an automated patch I made with a couple of perl one-liners:

  perl -i -pe 's/crypto_digest_all/crypto_common_digests/g;' src/*/*.[ch]
  perl -i -pe 's/\bdigests_t\b/common_digests_t/g;' src/*/*.[ch]
2016-02-10 15:28:19 -05:00
Nick Mathewson
0f5f6b8a41 Merge remote-tracking branch 'yawning/bug18221' 2016-02-06 15:30:22 -05:00
Nick Mathewson
31a27729b9 Fix spaces. 2016-02-06 14:00:24 -05:00
Nick Mathewson
03371e3d3c Merge branch 'cleaned_aes_crypt' 2016-02-06 13:54:09 -05:00
Malek
a9cd291753 Removed aes_crypt, left only aes_crypt_inplace. Removed should_use_openssl_CTR, was used for openssl 1.0.0 bug. 2016-02-06 13:38:11 -05:00
Hassan Alsibyani
edd93f9de8 changing output of crypto_cipher_crypt_inplace from int to void 2016-02-06 12:14:39 -05:00
Nick Mathewson
27582325dc Make Tor build happily with OpenSSL master and libressl.
Also tested with 1.0.0t and 1.0.2f.

Closes ticket 19784.

Closes most of 17921. (Still need to make some tests pass.)
2016-02-03 11:13:12 -05:00
Yawning Angel
c625ab9f5a Validate the DH parameters for correctness.
We use sensible parameters taken from common sources, and no longer
have dynamic DH groups as an option, but it feels prudent to have
OpenSSL validate p and g at initialization time.
2016-02-02 22:03:48 +00:00
Nick Mathewson
39b597c2fd Restrict the meaning of digests_t to sha1+sha256.
This saves CPU and RAM when handling consensuses and x509 certs.

Closes ticket 17795; bug not in any released tor.
2016-01-27 13:10:17 -05:00
Nick Mathewson
f557a7f327 Merge branch 'maint-0.2.7' 2016-01-19 08:30:48 -05:00
Nick Mathewson
534a0ba59b Merge branch 'maint-0.2.6' into maint-0.2.7 2016-01-19 08:30:39 -05:00
Nick Mathewson
e2efa9e321 Refine the memwipe() arguments check for 18089 a little more.
We still silently ignore
     memwipe(NULL, ch, 0);
and
     memwipe(ptr, ch, 0);  /* for ptr != NULL */

But we now assert on:
     memwipe(NULL, ch, 30);
2016-01-19 08:28:58 -05:00
Nick Mathewson
ab58f60321 Merge branch 'maint-0.2.7' 2016-01-18 20:03:28 -05:00
Nick Mathewson
8335b1f9a9 Merge branch 'maint-0.2.6' into maint-0.2.7 2016-01-18 20:00:16 -05:00
teor (Tim Wilson-Brown)
db81565331 Make memwipe() do nothing when passed a NULL pointer or zero size
Check size argument to memwipe() for underflow.

Closes bug #18089. Reported by "gk", patch by "teor".
Bugfix on 0.2.3.25 and 0.2.4.6-alpha (#7352),
commit 49dd5ef3 on 7 Nov 2012.
2016-01-18 19:58:07 -05:00
Nick Mathewson
1d6dd288e1 Try a little harder to only use SecureZeroMemory when it's present
We could be using AC_CHECK_FUNC_DECL too, but it shouldn't be needed.
2016-01-11 09:02:42 -05:00
Nick Mathewson
a1019b82c1 Merge remote-tracking branch 'public/feature16794_more' 2016-01-08 14:54:51 -08:00
rl1987
fb373a9ef6 On win32, use SecureZeroMemory() to securely wipe buffers.
{Also tweak the comments. -nickm)
2016-01-07 14:25:31 -08:00
Nick Mathewson
3783046f3b Use memset_s or explicit_bzero when available. 2016-01-07 12:53:24 -08:00
Nick Mathewson
603110aa1d Merge branch 'feature17796_squashed' 2015-12-29 09:48:39 -05:00
Nick Mathewson
488cdee5e7 When allocating a crypto_digest_t, allocate no more bytes than needed
Previously we would allocate as many bytes as we'd need for a
keccak--even when we were only calculating SHA1.

Closes ticket 17796.
2015-12-29 09:47:04 -05:00
Nick Mathewson
6365859825 Disable the dynlock functions we were giving openssl.
OpenSSL doesn't use them, and fwict they were never called. If some
version of openssl *does* start using them, we should test them before
we turn them back on.

See ticket 17926
2015-12-23 09:58:36 -05:00
Nick Mathewson
d7c841f467 Unit tests for crypto_force_rand_ssleay().
Part of 16794.
2015-12-23 09:58:08 -05:00
Nick Mathewson
4ec0f8531e Add an unreachable line to make the compiler happy 2015-12-22 10:27:04 -05:00
Nick Mathewson
bb19799a49 Appease "make check-spaces" 2015-12-20 15:00:20 -05:00
Yawning Angel
9467485517 Add crypto_xof_t and assorted routines, backed by SHAKE256.
This is an eXtendable-Output Function with the following claimed
security strengths against *all* adversaries:

 Collision: min(d/2, 256)
 Preimage: >= min(d, 256)
 2nd Preimage: min(d, 256)

 where d is the amount of output used, in bits.
2015-12-19 22:45:21 +00:00
Yawning Angel
687f9b3bd7 Add the SHA-3 hash functions to common/crypto.h.
* DIGEST_SHA3_[256,512] added as supported algorithms, which do
   exactly what is said on the tin.
 * test/bench now benchmarks all of the supported digest algorithms,
   so it's possible to see just how slow SHA-3 is, though the message
   sizes could probably use tweaking since this is very dependent on
   the message size vs the SHA-3 rate.
2015-12-19 22:44:05 +00:00
cypherpunks
824a6a2a90 Replace usage of INLINE with inline
This patch was generated using;

  sed -i -e "s/\bINLINE\b/inline/" src/*/*.[ch] src/*/*/*.[ch]
2015-12-15 11:34:00 -05:00
Nick Mathewson
f3ed5ec0ca Fix a pair of dead assignments 2015-12-11 09:35:43 -05:00
Nick Mathewson
4d13cc69ce make stack-protector happy 2015-12-10 11:50:02 -05:00
Nick Mathewson
390d3fa3af add a static 2015-12-10 09:43:55 -05:00
Nick Mathewson
ce3b7ddb54 improve a comment in memwipe 2015-12-10 09:03:47 -05:00
Nick Mathewson
7186e2a943 Merge remote-tracking branch 'public/feature17694_strongest_027' 2015-12-10 09:02:10 -05:00
Nick Mathewson
631e3517e3 Mark a couple more arguments as unused. 2015-12-09 11:58:32 -05:00
Nick Mathewson
3843c6615c Small cleanups and comment fixes to rng functions. 2015-12-09 09:15:57 -05:00
Nick Mathewson
3a69fcb01f try a little harder with getrandom types to avoid warnings 2015-12-09 08:31:29 -05:00
Nick Mathewson
0df014edad mark a variable unused. 2015-12-08 17:17:17 -05:00
Nick Mathewson
b701b7962b Fix comment switcheroo. Spotted by skruffy 2015-12-08 12:53:51 -05:00
Yawning Angel
353c71516e Add support for getrandom() and getentropy() when available
Implements feature #13696.
2015-12-08 12:34:53 -05:00
Nick Mathewson
2259de0de7 Always hash crypto_strongest_rand() along with some prng
(before using it for anything besides feeding the PRNG)

Part of #17694
2015-12-08 10:54:42 -05:00
Nick Mathewson
e5754c42d1 Merge branch 'bug17686_v2_027' 2015-11-25 22:33:49 -05:00
Nick Mathewson
1cfa2bc859 Fix documentation for crypto_rand* 2015-11-25 22:29:59 -05:00
Nick Mathewson
ddcbe26474 Now that crypto_rand() cannot fail, it should return void. 2015-11-25 22:29:59 -05:00
Nick Mathewson
10fdee6285 Add crypto-initializer functions to those whose return values must be checked 2015-11-25 22:29:59 -05:00
Nick Mathewson
dedea28c2e Make crypto_seed_rng() and crypto_rand() less scary.
These functions must really never fail; so have crypto_rand() assert
that it's working okay, and have crypto_seed_rng() demand that
callers check its return value.  Also have crypto_seed_rng() check
RAND_status() before returning.
2015-11-25 22:29:59 -05:00
teor (Tim Wilson-Brown)
b1b8f7982e Check the return value of HMAC in crypto.c and assert on error
Fixes bug #17658; bugfix on commit in fdbb9cdf74 (11 Oct 2011)
in tor version 0.2.3.5-alpha-dev.
2015-11-26 10:46:36 +11:00
Nick Mathewson
45caeec9a0 Merge remote-tracking branch 'teor/comments-20151123' 2015-11-25 09:08:15 -05:00
Nick Mathewson
7194d3d957 Tweak gtank's sha512 patch a little 2015-11-25 09:04:17 -05:00
George Tankersley
695412302b implement teor's comments 2015-11-24 02:17:37 +00:00
George Tankersley
ff54cc8481 add SHA512 support to crypto 2015-11-24 01:34:28 +00:00
teor (Tim Wilson-Brown)
5b2adfb3d4 Fix comments to describe actual return values (crypto.c) 2015-11-23 20:31:57 +11:00
teor (Tim Wilson-Brown)
84d1373ba0 Fix typo in comment on crypto_add_spaces_to_fp 2015-11-23 18:59:11 +11:00
teor (Tim Wilson-Brown)
604d3ee48d Comment only: crypto_seed_rng no longer has a "startup" parameter 2015-11-23 10:26:07 +11:00
Nick Mathewson
accb726db6 Remove a little duplicated code in TAP key expansion
patch from pfrankw; closes 17587.
2015-11-13 09:46:32 -05:00
Nick Mathewson
3aebeeffa5 Every openssl we support has ERR_remove_thread_state 2015-11-10 10:13:04 -05:00
Nick Mathewson
c32a43a4d2 Move openssl version compatibility defines into a new header. 2015-11-10 10:02:21 -05:00
Yawning Angel
3e3ec750cd Fix compilation with OpenSSL 1.1.0-dev.
OpenSSL changed the API:
 * 5998e29035
 * b0700d2c8d
2015-11-06 19:02:56 +00:00
Nick Mathewson
b5aa257d46 Fix "make check-spaces" 2015-10-02 14:33:54 +02:00
Ola Bini
94e5db3dca
Add tests for tortls.c 2015-09-15 17:09:18 +02:00
Nick Mathewson
280672bdbc Handle negative inputs to crypto_random_time_range().
(These inputs are possible when Shadow starts the world at time_t 0,
and breaks our assumption that Tor didn't exist in the 1970s.)

Fixes regression introduced in 241e6b09. Fixes #16980.
2015-09-08 10:22:01 -04:00
Yawning Angel
af898f5475 Add crypto_rand_unmocked, which is crypto_rand without mocking.
There is odd issues with calling crypto_rand from our copy of
ed25519-donna, due to mocking that are not easily resolved.
2015-08-12 15:57:05 +00:00
Nick Mathewson
347fe449fe Move formatting functions around.
The base64 and base32 functions used to be in crypto.c;
crypto_format.h had no header; some general-purpose functions were in
crypto_curve25519.c.

This patch makes a {crypto,util}_format.[ch], and puts more functions
there.  Small modules are beautiful!
2015-07-31 11:21:34 -04:00
Yawning Angel
840e68d917 Integrate and enable ed25519-donna.
The runtime sanity checking is slightly different from the optimized
basepoint stuff in that it uses a given implementation's self tests if
available, and checks if signing/verification works with a test vector
from the IETF EdDSA draft.

The unit tests include a new testcase that will fuzz donna against ref0,
including the blinding and curve25519 key conversion routines.  If this
is something that should be done at runtime (No?), the code can be
stolen from there.

Note: Integrating batch verification is not done yet.
2015-07-06 10:11:10 +00:00
Yawning Angel
f079c27761 Integrate the accelerated Curve25519 scalar basemult.
Integration work scavanged from nickm's `ticket8897_9663_v2` branch,
with minor modifications.  Tor will still sanity check the output but
now also attempts to catch extreme breakage by spot checking the
optimized implementation vs known values from the NaCl documentation.

Implements feature 9663.
2015-07-06 09:57:23 +00:00
Nick Mathewson
753797391f More tweaks for windows compilation. (ick) 2015-06-29 13:47:44 -04:00
Nick Mathewson
d9052c629b Remove checks for visual C 6. 2015-06-29 12:55:03 -04:00
Nick Mathewson
7816ba8f1a Add assertions to crypto_dh_dup()
Without these, coverity is annoyed that aren't checking for NULL in bench.c

CID 1293335 -- found by coverity.
2015-05-28 12:27:22 -04:00
Nick Mathewson
1b52e95028 Merge branch '12498_ed25519_keys_v6'
Fixed numerous conflicts, and ported code to use new base64 api.
2015-05-28 11:04:33 -04:00
Nick Mathewson
277c9a3580 Note some functions that should move or be merged 2015-05-28 10:47:47 -04:00
Nick Mathewson
efa21bb941 Implement proposal 228: cross-certification with onion keys
Routers now use TAP and ntor onion keys to sign their identity keys,
and put these signatures in their descriptors.  That allows other
parties to be confident that the onion keys are indeed controlled by
the router that generated the descriptor.
2015-05-28 10:40:57 -04:00
Nick Mathewson
fe5d2477aa Implement ed25519-signed descriptors
Now that we have ed25519 keys, we can sign descriptors with them
and check those signatures as documented in proposal 220.
2015-05-28 10:40:56 -04:00
Nick Mathewson
0b7bf3585a Generate error ASAP if building with too-old openssl 2015-05-21 11:54:13 -04:00
Nick Mathewson
ed02a409cf Merge branch 'bug16034_no_more_openssl_098_squashed'
Conflicts:
	src/test/testing_common.c
2015-05-20 15:33:22 -04:00
Nick Mathewson
f8f407d66a Now that OpenSSL 0.9.8 is dead, crypto_seed_rng() needs no args
It needed an argument before because it wasn't safe to call
RAND_poll() on openssl 0.9.8c if you had already opened more fds
than would fit in fd_set.
2015-05-20 15:27:36 -04:00