Commit Graph

65 Commits

Author SHA1 Message Date
Kris Katterjohn
c13a81f7f9 Fix (and make consistent) the use of OpenBSD preprocessor macro tests
Prior to this commit, the testsuite was failing on OpenBSD.  After
this commit the testsuite runs fine on OpenBSD.

It was previously decided to test for the OpenBSD macro (rather than
__OpenBSD__, etc.) because OpenBSD forks seem to have the former
macro defined.  sys/param.h must be included for the OpenBSD macro
definition; however, many files tested for the OpenBSD macro without
having this header included.

This commit includes sys/param.h in the files where the OpenBSD macro
is used (and sys/param.h is not already included), and it also
changes some instances of the __OpenBSD__ macro to OpenBSD.

See commit 27df23abb6 which changed
everything to use OpenBSD instead of __OpenBSD__ or OPENBSD.  See
also tickets #6982 and #20980 (the latter ticket is where it was
decided to use the OpenBSD macro).

Signed-off-by: Kris Katterjohn <katterjohn@gmail.com>
2019-01-09 08:51:57 -05:00
Nick Mathewson
e5601f14ed Initialize 't' in ge25519_scalarmult_base_niels()
OSS-Fuzz's version of memorysanitizer can't tell that this value is
not going to be used unsafely.
2018-09-11 10:35:18 -04:00
Nick Mathewson
accf239fa3 Rectify include paths (automated) 2018-06-21 13:19:00 -04:00
Nick Mathewson
fa5fda5bbf Rectify include paths (automated) 2018-06-21 13:14:14 -04:00
Nick Mathewson
727db7aeb9 Rectify include paths (automated) 2018-06-21 11:03:39 -04:00
Nick Mathewson
0dab29ce10 Run rectify_include_paths.py 2018-06-20 09:35:05 -04:00
Isis Lovecruft
809f6fae84
refactor: Remove unnecessary #include "crypto.h" throughout codebase.
* FIXES part of #24658: https://bugs.torproject.org/24658
2018-04-06 22:49:18 +00:00
Isis Lovecruft
fe3aca1491
crypto: Refactor (P)RNG functionality into new crypto_rand module.
* ADD new /src/common/crypto_rand.[ch] module.
 * ADD new /src/common/crypto_util.[ch] module (contains the memwipe()
   function, since all crypto_* modules need this).
 * FIXES part of #24658: https://bugs.torproject.org/24658
2018-04-06 21:45:28 +00:00
Nick Mathewson
0eed0899cd Merge branch 'bug24658-rm-curve25519-header' into bug24658-merge 2018-03-26 20:12:59 -04:00
Deepesh Pathak
ca6682f3f8 Fix spelling mistakes corresponding to ticket #23650 2018-02-07 10:41:57 -05:00
Fernando Fernandez Mancera
61c7ec29f1 Include crypto_digest.h in order to solve dependency issues.
Included crypto_digest.h in some files in order to solve xof+digest module
dependency issues. Removed crypto.h where it isn't needed anymore.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-03 17:04:36 +01:00
Nick Mathewson
34e4122025 Merge branch 'ticket20657_nickm_bugfixes_squashed' 2017-08-08 20:31:57 -04:00
George Kadianakis
4ad4467fa1 Don't double hash the ed25519 blind key parameter.
We used to do:
   h = H(BLIND_STRING | H(A | s | B | N )
when we should be doing:
   h = H(BLIND_STRING | A | s | B | N)

Change the logic so that hs_common.c does the hashing, and our ed25519
libraries just receive the hashed parameter ready-made. That's easier
than doing the hashing on the ed25519 libraries, since that means we
would have to pass them a variable-length param (depending on whether
's' is set or not).

Also fix the ed25519 test vectors since they were also double hashing.
2017-08-08 20:29:34 -04:00
Nick Mathewson
c2844d5377 Merge branch 'bug22895_027' 2017-07-27 11:27:07 -04:00
cypherpunks
89c0a00a9a Remove unused variables in donna's SSE2 code
Fixes unused-const-variable warnings with GCC on 32-bit x86 systems.

Closes #22895.
2017-07-27 11:26:13 -04:00
George Kadianakis
0269e4ffba ed25519: Also check that retval in the ref10 implementation. 2017-06-28 14:58:22 +03:00
George Kadianakis
0d9873ac0d ed25519: Check retval of unpack_negative_vartime in donna. 2017-06-28 14:58:22 +03:00
Nick Mathewson
7fff6cfead Merge branch 'asn_bug22006_final_squashed' 2017-06-27 17:19:08 -04:00
George Kadianakis
559658ff1c ed25519: Add func that checks for torsion component in pubkeys.
See https://lists.torproject.org/pipermail/tor-dev/2017-April/012213.html .
2017-06-27 17:17:58 -04:00
Andreas Stieger
1763aa058b Fix GCC 7 -Wimplicit-fallthrough warnings (32 bit)
Add magic comments recognized by default -Wimplicit-fallthrough=3
Follow-up to e5f464, fixes Ticket 22446 for 32 bit.
2017-05-31 09:30:35 -04:00
Andreas Stieger
e5f4642db3 Fix GCC 7 -Wimplicit-fallthrough warnings
Add magic comments recognized by default -Wimplicit-fallthrough=3
or break, as required.
2017-05-30 08:33:27 -04:00
Nick Mathewson
f5cc8da7e0 Use DIGEST512_LEN macro in crypto_hash_sha512.h in ref10 2017-04-07 09:58:04 -04:00
Nick Mathewson
38fb651f0d Make our ed25519 implementations no longer use openssl directly. 2017-03-31 10:04:44 -04:00
Nick Mathewson
64521a9d35 Merge remote-tracking branch 'public/solaris_warnings_028' 2016-09-11 16:52:24 -04:00
Nick Mathewson
94bff894f9 Fix a large pile of solaris warnings for bug 19767.
In nearly all cases, this is a matter of making sure that we include
orconfig.h before we include any standard c headers.
2016-07-28 10:47:46 -04:00
Nick Mathewson
47edbd4fad Fix build on 32-bit systems. 2016-06-11 13:26:05 -04:00
Nick Mathewson
53a3b39da1 Add -Wmissing-variable-declarations, with attendant fixes
This is a big-ish patch, but it's very straightforward.  Under this
clang warning, we're not actually allowed to have a global variable
without a previous extern declaration for it.  The cases where we
violated this rule fall into three roughly equal groups:
  * Stuff that should have been static.
  * Stuff that was global but where the extern was local to some
    other C file.
  * Stuff that was only global when built for the unit tests, that
    needed a conditional extern in the headers.

The first two were IMO genuine problems; the last is a wart of how
we build tests.
2016-06-11 10:11:54 -04:00
Nick Mathewson
9bbd6502f0 Use autoconf, not gcc version, to decide which warnings we have
This gives more accurate results under Clang, which can only help us
detect more warnings in more places.

Fixes bug 19216; bugfix on 0.2.0.1-alpha
2016-06-11 10:11:53 -04:00
Nick Mathewson
2ff20c93a5 Add -Wunused-const-variable=2 on GCC >=6.1
This caused a trivial warning in curve25519-donna-64bit.h, which
had two unused constants.  I commented them out.
2016-06-11 10:11:52 -04:00
Nick Mathewson
8c6b528b00 Disambiguate: Avoid defining two static functions both called gettweak() 2016-04-15 12:19:51 -04:00
teor (Tim Wilson-Brown)
9ab1037de1 Silence clang-scan warnings in ed25519_donna 2016-02-24 23:24:01 +08:00
Nick Mathewson
2259de0de7 Always hash crypto_strongest_rand() along with some prng
(before using it for anything besides feeding the PRNG)

Part of #17694
2015-12-08 10:54:42 -05:00
Sebastian Hahn
98da122ab4 Don't enable SSE2 on X86-64.
This removes a comment presumably introduced for debugging that was left
in accidentally. Bug not in any released version of Tor. Fixes bug
17092.
2015-09-16 14:08:38 +02:00
Nick Mathewson
81e3deeb54 Fix an alignment issue in our extensions to ed25519_donna
Apparently this only happens with clang (or with some particular
clang versions), and only on i386.

Fixes 16970; bug not in any released Tor.

Found by Teor; fix from Yawning.
2015-09-04 09:30:59 -04:00
Nick Mathewson
53c99cce5e Add a comment about CID 1311630 and why we won't worry about it. 2015-09-01 09:43:37 -04:00
Yawning Angel
971eba0fcd Fixup: Force enable SSE2 before undefining ALIGN if SSE2 is disabled.
This should fix the x86 build, since variables that require 16 byte
alignment will now actually be 16 byte aligned.
2015-08-17 19:21:51 +00:00
Yawning Angel
a77616f605 Enable ed25519-donna's SSE2 code when possible for 32 bit x86.
This probably requires the user to manually set CFLAGS, but should
result in a net gain on 32 bit x86. Enabling SSE2 support would be
possible on x86_64, but will result in slower performance.

Implements feature #16535.
2015-08-17 18:41:41 +00:00
Yawning Angel
78fad380cd Use ed25519-donna's batch verification support when applicable.
The code was always in our Ed25519 wrappers, so enable it when using
the ed25519-donna backend, and deal with the mocking related
crypto_rand silliness.

Implements feature 16533.
2015-08-12 16:01:28 +00:00
Yawning Angel
c0106118fa Fix ed25519-donna with SSP on non-x86.
The only reason 16 byte alignment is required is for SSE2 load and
store operations, so only align datastructures to 16 byte boundaries
when building with SSE2 support.

This fixes builds with GCC SSP on platforms that don't have special
case code to do dynamic stack re-alignment (everything not x86/x86_64).

Fixes bug #16666.
2015-07-27 00:49:11 +00:00
Nick Mathewson
b06759edfd Try to convince coverity not to worry about this loop either 2015-07-12 17:01:17 -04:00
Nick Mathewson
7892aff3a8 Try to convince coverity not to worryh about this loop 2015-07-12 17:00:45 -04:00
Nick Mathewson
920c63877c Tell coverity to tolerate ed25519_verify 2015-07-12 16:59:37 -04:00
Nick Mathewson
d835264690 Disable -Wstack-protector diagnostics in curve25519-donna-helpers.h
This was causing a false positive on our arm builders.
2015-07-12 14:48:48 -04:00
Yawning Angel
be113f0bce Add Curve25519->Ed25519 support to ed25519-donna (Not yet used).
This needs to be done to allow for the possibility of removing the
ref10 code at a later date, though it is not performance critical.
When integrated by kludging it into tor, it passes unit tests, and is
twice as fast.
2015-07-06 09:48:00 +00:00
Yawning Angel
b7aa3074fc Add blinding support to ed25519-donna (Not yet used).
Integrating it the "wrong" way into common/crypto_ed25519.c passes
`make check`, and there appear to be some known answer tests for this,
so I assume I got it right.

Blinding a public key goes from 139.10 usec to 70.78 usec using
ed25519-donna (NB: Turboboost/phase of moon), though the code isn't
critical path, so supporting it is mostly done for completeness.
2015-07-06 09:44:43 +00:00
Yawning Angel
0f3eeca9b8 Integrate ed25519-donna (Not yet used).
Integrate ed25519-donna into the build process, and provide an
interface that matches the `ref10` code.  Apart from the blinding and
Curve25519 key conversion, this functions as a drop-in replacement for
ref10 (verified by modifying crypto_ed25519.c).

Tests pass, and the benchmarks claim it is quite a bit faster, however
actually using the code requires additional integration work.
2015-07-06 09:40:28 +00:00
Yawning Angel
7b10741be4 Import Andrew Moon's ed25519-donna.
This is a clean copy of ed25519-donna as of commit:

  8757bd4cd209cb032853ece0ce413f122eef212c

https://github.com/floodyberry/ed25519-donna
2015-07-06 08:00:01 +00:00
teor
b7eab94a90 Stop ed25519 8-bit signed left shift overflowing
Standardise usage in ge_scalarmult_base.c for 1 new fix.
2014-09-28 20:44:00 -04:00
Nick Mathewson
6129ff320e Use SHL{8,32,64} in ed25519/ref10 to avoid left-shifting negative values
This helps us avoid undefined behavior. It's based on a patch from teor,
except that I wrote a perl script to regenerate the patch:

  #!/usr/bin/perl -p -w -i

  BEGIN { %vartypes = (); }

  if (/^[{}]/) {
      %vartypes = ();
  }

  if (/^ *crypto_int(\d+) +([a-zA-Z_][_a-zA-Z0-9]*)/) {
      $vartypes{$2} = $1;
  } elsif (/^ *(?:signed +)char +([a-zA-Z_][_a-zA-Z0-9]*)/) {
      $vartypes{$1} = '8';
  }

  # This fixes at most one shift per line. But that's all the code does.
  if (/([a-zA-Z_][a-zA-Z_0-9]*) *<< *(\d+)/) {
      $v = $1;
      if (exists $vartypes{$v}) {
  	s/$v *<< *(\d+)/SHL$vartypes{$v}($v,$1)/;
      }
  }

  # remove extra parenthesis
  s/\(SHL64\((.*)\)\)/SHL64\($1\)/;
  s/\(SHL32\((.*)\)\)/SHL32\($1\)/;
  s/\(SHL8\((.*)\)\)/SHL8\($1\)/;
2014-09-28 20:41:05 -04:00
teor
6b155dc1a6 Stop signed left shifts overflowing in ed25519: Macros
The macros let us use unsigned types for potentially overflowing left
shifts. Create SHL32() and SHL64() and SHL8() macros for convenience.
2014-09-28 20:38:12 -04:00