diff options
| author | Roger Dingledine <arma@torproject.org> | 2010-12-16 17:24:11 -0500 |
|---|---|---|
| committer | Roger Dingledine <arma@torproject.org> | 2010-12-16 17:24:11 -0500 |
| commit | c63c937465f91b60f07e70942e2cb5af1b90dce4 (patch) | |
| tree | 1b44da39cbe47b5176829100ed8ff038348681fc | |
| parent | 591f65dde68c7847e4282c4cba5a11868fe13158 (diff) | |
| parent | b5e293afe6b3c98b50c23cc443969b5f840dca32 (diff) | |
| download | tor-c63c937465f91b60f07e70942e2cb5af1b90dce4.tar.gz tor-c63c937465f91b60f07e70942e2cb5af1b90dce4.zip | |
Merge commit 'nickm/fix_security_bug_022' into maint-0.2.2
| -rw-r--r-- | changes/security_bug | 5 | ||||
| -rw-r--r-- | src/common/compat.c | 15 | ||||
| -rw-r--r-- | src/common/compat.h | 16 | ||||
| -rw-r--r-- | src/common/crypto.c | 11 | ||||
| -rw-r--r-- | src/common/memarea.c | 3 | ||||
| -rw-r--r-- | src/common/mempool.c | 4 | ||||
| -rw-r--r-- | src/common/torint.h | 2 | ||||
| -rw-r--r-- | src/common/util.c | 11 | ||||
| -rw-r--r-- | src/or/buffers.c | 2 | ||||
| -rw-r--r-- | src/or/circuitbuild.c | 13 | ||||
| -rw-r--r-- | src/or/circuitbuild.h | 2 | ||||
| -rw-r--r-- | src/or/command.c | 17 | ||||
| -rw-r--r-- | src/or/connection_edge.c | 26 | ||||
| -rw-r--r-- | src/or/connection_edge.h | 2 | ||||
| -rw-r--r-- | src/or/connection_or.c | 5 | ||||
| -rw-r--r-- | src/or/onion.c | 14 | ||||
| -rw-r--r-- | src/or/onion.h | 12 | ||||
| -rw-r--r-- | src/or/or.h | 6 | ||||
| -rw-r--r-- | src/or/relay.c | 34 | ||||
| -rw-r--r-- | src/or/relay.h | 10 | ||||
| -rw-r--r-- | src/or/rendclient.c | 13 | ||||
| -rw-r--r-- | src/or/rendclient.h | 9 | ||||
| -rw-r--r-- | src/or/rendcommon.c | 2 | ||||
| -rw-r--r-- | src/or/rendcommon.h | 3 | ||||
| -rw-r--r-- | src/or/rendmid.c | 30 | ||||
| -rw-r--r-- | src/or/rendmid.h | 8 | ||||
| -rw-r--r-- | src/or/rendservice.c | 9 | ||||
| -rw-r--r-- | src/or/rendservice.h | 4 |
28 files changed, 166 insertions, 122 deletions
diff --git a/changes/security_bug b/changes/security_bug new file mode 100644 index 0000000000..990beee506 --- /dev/null +++ b/changes/security_bug @@ -0,0 +1,5 @@ + o Major bugfixes: + - Fix a remotely exploitable bug that could be used to crash instances + of Tor remotely by overflowing on the heap. Remove-code execution + hasn't been confirmed, but can't be ruled out. Obviously, everyone + should upgrade. Bugfix on the 0.1.1 series and later. diff --git a/src/common/compat.c b/src/common/compat.c index 4d556a85e6..8ec4221b22 100644 --- a/src/common/compat.c +++ b/src/common/compat.c @@ -126,6 +126,7 @@ tor_mmap_file(const char *filename) return NULL; } + /* XXXX why not just do fstat here? */ size = filesize = (size_t) lseek(fd, 0, SEEK_END); lseek(fd, 0, SEEK_SET); /* ensure page alignment */ @@ -299,7 +300,7 @@ tor_vsnprintf(char *str, size_t size, const char *format, va_list args) int r; if (size == 0) return -1; /* no place for the NUL */ - if (size > SSIZE_T_MAX-16) + if (size > SIZE_T_CEILING) return -1; #ifdef MS_WINDOWS r = _vsnprintf(str, size, format, args); @@ -560,7 +561,7 @@ tor_fix_source_file(const char *fname) * unaligned memory access. */ uint16_t -get_uint16(const char *cp) +get_uint16(const void *cp) { uint16_t v; memcpy(&v,cp,2); @@ -572,7 +573,7 @@ get_uint16(const char *cp) * unaligned memory access. */ uint32_t -get_uint32(const char *cp) +get_uint32(const void *cp) { uint32_t v; memcpy(&v,cp,4); @@ -584,7 +585,7 @@ get_uint32(const char *cp) * unaligned memory access. */ uint64_t -get_uint64(const char *cp) +get_uint64(const void *cp) { uint64_t v; memcpy(&v,cp,8); @@ -596,7 +597,7 @@ get_uint64(const char *cp) * *(uint16_t*)(cp) = v, but will not cause segfaults on platforms that forbid * unaligned memory access. */ void -set_uint16(char *cp, uint16_t v) +set_uint16(void *cp, uint16_t v) { memcpy(cp,&v,2); } @@ -605,7 +606,7 @@ set_uint16(char *cp, uint16_t v) * *(uint32_t*)(cp) = v, but will not cause segfaults on platforms that forbid * unaligned memory access. */ void -set_uint32(char *cp, uint32_t v) +set_uint32(void *cp, uint32_t v) { memcpy(cp,&v,4); } @@ -614,7 +615,7 @@ set_uint32(char *cp, uint32_t v) * *(uint64_t*)(cp) = v, but will not cause segfaults on platforms that forbid * unaligned memory access. */ void -set_uint64(char *cp, uint64_t v) +set_uint64(void *cp, uint64_t v) { memcpy(cp,&v,8); } diff --git a/src/common/compat.h b/src/common/compat.h index 449bf748f4..03e0686e8d 100644 --- a/src/common/compat.h +++ b/src/common/compat.h @@ -488,18 +488,18 @@ long tor_weak_random(void); /* ===== OS compatibility */ const char *get_uname(void); -uint16_t get_uint16(const char *cp) ATTR_PURE ATTR_NONNULL((1)); -uint32_t get_uint32(const char *cp) ATTR_PURE ATTR_NONNULL((1)); -uint64_t get_uint64(const char *cp) ATTR_PURE ATTR_NONNULL((1)); -void set_uint16(char *cp, uint16_t v) ATTR_NONNULL((1)); -void set_uint32(char *cp, uint32_t v) ATTR_NONNULL((1)); -void set_uint64(char *cp, uint64_t v) ATTR_NONNULL((1)); +uint16_t get_uint16(const void *cp) ATTR_PURE ATTR_NONNULL((1)); +uint32_t get_uint32(const void *cp) ATTR_PURE ATTR_NONNULL((1)); +uint64_t get_uint64(const void *cp) ATTR_PURE ATTR_NONNULL((1)); +void set_uint16(void *cp, uint16_t v) ATTR_NONNULL((1)); +void set_uint32(void *cp, uint32_t v) ATTR_NONNULL((1)); +void set_uint64(void *cp, uint64_t v) ATTR_NONNULL((1)); /* These uint8 variants are defined to make the code more uniform. */ #define get_uint8(cp) (*(const uint8_t*)(cp)) -static void set_uint8(char *cp, uint8_t v); +static void set_uint8(void *cp, uint8_t v); static INLINE void -set_uint8(char *cp, uint8_t v) +set_uint8(void *cp, uint8_t v) { *(uint8_t*)cp = v; } diff --git a/src/common/crypto.c b/src/common/crypto.c index 81a432d8d4..e030c56064 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -901,6 +901,8 @@ crypto_pk_public_checksig_digest(crypto_pk_env_t *env, const char *data, tor_assert(env); tor_assert(data); tor_assert(sig); + tor_assert(datalen < SIZE_T_CEILING); + tor_assert(siglen < SIZE_T_CEILING); if (crypto_digest(digest,data,datalen)<0) { log_warn(LD_BUG, "couldn't compute digest"); @@ -1001,6 +1003,7 @@ crypto_pk_public_hybrid_encrypt(crypto_pk_env_t *env, tor_assert(env); tor_assert(from); tor_assert(to); + tor_assert(fromlen < SIZE_T_CEILING); overhead = crypto_get_rsa_padding_overhead(crypto_get_rsa_padding(padding)); pkeylen = crypto_pk_keysize(env); @@ -1068,6 +1071,7 @@ crypto_pk_private_hybrid_decrypt(crypto_pk_env_t *env, crypto_cipher_env_t *cipher = NULL; char *buf = NULL; + tor_assert(fromlen < SIZE_T_CEILING); pkeylen = crypto_pk_keysize(env); if (fromlen <= pkeylen) { @@ -1117,7 +1121,7 @@ crypto_pk_asn1_encode(crypto_pk_env_t *pk, char *dest, size_t dest_len) int len; unsigned char *buf, *cp; len = i2d_RSAPublicKey(pk->key, NULL); - if (len < 0 || (size_t)len > dest_len) + if (len < 0 || (size_t)len > dest_len || dest_len > SIZE_T_CEILING) return -1; cp = buf = tor_malloc(len+1); len = i2d_RSAPublicKey(pk->key, &cp); @@ -1192,6 +1196,8 @@ add_spaces_to_fp(char *out, size_t outlen, const char *in) { int n = 0; char *end = out+outlen; + tor_assert(outlen < SIZE_T_CEILING); + while (*in && out<end) { *out++ = *in++; if (++n == 4 && *in && out<end) { @@ -1337,6 +1343,7 @@ crypto_cipher_encrypt(crypto_cipher_env_t *env, char *to, tor_assert(from); tor_assert(fromlen); tor_assert(to); + tor_assert(fromlen < SIZE_T_CEILING); aes_crypt(env->cipher, from, fromlen, to); return 0; @@ -1353,6 +1360,7 @@ crypto_cipher_decrypt(crypto_cipher_env_t *env, char *to, tor_assert(env); tor_assert(from); tor_assert(to); + tor_assert(fromlen < SIZE_T_CEILING); aes_crypt(env->cipher, from, fromlen, to); return 0; @@ -1364,6 +1372,7 @@ crypto_cipher_decrypt(crypto_cipher_env_t *env, char *to, int crypto_cipher_crypt_inplace(crypto_cipher_env_t *env, char *buf, size_t len) { + tor_assert(len < SIZE_T_CEILING); aes_crypt_inplace(env->cipher, buf, len); return 0; } diff --git a/src/common/memarea.c b/src/common/memarea.c index 77579e63be..dac15434c0 100644 --- a/src/common/memarea.c +++ b/src/common/memarea.c @@ -95,6 +95,7 @@ static memarea_chunk_t *freelist = NULL; static memarea_chunk_t * alloc_chunk(size_t sz, int freelist_ok) { + tor_assert(sz < SIZE_T_CEILING); if (freelist && freelist_ok) { memarea_chunk_t *res = freelist; freelist = res->next_chunk; @@ -211,6 +212,7 @@ memarea_alloc(memarea_t *area, size_t sz) char *result; tor_assert(chunk); CHECK_SENTINEL(chunk); + tor_assert(sz < SIZE_T_CEILING); if (sz == 0) sz = 1; if (chunk->next_mem+sz > chunk->u.mem+chunk->mem_size) { @@ -269,6 +271,7 @@ memarea_strndup(memarea_t *area, const char *s, size_t n) size_t ln; char *result; const char *cp, *end = s+n; + tor_assert(n < SIZE_T_CEILING); for (cp = s; cp < end && *cp; ++cp) ; /* cp now points to s+n, or to the 0 in the string. */ diff --git a/src/common/mempool.c b/src/common/mempool.c index c795d83f0c..9d019d618e 100644 --- a/src/common/mempool.c +++ b/src/common/mempool.c @@ -357,6 +357,10 @@ mp_pool_new(size_t item_size, size_t chunk_capacity) mp_pool_t *pool; size_t alloc_size, new_chunk_cap; + tor_assert(item_size < SIZE_T_CEILING); + tor_assert(chunk_capacity < SIZE_T_CEILING); + tor_assert(SIZE_T_CEILING / item_size > chunk_capacity); + pool = ALLOC(sizeof(mp_pool_t)); CHECK_ALLOC(pool); memset(pool, 0, sizeof(mp_pool_t)); diff --git a/src/common/torint.h b/src/common/torint.h index 57f18212ad..a57d501002 100644 --- a/src/common/torint.h +++ b/src/common/torint.h @@ -330,7 +330,7 @@ typedef uint32_t uintptr_t; #endif /* Any size_t larger than this amount is likely to be an underflow. */ -#define SIZE_T_CEILING (sizeof(char)<<(sizeof(size_t)*8 - 1)) +#define SIZE_T_CEILING (SSIZE_T_MAX-16) #endif /* __TORINT_H */ diff --git a/src/common/util.c b/src/common/util.c index dafe12071f..d511872964 100644 --- a/src/common/util.c +++ b/src/common/util.c @@ -122,6 +122,8 @@ _tor_malloc(size_t size DMALLOC_PARAMS) { void *result; + tor_assert(size < SIZE_T_CEILING); + #ifndef MALLOC_ZERO_WORKS /* Some libc mallocs don't work when size==0. Override them. */ if (size==0) { @@ -218,6 +220,7 @@ _tor_strndup(const char *s, size_t n DMALLOC_PARAMS) { char *dup; tor_assert(s); + tor_assert(n < SIZE_T_CEILING); dup = _tor_malloc((n+1) DMALLOC_FN_ARGS); /* Performance note: Ordinarily we prefer strlcpy to strncpy. But * this function gets called a whole lot, and platform strncpy is @@ -234,6 +237,7 @@ void * _tor_memdup(const void *mem, size_t len DMALLOC_PARAMS) { char *dup; + tor_assert(len < SIZE_T_CEILING); tor_assert(mem); dup = _tor_malloc(len DMALLOC_FN_ARGS); memcpy(dup, mem, len); @@ -263,12 +267,15 @@ void * _tor_malloc_roundup(size_t *sizep DMALLOC_PARAMS) { #ifdef HAVE_MALLOC_GOOD_SIZE + tor_assert(*sizep < SIZE_T_CEILING); *sizep = malloc_good_size(*sizep); return _tor_malloc(*sizep DMALLOC_FN_ARGS); #elif 0 && defined(HAVE_MALLOC_USABLE_SIZE) && !defined(USE_DMALLOC) /* Never use malloc_usable_size(); it makes valgrind really unhappy, * and doesn't win much in terms of usable space where it exists. */ - void *result = _tor_malloc(*sizep DMALLOC_FN_ARGS); + void *result; + tor_assert(*sizep < SIZE_T_CEILING); + result = _tor_malloc(*sizep DMALLOC_FN_ARGS); *sizep = malloc_usable_size(result); return result; #else @@ -2131,7 +2138,7 @@ read_file_to_str(const char *filename, int flags, struct stat *stat_out) return NULL; } - if ((uint64_t)(statbuf.st_size)+1 > SIZE_T_MAX) + if ((uint64_t)(statbuf.st_size)+1 > SIZE_T_CEILING) return NULL; string = tor_malloc((size_t)(statbuf.st_size+1)); diff --git a/src/or/buffers.c b/src/or/buffers.c index 658a924cef..f84fb45c64 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -1048,7 +1048,7 @@ fetch_var_cell_from_buf(buf_t *buf, var_cell_t **out, int linkproto) result->circ_id = ntohs(get_uint16(hdr)); buf_remove_from_front(buf, VAR_CELL_HEADER_SIZE); - peek_from_buf(result->payload, length, buf); + peek_from_buf((char*) result->payload, length, buf); buf_remove_from_front(buf, length); check(); diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c index 473b28e872..2fe750ea5b 100644 --- a/src/or/circuitbuild.c +++ b/src/or/circuitbuild.c @@ -1902,7 +1902,7 @@ circuit_send_next_onion_skin(origin_circuit_t *circ) * and a DH operation. */ cell_type = CELL_CREATE_FAST; memset(payload, 0, sizeof(payload)); - crypto_rand(circ->cpath->fast_handshake_state, + crypto_rand((char*) circ->cpath->fast_handshake_state, sizeof(circ->cpath->fast_handshake_state)); memcpy(payload, circ->cpath->fast_handshake_state, sizeof(circ->cpath->fast_handshake_state)); @@ -2081,8 +2081,8 @@ circuit_extend(cell_t *cell, circuit_t *circ) n_addr32 = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE)); n_port = ntohs(get_uint16(cell->payload+RELAY_HEADER_SIZE+4)); - onionskin = cell->payload+RELAY_HEADER_SIZE+4+2; - id_digest = cell->payload+RELAY_HEADER_SIZE+4+2+ONIONSKIN_CHALLENGE_LEN; + onionskin = (char*) cell->payload+RELAY_HEADER_SIZE+4+2; + id_digest = (char*) cell->payload+RELAY_HEADER_SIZE+4+2+ONIONSKIN_CHALLENGE_LEN; tor_addr_from_ipv4h(&n_addr, n_addr32); if (!n_port || !n_addr32) { @@ -2220,7 +2220,7 @@ circuit_init_cpath_crypto(crypt_path_t *cpath, const char *key_data, */ int circuit_finish_handshake(origin_circuit_t *circ, uint8_t reply_type, - const char *reply) + const uint8_t *reply) { char keys[CPATH_KEY_MATERIAL_LEN]; crypt_path_t *hop; @@ -2237,7 +2237,7 @@ circuit_finish_handshake(origin_circuit_t *circ, uint8_t reply_type, tor_assert(hop->state == CPATH_STATE_AWAITING_KEYS); if (reply_type == CELL_CREATED && hop->dh_handshake_state) { - if (onion_skin_client_handshake(hop->dh_handshake_state, reply, keys, + if (onion_skin_client_handshake(hop->dh_handshake_state, (char*)reply, keys, DIGEST_LEN*2+CIPHER_KEY_LEN*2) < 0) { log_warn(LD_CIRC,"onion_skin_client_handshake failed."); return -END_CIRC_REASON_TORPROTOCOL; @@ -2245,7 +2245,8 @@ circuit_finish_handshake(origin_circuit_t *circ, uint8_t reply_type, /* Remember hash of g^xy */ memcpy(hop->handshake_digest, reply+DH_KEY_LEN, DIGEST_LEN); } else if (reply_type == CELL_CREATED_FAST && !hop->dh_handshake_state) { - if (fast_client_handshake(hop->fast_handshake_state, reply, keys, + if (fast_client_handshake(hop->fast_handshake_state, reply, + (uint8_t*)keys, DIGEST_LEN*2+CIPHER_KEY_LEN*2) < 0) { log_warn(LD_CIRC,"fast_client_handshake failed."); return -END_CIRC_REASON_TORPROTOCOL; diff --git a/src/or/circuitbuild.h b/src/or/circuitbuild.h index 888bf9d255..a85c410133 100644 --- a/src/or/circuitbuild.h +++ b/src/or/circuitbuild.h @@ -31,7 +31,7 @@ int circuit_extend(cell_t *cell, circuit_t *circ); int circuit_init_cpath_crypto(crypt_path_t *cpath, const char *key_data, int reverse); int circuit_finish_handshake(origin_circuit_t *circ, uint8_t cell_type, - const char *reply); + const uint8_t *reply); int circuit_truncated(origin_circuit_t *circ, crypt_path_t *layer); int onionskin_answer(or_circuit_t *circ, uint8_t cell_type, const char *payload, const char *keys); diff --git a/src/or/command.c b/src/or/command.c index ea0bbea1e5..beb5d09a9d 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -306,7 +306,8 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn) char keys[CPATH_KEY_MATERIAL_LEN]; char reply[DIGEST_LEN*2]; tor_assert(cell->command == CELL_CREATE_FAST); - if (fast_server_handshake(cell->payload, reply, keys, sizeof(keys))<0) { + if (fast_server_handshake(cell->payload, (uint8_t*)reply, + (uint8_t*)keys, sizeof(keys))<0) { log_warn(LD_OR,"Failed to generate key material. Closing."); circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL); return; @@ -353,7 +354,7 @@ command_process_created_cell(cell_t *cell, or_connection_t *conn) int err_reason = 0; log_debug(LD_OR,"at OP. Finishing handshake."); if ((err_reason = circuit_finish_handshake(origin_circ, cell->command, - cell->payload)) < 0) { + cell->payload)) < 0) { log_warn(LD_OR,"circuit_finish_handshake failed."); circuit_mark_for_close(circ, -err_reason); return; @@ -369,7 +370,7 @@ command_process_created_cell(cell_t *cell, or_connection_t *conn) log_debug(LD_OR, "Converting created cell to extended relay cell, sending."); relay_send_command_from_edge(0, circ, RELAY_COMMAND_EXTENDED, - cell->payload, ONIONSKIN_REPLY_LEN, + (char*)cell->payload, ONIONSKIN_REPLY_LEN, NULL); } } @@ -499,7 +500,7 @@ static void command_process_versions_cell(var_cell_t *cell, or_connection_t *conn) { int highest_supported_version = 0; - const char *cp, *end; + const uint8_t *cp, *end; if (conn->link_proto != 0 || conn->_base.state != OR_CONN_STATE_OR_HANDSHAKING || (conn->handshake_state && conn->handshake_state->received_versions)) { @@ -553,8 +554,8 @@ command_process_netinfo_cell(cell_t *cell, or_connection_t *conn) time_t timestamp; uint8_t my_addr_type; uint8_t my_addr_len; - const char *my_addr_ptr; - const char *cp, *end; + const uint8_t *my_addr_ptr; + const uint8_t *cp, *end; uint8_t n_other_addrs; time_t now = time(NULL); @@ -582,7 +583,7 @@ command_process_netinfo_cell(cell_t *cell, or_connection_t *conn) my_addr_type = (uint8_t) cell->payload[4]; my_addr_len = (uint8_t) cell->payload[5]; - my_addr_ptr = cell->payload + 6; + my_addr_ptr = (uint8_t*) cell->payload + 6; end = cell->payload + CELL_PAYLOAD_SIZE; cp = cell->payload + 6 + my_addr_len; if (cp >= end) { @@ -599,7 +600,7 @@ command_process_netinfo_cell(cell_t *cell, or_connection_t *conn) /* Consider all the other addresses; if any matches, this connection is * "canonical." */ tor_addr_t addr; - const char *next = decode_address_from_payload(&addr, cp, (int)(end-cp)); + const uint8_t *next = decode_address_from_payload(&addr, cp, (int)(end-cp)); if (next == NULL) { log_fn(LOG_PROTOCOL_WARN, LD_OR, "Bad address in netinfo cell; closing connection."); diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index cc040b1780..2bfa88e6a9 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -1492,7 +1492,8 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn, tor_snprintf(socks->address, sizeof(socks->address), "REVERSE[%s]", orig_address); connection_ap_handshake_socks_resolved(conn, RESOLVED_TYPE_HOSTNAME, - strlen(result), result, -1, + strlen(result), (uint8_t*)result, + -1, map_expires); connection_mark_unattached_ap(conn, END_STREAM_REASON_DONE | @@ -1613,7 +1614,8 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn, /* remember _what_ is supposed to have been resolved. */ strlcpy(socks->address, orig_address, sizeof(socks->address)); connection_ap_handshake_socks_resolved(conn,RESOLVED_TYPE_IPV4,4, - (char*)&answer,-1,map_expires); + (uint8_t*)&answer, + -1,map_expires); connection_mark_unattached_ap(conn, END_STREAM_REASON_DONE | END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED); @@ -2318,7 +2320,7 @@ void connection_ap_handshake_socks_resolved(edge_connection_t *conn, int answer_type, size_t answer_len, - const char *answer, + const uint8_t *answer, int ttl, time_t expires) { @@ -2332,7 +2334,7 @@ connection_ap_handshake_socks_resolved(edge_connection_t *conn, client_dns_set_addressmap(conn->socks_request->address, a, conn->chosen_exit_name, ttl); } else if (answer_type == RESOLVED_TYPE_HOSTNAME && answer_len < 256) { - char *cp = tor_strndup(answer, answer_len); + char *cp = tor_strndup((char*)answer, answer_len); client_dns_set_reverse_addressmap(conn->socks_request->address, cp, conn->chosen_exit_name, ttl); @@ -2343,14 +2345,14 @@ connection_ap_handshake_socks_resolved(edge_connection_t *conn, if (conn->is_dns_request) { if (conn->dns_server_request) { /* We had a request on our DNS port: answer it. */ - dnsserv_resolved(conn, answer_type, answer_len, answer, ttl); + dnsserv_resolved(conn, answer_type, answer_len, (char*)answer, ttl); conn->socks_request->has_finished = 1; return; } else { /* This must be a request from the controller. We already sent * a mapaddress if there's a ttl. */ tell_controller_about_resolved_result(conn, answer_type, answer_len, - answer, ttl, expires); + (char*)answer, ttl, expires); conn->socks_request->has_finished = 1; return; } @@ -2495,6 +2497,8 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ) or_circ = TO_OR_CIRCUIT(circ); relay_header_unpack(&rh, cell->payload); + if (rh.length > RELAY_PAYLOAD_SIZE) + return -1; /* Note: we have to use relay_send_command_from_edge here, not * connection_edge_end or connection_edge_send_command, since those require @@ -2518,7 +2522,8 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ) END_STREAM_REASON_TORPROTOCOL, NULL); return 0; } - if (parse_addr_port(LOG_PROTOCOL_WARN, cell->payload+RELAY_HEADER_SIZE, + if (parse_addr_port(LOG_PROTOCOL_WARN, + (char*)(cell->payload+RELAY_HEADER_SIZE), &address,NULL,&port)<0) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Unable to parse addr:port in relay begin cell. Closing."); @@ -2683,6 +2688,8 @@ connection_exit_begin_resolve(cell_t *cell, or_circuit_t *circ) assert_circuit_ok(TO_CIRCUIT(circ)); relay_header_unpack(&rh, cell->payload); + if (rh.length > RELAY_PAYLOAD_SIZE) + return -1; /* This 'dummy_conn' only exists to remember the stream ID * associated with the resolve request; and to make the @@ -2693,8 +2700,9 @@ connection_exit_begin_resolve(cell_t *cell, or_circuit_t *circ) */ dummy_conn = edge_connection_new(CONN_TYPE_EXIT, AF_INET); dummy_conn->stream_id = rh.stream_id; - dummy_conn->_base.address = tor_strndup(cell->payload+RELAY_HEADER_SIZE, - rh.length); + dummy_conn->_base.address = tor_strndup( + (char*)cell->payload+RELAY_HEADER_SIZE, + rh.length); dummy_conn->_base.port = 0; dummy_conn->_base.state = EXIT_CONN_STATE_RESOLVEFAILED; dummy_conn->_base.purpose = EXIT_PURPOSE_RESOLVE; diff --git a/src/or/connection_edge.h b/src/or/connection_edge.h index 762af5172e..cca82022c3 100644 --- a/src/or/connection_edge.h +++ b/src/or/connection_edge.h @@ -38,7 +38,7 @@ void connection_ap_handshake_socks_reply(edge_connection_t *conn, char *reply, void connection_ap_handshake_socks_resolved(edge_connection_t *conn, int answer_type, size_t answer_len, - const char *answer, + const uint8_t *answer, int ttl, time_t expires); diff --git a/src/or/connection_or.c b/src/or/connection_or.c index 415a48dca3..45266a99b1 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -1259,7 +1259,8 @@ connection_or_write_var_cell_to_buf(const var_cell_t *cell, tor_assert(conn); var_cell_pack_header(cell, hdr); connection_write_to_buf(hdr, sizeof(hdr), TO_CONN(conn)); - connection_write_to_buf(cell->payload, cell->payload_len, TO_CONN(conn)); + connection_write_to_buf((char*)cell->payload, + cell->payload_len, TO_CONN(conn)); if (cell->command != CELL_PADDING) conn->timestamp_last_added_nonpadding = approx_time(); } @@ -1388,7 +1389,7 @@ connection_or_send_netinfo(or_connection_t *conn) time_t now = time(NULL); routerinfo_t *me; int len; - char *out; + uint8_t *out; memset(&cell, 0, sizeof(cell_t)); cell.command = CELL_NETINFO; diff --git a/src/or/onion.c b/src/or/onion.c index fa001656e6..4d14f9095b 100644 --- a/src/or/onion.c +++ b/src/or/onion.c @@ -349,9 +349,9 @@ onion_skin_client_handshake(crypto_dh_env_t *handshake_state, * Return 0 on success, <0 on failure. **/ int -fast_server_handshake(const char *key_in, /* DIGEST_LEN bytes */ - char *handshake_reply_out, /* DIGEST_LEN*2 bytes */ - char *key_out, +fast_server_handshake(const uint8_t *key_in, /* DIGEST_LEN bytes */ + uint8_t *handshake_reply_out, /* DIGEST_LEN*2 bytes */ + uint8_t *key_out, size_t key_out_len) { char tmp[DIGEST_LEN+DIGEST_LEN]; @@ -359,7 +359,7 @@ fast_server_handshake(const char *key_in, /* DIGEST_LEN bytes */ size_t out_len; int r = -1; - if (crypto_rand(handshake_reply_out, DIGEST_LEN)<0) + if (crypto_rand((char*)handshake_reply_out, DIGEST_LEN)<0) return -1; memcpy(tmp, key_in, DIGEST_LEN); @@ -392,9 +392,9 @@ fast_server_handshake(const char *key_in, /* DIGEST_LEN bytes */ * and protected by TLS). */ int -fast_client_handshake(const char *handshake_state, /* DIGEST_LEN bytes */ - const char *handshake_reply_out, /* DIGEST_LEN*2 bytes */ - char *key_out, +fast_client_handshake(const uint8_t *handshake_state, /* DIGEST_LEN bytes */ + const uint8_t *handshake_reply_out, /* DIGEST_LEN*2 bytes */ + uint8_t *key_out, size_t key_out_len) { char tmp[DIGEST_LEN+DIGEST_LEN]; diff --git a/src/or/onion.h b/src/or/onion.h index e84dbb47be..e097dcdbb3 100644 --- a/src/or/onion.h +++ b/src/or/onion.h @@ -32,14 +32,14 @@ int onion_skin_client_handshake(crypto_dh_env_t *handshake_state, char *key_out, size_t key_out_len); -int fast_server_handshake(const char *key_in, - char *handshake_reply_out, - char *key_out, +int fast_server_handshake(const uint8_t *key_in, + uint8_t *handshake_reply_out, + uint8_t *key_out, size_t key_out_len); -int fast_client_handshake(const char *handshake_state, - const char *handshake_reply_out, - char *key_out, +int fast_client_handshake(const uint8_t *handshake_state, + const uint8_t *handshake_reply_out, + uint8_t *key_out, size_t key_out_len); void clear_pending_onions(void); diff --git a/src/or/or.h b/src/or/or.h index a2cefe2b4a..07b73ec9b7 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -838,7 +838,7 @@ typedef struct cell_t { circid_t circ_id; /**< Circuit which received the cell. */ uint8_t command; /**< Type of the cell: one of CELL_PADDING, CELL_CREATE, * CELL_DESTROY, etc */ - char payload[CELL_PAYLOAD_SIZE]; /**< Cell body. */ + uint8_t payload[CELL_PAYLOAD_SIZE]; /**< Cell body. */ } cell_t; /** Parsed variable-length onion routing cell. */ @@ -846,7 +846,7 @@ typedef struct var_cell_t { uint8_t command; circid_t circ_id; uint16_t payload_len; - char payload[1]; + uint8_t payload[1]; } var_cell_t; /** A cell as packed for writing to the network. */ @@ -1958,7 +1958,7 @@ typedef struct crypt_path_t { * authentication, secrecy, and integrity we need, and we're already * distinguishable from an OR. */ - char fast_handshake_state[DIGEST_LEN]; + uint8_t fast_handshake_state[DIGEST_LEN]; /** Negotiated key material shared with the OR at this step. */ char handshake_digest[DIGEST_LEN];/* KH in tor-spec.txt */ diff --git a/src/or/relay.c b/src/or/relay.c index a65280e2a3..c951cab560 100644 --- a/src/or/relay.c +++ b/src/or/relay.c @@ -97,7 +97,7 @@ relay_set_digest(crypto_digest_env_t *digest, cell_t *cell) char integrity[4]; relay_header_t rh; - crypto_digest_add_bytes(digest, cell->payload, CELL_PAYLOAD_SIZE); + crypto_digest_add_bytes(digest, (char*)cell->payload, CELL_PAYLOAD_SIZE); crypto_digest_get_digest(digest, integrity, 4); // log_fn(LOG_DEBUG,"Putting digest of %u %u %u %u into relay cell.", // integrity[0], integrity[1], integrity[2], integrity[3]); @@ -130,7 +130,7 @@ relay_digest_matches(crypto_digest_env_t *digest, cell_t *cell) // received_integrity[0], received_integrity[1], // received_integrity[2], received_integrity[3]); - crypto_digest_add_bytes(digest, cell->payload, CELL_PAYLOAD_SIZE); + crypto_digest_add_bytes(digest, (char*) cell->payload, CELL_PAYLOAD_SIZE); crypto_digest_get_digest(digest, calculated_integrity, 4); if (memcmp(received_integrity, calculated_integrity, 4)) { @@ -156,12 +156,12 @@ relay_digest_matches(crypto_digest_env_t *digest, cell_t *cell) * Return -1 if the crypto fails, else return 0. */ static int -relay_crypt_one_payload(crypto_cipher_env_t *cipher, char *in, +relay_crypt_one_payload(crypto_cipher_env_t *cipher, uint8_t *in, int encrypt_mode) { int r; (void)encrypt_mode; - r = crypto_cipher_crypt_inplace(cipher, in, CELL_PAYLOAD_SIZE); + r = crypto_cipher_crypt_inplace(cipher, (char*) in, CELL_PAYLOAD_SIZE); if (r) { log_warn(LD_BUG,"Error during relay encryption"); @@ -476,10 +476,9 @@ relay_lookup_conn(circuit_t *circ, cell_t *cell, * about the wire format. */ void -relay_header_pack(char *dest, const relay_header_t *src) +relay_header_pack(uint8_t *dest, const relay_header_t *src) { - *(uint8_t*)(dest) = src->command; - + set_uint8(dest, src->command); set_uint16(dest+1, htons(src->recognized)); set_uint16(dest+3, htons(src->stream_id)); memcpy(dest+5, src->integrity, 4); @@ -490,10 +489,9 @@ relay_header_pack(char *dest, const relay_header_t *src) * relay_header_t structure <b>dest</b>. */ void -relay_header_unpack(relay_header_t *dest, const char *src) +relay_header_unpack(relay_header_t *dest, const uint8_t *src) { - dest->command = *(uint8_t*)(src); - + dest->command = get_uint8(src); dest->recognized = ntohs(get_uint16(src+1)); dest->stream_id = ntohs(get_uint16(src+3)); memcpy(dest->integrity, src+5, 4); @@ -1124,13 +1122,13 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ, } stats_n_data_bytes_received += rh.length; - connection_write_to_buf(cell->payload + RELAY_HEADER_SIZE, + connection_write_to_buf((char*)(cell->payload + RELAY_HEADER_SIZE), rh.length, TO_CONN(conn)); connection_edge_consider_sending_sendme(conn); return 0; case RELAY_COMMAND_END: reason = rh.length > 0 ? - *(uint8_t *)(cell->payload+RELAY_HEADER_SIZE) : END_STREAM_REASON_MISC; + get_uint8(cell->payload+RELAY_HEADER_SIZE) : END_STREAM_REASON_MISC; if (!conn) { log_info(domain,"end cell (%s) dropped, unknown stream.", stream_end_reason_to_string(reason)); @@ -2463,7 +2461,7 @@ append_cell_to_circuit_queue(circuit_t *circ, or_connection_t *orconn, * ADDRESS [length bytes] * Return the number of bytes added, or -1 on error */ int -append_address_to_payload(char *payload_out, const tor_addr_t *addr) +append_address_to_payload(uint8_t *payload_out, const tor_addr_t *addr) { uint32_t a; switch (tor_addr_family(addr)) { @@ -2488,13 +2486,13 @@ append_address_to_payload(char *payload_out, const tor_addr_t *addr) * encoded as by append_address_to_payload(), try to decode the address into * *<b>addr_out</b>. Return the next byte in the payload after the address on * success, or NULL on failure. */ -const char * -decode_address_from_payload(tor_addr_t *addr_out, const char *payload, +const uint8_t * +decode_address_from_payload(tor_addr_t *addr_out, const uint8_t *payload, int payload_len) { if (payload_len < 2) return NULL; - if (payload_len < 2+(uint8_t)payload[1]) + if (payload_len < 2+payload[1]) return NULL; switch (payload[0]) { @@ -2506,13 +2504,13 @@ decode_address_from_payload(tor_addr_t *addr_out, const char *payload, case RESOLVED_TYPE_IPV6: if (payload[1] != 16) return NULL; - tor_addr_from_ipv6_bytes(addr_out, payload+2); + tor_addr_from_ipv6_bytes(addr_out, (char*)(payload+2)); break; default: tor_addr_make_unspec(addr_out); break; } - return payload + 2 + (uint8_t)payload[1]; + return payload + 2 + payload[1]; } /** Remove all the cells queued on <b>circ</b> for <b>orconn</b>. */ diff --git a/src/or/relay.h b/src/or/relay.h index 08a1ffe789..8ccf0e2b30 100644 --- a/src/or/relay.h +++ b/src/or/relay.h @@ -18,8 +18,8 @@ extern uint64_t stats_n_relay_cells_delivered; int circuit_receive_relay_cell(cell_t *cell, circuit_t *circ, cell_direction_t cell_direction); -void relay_header_pack(char *dest, const relay_header_t *src); -void relay_header_unpack(relay_header_t *dest, const char *src); +void relay_header_pack(uint8_t *dest, const relay_header_t *src); +void relay_header_unpack(relay_header_t *dest, const uint8_t *src); int relay_send_command_from_edge(streamid_t stream_id, circuit_t *circ, uint8_t relay_command, const char *payload, size_t payload_len, crypt_path_t *cpath_layer); @@ -55,9 +55,9 @@ void assert_active_circuits_ok(or_connection_t *orconn); void make_circuit_inactive_on_conn(circuit_t *circ, or_connection_t *conn); void make_circuit_active_on_conn(circuit_t *circ, or_connection_t *conn); -int append_address_to_payload(char *payload_out, const tor_addr_t *addr); -const char *decode_address_from_payload(tor_addr_t *addr_out, - const char *payload, +int append_address_to_payload(uint8_t *payload_out, const tor_addr_t *addr); +const uint8_t *decode_address_from_payload(tor_addr_t *addr_out, + const uint8_t *payload, int payload_len); unsigned cell_ewma_get_tick(void); void cell_ewma_set_scale_factor(or_options_t *options, diff --git a/src/or/rendclient.c b/src/or/rendclient.c index 3e1083f694..ab968078e8 100644 --- a/src/or/rendclient.c +++ b/src/or/rendclient.c @@ -234,7 +234,7 @@ rend_client_rendcirc_has_opened(origin_circuit_t *circ) */ int rend_client_introduction_acked(origin_circuit_t *circ, - const char *request, size_t request_len) + const uint8_t *request, size_t request_len) { origin_circuit_t *rendcirc; (void) request; // XXXX Use this. @@ -583,7 +583,7 @@ rend_client_remove_intro_point(extend_info_t *failed_intro, * the circuit to C_REND_READY. */ int -rend_client_rendezvous_acked(origin_circuit_t *circ, const char *request, +rend_client_rendezvous_acked(origin_circuit_t *circ, const uint8_t *request, size_t request_len) { (void) request; @@ -609,7 +609,7 @@ rend_client_rendezvous_acked(origin_circuit_t *circ, const char *request, /** Bob sent us a rendezvous cell; join the circuits. */ int -rend_client_receive_rendezvous(origin_circuit_t *circ, const char *request, +rend_client_receive_rendezvous(origin_circuit_t *circ, const uint8_t *request, size_t request_len) { crypt_path_t *hop; @@ -637,9 +637,10 @@ rend_client_receive_rendezvous(origin_circuit_t *circ, const char *request, tor_assert(circ->build_state->pending_final_cpath); hop = circ->build_state->pending_final_cpath; tor_assert(hop->dh_handshake_state); - if (crypto_dh_compute_secret(LOG_PROTOCOL_WARN, hop->dh_handshake_state, - request, DH_KEY_LEN, keys, - DIGEST_LEN+CPATH_KEY_MATERIAL_LEN)<0) { + if (crypto_dh_compute_secret(LOG_PROTOCOL_WARN, + hop->dh_handshake_state, (char*)request, + DH_KEY_LEN, + keys, DIGEST_LEN+CPATH_KEY_MATERIAL_LEN)<0) { log_warn(LD_GENERAL, "Couldn't complete DH handshake."); goto err; } diff --git a/src/or/rendclient.h b/src/or/rendclient.h index 842fe0b8ce..79d37b2a58 100644 --- a/src/or/rendclient.h +++ b/src/or/rendclient.h @@ -14,14 +14,17 @@ void rend_client_introcirc_has_opened(origin_circuit_t *circ); void rend_client_rendcirc_has_opened(origin_circuit_t *circ); -int rend_client_introduction_acked(origin_circuit_t *circ, const char *request, +int rend_client_introduction_acked(origin_circuit_t *circ, + const uint8_t *request, size_t request_len); void rend_client_refetch_v2_renddesc(const rend_data_t *rend_query); int rend_client_remove_intro_point(extend_info_t *failed_intro, const rend_data_t *rend_query); -int rend_client_rendezvous_acked(origin_circuit_t *circ, const char *request, +int rend_client_rendezvous_acked(origin_circuit_t *circ, + const uint8_t *request, size_t request_len); -int rend_client_receive_rendezvous(origin_circuit_t *circ, const char *request, +int rend_client_receive_rendezvous(origin_circuit_t *circ, + const uint8_t *request, size_t request_len); void rend_client_desc_trynow(const char *query); diff --git a/src/or/rendcommon.c b/src/or/rendcommon.c index ec6680b1e6..85d97e0253 100644 --- a/src/or/rendcommon.c +++ b/src/or/rendcommon.c @@ -1358,7 +1358,7 @@ rend_cache_store_v2_desc_as_client(const char *desc, void rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint, int command, size_t length, - const char *payload) + const uint8_t *payload) { or_circuit_t *or_circ = NULL; origin_circuit_t *origin_circ = NULL; diff --git a/src/or/rendcommon.h b/src/or/rendcommon.h index 00705022a2..d3313faf5a 100644 --- a/src/or/rendcommon.h +++ b/src/or/rendcommon.h @@ -22,7 +22,8 @@ rend_data_free(rend_data_t *data) int rend_cmp_service_ids(const char *one, const char *two); void rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint, - int command, size_t length, const char *payload); + int command, size_t length, + const uint8_t *payload); void rend_service_descriptor_free(rend_service_descriptor_t *desc); rend_service_descriptor_t *rend_parse_service_descriptor(const char *str, diff --git a/src/or/rendmid.c b/src/or/rendmid.c index d392f8e53a..bc36a4e117 100644 --- a/src/or/rendmid.c +++ b/src/or/rendmid.c @@ -18,7 +18,7 @@ * setting the circuit's purpose and service pk digest. */ int -rend_mid_establish_intro(or_circuit_t *circ, const char *request, +rend_mid_establish_intro(or_circuit_t *circ, const uint8_t *request, size_t request_len) { crypto_pk_env_t *pk = NULL; @@ -48,7 +48,7 @@ rend_mid_establish_intro(or_circuit_t *circ, const char *request, /* Next asn1len bytes: asn1-encoded key. */ if (request_len < 2+DIGEST_LEN+asn1len) goto truncated; - pk = crypto_pk_asn1_decode(request+2, asn1len); + pk = crypto_pk_asn1_decode((char*)(request+2), asn1len); if (!pk) { reason = END_CIRC_REASON_TORPROTOCOL; log_warn(LD_PROTOCOL, "Couldn't decode public key."); @@ -69,8 +69,8 @@ rend_mid_establish_intro(or_circuit_t *circ, const char *request, } /* Rest of body: signature of previous data */ note_crypto_pk_op(REND_MID); - if (crypto_pk_public_checksig_digest(pk, request, 2+asn1len+DIGEST_LEN, - request+2+DIGEST_LEN+asn1len, + if (crypto_pk_public_checksig_digest(pk, (char*)request, 2+asn1len+DIGEST_LEN, + (char*)(request+2+DIGEST_LEN+asn1len), request_len-(2+DIGEST_LEN+asn1len))<0) { log_warn(LD_PROTOCOL, "Incorrect signature on ESTABLISH_INTRO cell; rejecting."); @@ -130,7 +130,7 @@ rend_mid_establish_intro(or_circuit_t *circ, const char *request, * INTRODUCE2 cell. */ int -rend_mid_introduce(or_circuit_t *circ, const char *request, size_t request_len) +rend_mid_introduce(or_circuit_t *circ, const uint8_t *request, size_t request_len) { or_circuit_t *intro_circ; char serviceid[REND_SERVICE_ID_LEN_BASE32+1]; @@ -159,10 +159,10 @@ rend_mid_introduce(or_circuit_t *circ, const char *request, size_t request_len) } base32_encode(serviceid, REND_SERVICE_ID_LEN_BASE32+1, - request, REND_SERVICE_ID_LEN); + (char*)request, REND_SERVICE_ID_LEN); /* The first 20 bytes are all we look at: they have a hash of Bob's PK. */ - intro_circ = circuit_get_intro_point(request); + intro_circ = circuit_get_intro_point((char*)request); if (!intro_circ) { log_info(LD_REND, "No intro circ found for INTRODUCE1 cell (%s) from circuit %d; " @@ -180,7 +180,7 @@ rend_mid_introduce(or_circuit_t *circ, const char *request, size_t request_len) /* Great. Now we just relay the cell down the circuit. */ if (relay_send_command_from_edge(0, TO_CIRCUIT(intro_circ), RELAY_COMMAND_INTRODUCE2, - request, request_len, NULL)) { + (char*)request, request_len, NULL)) { log_warn(LD_GENERAL, "Unable to send INTRODUCE2 cell to Tor client."); goto err; @@ -212,7 +212,7 @@ rend_mid_introduce(or_circuit_t *circ, const char *request, size_t request_len) * rendezvous cookie. */ int -rend_mid_establish_rendezvous(or_circuit_t *circ, const char *request, +rend_mid_establish_rendezvous(or_circuit_t *circ, const uint8_t *request, size_t request_len) { char hexid[9]; @@ -232,7 +232,7 @@ rend_mid_establish_rendezvous(or_circuit_t *circ, const char *request, goto err; } - if (circuit_get_rendezvous(request)) { + if (circuit_get_rendezvous((char*)request)) { log_warn(LD_PROTOCOL, "Duplicate rendezvous cookie in ESTABLISH_RENDEZVOUS."); goto err; @@ -250,7 +250,7 @@ rend_mid_establish_rendezvous(or_circuit_t *circ, const char *request, circ->_base.purpose = CIRCUIT_PURPOSE_REND_POINT_WAITING; memcpy(circ->rend_token, request, REND_COOKIE_LEN); - base16_encode(hexid,9,request,4); + base16_encode(hexid,9,(char*)request,4); log_info(LD_REND, "Established rendezvous point on circuit %d for cookie %s", @@ -267,13 +267,13 @@ rend_mid_establish_rendezvous(or_circuit_t *circ, const char *request, * connecting the two circuits. */ int -rend_mid_rendezvous(or_circuit_t *circ, const char *request, +rend_mid_rendezvous(or_circuit_t *circ, const uint8_t *request, size_t request_len) { or_circuit_t *rend_circ; char hexid[9]; int reason = END_CIRC_REASON_INTERNAL; - base16_encode(hexid,9,request,request_len<4?request_len:4); + base16_encode(hexid,9,(char*)request,request_len<4?request_len:4); if (request_len>=4) { log_info(LD_REND, @@ -297,7 +297,7 @@ rend_mid_rendezvous(or_circuit_t *circ, const char *request, goto err; } - rend_circ = circuit_get_rendezvous(request); + rend_circ = circuit_get_rendezvous((char*)request); if (!rend_circ) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Rejecting RENDEZVOUS1 cell with unrecognized rendezvous cookie %s.", @@ -309,7 +309,7 @@ rend_mid_rendezvous(or_circuit_t *circ, const char *request, /* Send the RENDEZVOUS2 cell to Alice. */ if (relay_send_command_from_edge(0, TO_CIRCUIT(rend_circ), RELAY_COMMAND_RENDEZVOUS2, - request+REND_COOKIE_LEN, + (char*)(request+REND_COOKIE_LEN), request_len-REND_COOKIE_LEN, NULL)) { log_warn(LD_GENERAL, "Unable to send RENDEZVOUS2 cell to client on circuit %d.", diff --git a/src/or/rendmid.h b/src/or/rendmid.h index 4d08d4c8b9..f06dd3d85e 100644 --- a/src/or/rendmid.h +++ b/src/or/rendmid.h @@ -12,13 +12,13 @@ #ifndef _TOR_RENDMID_H #define _TOR_RENDMID_H -int rend_mid_establish_intro(or_circuit_t *circ, const char *request, +int rend_mid_establish_intro(or_circuit_t *circ, const uint8_t *request, size_t request_len); -int rend_mid_introduce(or_circuit_t *circ, const char *request, +int rend_mid_introduce(or_circuit_t *circ, const uint8_t *request, size_t request_len); -int rend_mid_establish_rendezvous(or_circuit_t *circ, const char *request, +int rend_mid_establish_rendezvous(or_circuit_t *circ, const uint8_t *request, size_t request_len); -int rend_mid_rendezvous(or_circuit_t *circ, const char *request, +int rend_mid_rendezvous(or_circuit_t *circ, const uint8_t *request, size_t request_len); #endif diff --git a/src/or/rendservice.c b/src/or/rendservice.c index b0d791529b..f06c98337a 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -849,7 +849,7 @@ clean_accepted_intros(rend_service_t *service, time_t now) * rendezvous point. */ int -rend_service_introduce(origin_circuit_t *circuit, const char *request, +rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request, size_t request_len) { char *ptr, *r_cookie; @@ -913,7 +913,7 @@ rend_service_introduce(origin_circuit_t *circuit, const char *request, crypto_pk_get_digest(intro_key, intro_key_digest); if (memcmp(intro_key_digest, request, DIGEST_LEN)) { base32_encode(serviceid, REND_SERVICE_ID_LEN_BASE32+1, - request, REND_SERVICE_ID_LEN); + (char*)request, REND_SERVICE_ID_LEN); log_warn(LD_REND, "Got an INTRODUCE2 cell for the wrong service (%s).", escaped(serviceid)); return -1; @@ -928,7 +928,7 @@ rend_service_introduce(origin_circuit_t *circuit, const char *request, /* Next N bytes is encrypted with service key */ note_crypto_pk_op(REND_SERVER); r = crypto_pk_private_hybrid_decrypt( - intro_key,buf,request+DIGEST_LEN,request_len-DIGEST_LEN, + intro_key,buf,(char*)(request+DIGEST_LEN),request_len-DIGEST_LEN, PK_PKCS1_OAEP_PADDING,1); if (r<0) { log_warn(LD_PROTOCOL, "Couldn't decrypt INTRODUCE2 cell."); @@ -1392,7 +1392,8 @@ rend_service_intro_has_opened(origin_circuit_t *circuit) * live introduction point, and note that the service descriptor is * now out-of-date.*/ int -rend_service_intro_established(origin_circuit_t *circuit, const char *request, +rend_service_intro_established(origin_circuit_t *circuit, + const uint8_t *request, size_t request_len) { rend_service_t *service; diff --git a/src/or/rendservice.h b/src/or/rendservice.h index 1767714c60..722cec1561 100644 --- a/src/or/rendservice.h +++ b/src/or/rendservice.h @@ -22,10 +22,10 @@ void rend_consider_descriptor_republication(void); void rend_service_intro_has_opened(origin_circuit_t *circuit); int rend_service_intro_established(origin_circuit_t *circuit, - const char *request, + const uint8_t *request, size_t request_len); void rend_service_rendezvous_has_opened(origin_circuit_t *circuit); -int rend_service_introduce(origin_circuit_t *circuit, const char *request, +int rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request, size_t request_len); void rend_service_relaunch_rendezvous(origin_circuit_t *oldcirc); int rend_service_set_connection_addr_port(edge_connection_t *conn, |