| Age | Commit message (Collapse) | Author |
|---|
|
|
|
Avoid 4 null pointer errors under clang shallow analysis (the default when
building under Xcode) by using tor_assert() to prove that the pointers
aren't null. Resolves issue 13284 via minor code refactoring.
|
|
Standardise usage in ge_scalarmult_base.c for 1 new fix.
|
|
This helps us avoid undefined behavior. It's based on a patch from teor,
except that I wrote a perl script to regenerate the patch:
#!/usr/bin/perl -p -w -i
BEGIN { %vartypes = (); }
if (/^[{}]/) {
%vartypes = ();
}
if (/^ *crypto_int(\d+) +([a-zA-Z_][_a-zA-Z0-9]*)/) {
$vartypes{$2} = $1;
} elsif (/^ *(?:signed +)char +([a-zA-Z_][_a-zA-Z0-9]*)/) {
$vartypes{$1} = '8';
}
# This fixes at most one shift per line. But that's all the code does.
if (/([a-zA-Z_][a-zA-Z_0-9]*) *<< *(\d+)/) {
$v = $1;
if (exists $vartypes{$v}) {
s/$v *<< *(\d+)/SHL$vartypes{$v}($v,$1)/;
}
}
# remove extra parenthesis
s/\(SHL64\((.*)\)\)/SHL64\($1\)/;
s/\(SHL32\((.*)\)\)/SHL32\($1\)/;
s/\(SHL8\((.*)\)\)/SHL8\($1\)/;
|
|
The macros let us use unsigned types for potentially overflowing left
shifts. Create SHL32() and SHL64() and SHL8() macros for convenience.
|
|
|
|
Fixes CID 752028
|
|
This one should no longer generate dead-code warnings with coverity.
Fingers crossed? This was CID 1241498
|
|
There are some loops of the form
for (i=1;i<1;++i) ...
And of course, if the loop index is initialized to 1, it will never
be less than 1, and the loop body will never be executed. This
upsets coverity.
Patch fixes CID 1221543 and 1221542
|
|
This bug shouldn't be reachable so long as secret_to_key_len and
secret_to_key_make_specifier stay in sync, but we might screw up
someday.
Found by coverity; this is CID 1241500
|
|
Bugfix on ed8f020e205267e6270494634346ab68d830e1d8; bug not in any
released version of Tor. Found by Coverity; this is CID 1239290.
[Yes, I used this commit message before, in 58e813d0fcfcecfc2017.
Turns out, that fix wasn't right, since I didn't look up a
screen. :P ]
|
|
|
|
When size_t is the most memory you can have, make sure that things
referring to real parts of memory are size_t, not uint64_t or off_t.
But not on any released Tor.
|
|
Conflicts:
src/common/include.am
src/ext/README
|
|
Add some documentation
Rename "derive" -> "blind"
Check for failure on randombytes().
|
|
|
|
|
|
I know it's pointless to optimize them, but I just can't let them
spend all that time in expmod() when native python pow() does the same
thing.
|
|
Also, use it to generate test vectors, and add those test vectors
to test_crypto.c
This is based on ed25519.py from the ed25519 webpage; the kludgy hacks
are my own.
|
|
|
|
|
|
Our integer-definition headers apparently suck in a definition for
select(2), which interferes with the select() in ge_scalarmult_base.c
|
|
This implementation allows somebody to add a blinding factor to a
secret key, and a corresponding blinding factor to the public key.
Robert Ransom came up with this idea, I believe. Nick Hopper proved a
scheme like this secure. The bugs are my own.
|
|
For proposal 228, we need to cross-certify our identity with our
curve25519 key, so that we can prove at descriptor-generation time
that we own that key. But how can we sign something with a key that
is only for doing Diffie-Hellman? By converting it to the
corresponding ed25519 point.
See the ALL-CAPS warning in the documentation. According to djb
(IIUC), it is safe to use these keys in the ways that ntor and prop228
are using them, but it might not be safe if we start providing crazy
oracle access.
(Unit tests included. What kind of a monster do you take me for?)
|
|
This refactors the "== type:tag ==" code from crypto_curve25519.c
|
|
|
|
|
|
This will be needed/helpful for the key blinding of prop224, I
believe.
|
|
This is another case where DJB likes sticking the whole signature
prepended to the message, and I don't think that's the hottest idea.
The unit tests still pass.
|
|
Unit tests still pass.
|
|
|
|
Taken from earlier ed25519 branch based on floodyberry's
ed25519-donna. Tweaked so that it applies to ref10 instead.
|
|
(Also, regenerate trunnel stuff with trunnel 1.2. This just adds a
few comments to our output.)
|
|
|
|
Also, re-run the latest trunnel.
Closes ticket 13242
|
|
|
|
Conflicts:
src/test/test_crypto.c
|
|
|
|
This reduces the likelihood that I have made any exploitable errors
in the encoding/decoding.
This commit also imports the trunnel runtime source into Tor.
|
|
Suggested by yawning
|
|
Suggested by yawning.
|
|
Use HKDF for RFC2440 s2k only.
|
|
|
|
|
|
Doing this lets me pass in a salt of an unusual length.
|
|
See crypto_pwbox.c for a description of the file format.
There are tests for successful operation, but it still needs
error-case tests.
|
|
Uses libscrypt when found; otherwise, we don't have scrypt and we
only support openpgp rfc2440 s2k hashing, or pbkdf2.
Includes documentation and unit tests; coverage around 95%. Remaining
uncovered code is sanity-checks that shouldn't be reachable fwict.
|
|
Apparently some compilers want extra switches.
|
|
Since address.c is the first file to get compiled, let's have it use
a little judicious c99 in order to catch broken compilers that
somehow make it past our autoconf tests.
|
|
c99 lets us do neat stuff like:
{
int j, k;
foo(&j, &k);
int z = j + k;
}
and also
struct point { int x; int y; };
struct point pt = { .x=5, .y=5 };
This commit makes the configure scripts check to make sure your
compiler implements them. It also disables our longstanding warning
about midblock declarations.
Closes ticket 13233.
|
