1. 10 Aug, 2020 1 commit
  2. 30 Jul, 2020 1 commit
  3. 28 Jul, 2020 1 commit
  4. 10 Jul, 2020 1 commit
  5. 07 Jul, 2020 1 commit
  6. 06 Jul, 2020 3 commits
    • Use ((x + 7) >> 3) instead of (x >> 3) when converting from bits to bytes. · 7b2d1070
      Alexander Færøy authored and Nick Mathewson committed
      This patch changes our bits-to-bytes conversion logic in the NSS
      implementation of `tor_tls_cert_matches_key()` from using (x >> 3) to
      ((x + 7) >> 3) since DER bit-strings are allowed to contain a number of
      bits that is not a multiple of 8.
      
      Additionally, we add a comment on why we cannot use the
      `DER_ConvertBitString()` macro from NSS, as we would potentially apply
      the bits-to-bytes conversion logic twice, which would lead to an
      insignificant amount of bytes being compared in
      `SECITEM_ItemsAreEqual()` and thus turn the logic into being a
      prefix match instead of a full match.
      
      The `DER_ConvertBitString()` macro is defined in NSS as:
      
          /*
          ** Macro to convert der decoded bit string into a decoded octet
          ** string. All it needs to do is fiddle with the length code.
          */
          #define DER_ConvertBitString(item)            \
              {                                         \
                  (item)->len = ((item)->len + 7) >> 3; \
              }
      
      Thanks to Taylor Yu for spotting this problem.
      
      This patch is part of the fix for TROVE-2020-001.
      
      See: https://bugs.torproject.org/33119
    • Add constness to length variables in `tor_tls_cert_matches_key`. · 06f1e959
      Alexander Færøy authored and Nick Mathewson committed
      We add constness to `peer_info_orig_len` and `cert_info_orig_len` in
      `tor_tls_cert_matches_key` to ensure that we don't accidentally alter
      the variables.
      
      This patch is part of the fix for TROVE-2020-001.
      
      See: https://bugs.torproject.org/33119
    • Fix out-of-bound memory read in `tor_tls_cert_matches_key()` for NSS. · b46984e9
      Alexander Færøy authored and Nick Mathewson committed
      This patch fixes an out-of-bound memory read in
      `tor_tls_cert_matches_key()` when Tor is compiled to use Mozilla's NSS
      instead of OpenSSL.
      
      The NSS library stores some length fields in bits instead of bytes, but
      the comparison function found in `SECITEM_ItemsAreEqual()` needs the
      length to be encoded in bytes. This means that for a 140-byte,
      DER-encoded, SubjectPublicKeyInfo struct (with a 1024-bit RSA public key
      in it), we would ask `SECITEM_ItemsAreEqual()` to compare the first 1120
      bytes instead of 140 (140 bytes * 8 bits = 1120 bits).
      
      This patch fixes the issue by converting from bits to bytes before
      calling `SECITEM_ItemsAreEqual()` and converting the `len`-fields back to
      bits before we leave the function.
      
      This patch is part of the fix for TROVE-2020-001.
      
      See: https://bugs.torproject.org/33119
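
The length handling described in the three TROVE-2020-001 commit messages above, as an added C example that is not code from Tor or NSS: `item_t`, `match()` and the `*_conv` helpers are hypothetical stand-ins, and the sample buffers are constructed. `match()` returns -1 where the byte-wise compare would read past the buffer instead of performing that read.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Simplified stand-in for an NSS SECItem whose len field holds a bit count
 * (hypothetical type for this example, not the NSS definition). */
typedef struct { const unsigned char *data; size_t len; } item_t;
typedef size_t (*conv_fn)(size_t);

static size_t no_conv(size_t bits)    { return bits; }             /* original bug */
static size_t floor_conv(size_t bits) { return bits >> 3; }        /* drops partial byte */
static size_t ceil_conv(size_t bits)  { return (bits + 7) >> 3; }  /* rounds up */
static size_t twice_conv(size_t bits) { return ceil_conv(ceil_conv(bits)); }

/* Byte-wise comparison, standing in for SECITEM_ItemsAreEqual(). */
static int items_equal(const item_t *a, const item_t *b)
{
  return a->len == b->len && memcmp(a->data, b->data, a->len) == 0;
}

/* Compare two bit-length items backed by `cap`-byte buffers.
 * Returns 1 (equal), 0 (different), or -1 when the converted length
 * exceeds the buffers, i.e. the compare would read out of bounds. */
static int match(item_t a, item_t b, size_t cap, conv_fn conv)
{
  a.len = conv(a.len);   /* a and b are copies; caller's bit lengths are kept */
  b.len = conv(b.len);
  if (a.len > cap || b.len > cap)
    return -1;
  return items_equal(&a, &b);
}

int main(void)
{
  /* Constructed sample data: two 140-byte blobs differing only at byte 100. */
  unsigned char x[140], y[140];
  memset(x, 0x41, sizeof x);
  memcpy(y, x, sizeof y);
  y[100] ^= 0xff;
  item_t ix = { x, 1120 }, iy = { y, 1120 };   /* 140 bytes * 8 = 1120 bits */
  printf("no conversion:    %d\n", match(ix, iy, 140, no_conv));
  printf("(x + 7) >> 3:     %d\n", match(ix, iy, 140, ceil_conv));
  printf("converted twice:  %d\n", match(ix, iy, 140, twice_conv));
  /* Constructed 13-bit strings differing only in the second byte. */
  const unsigned char p[2] = { 0xab, 0xc8 }, q[2] = { 0xab, 0x48 };
  item_t ip = { p, 13 }, iq = { q, 13 };
  printf("x >> 3:           %d\n", match(ip, iq, 2, floor_conv));
  printf("(x + 7) >> 3:     %d\n", match(ip, iq, 2, ceil_conv));
  return 0;
}
```

A result of 1 from `twice_conv` or `floor_conv` on inputs that differ is the prefix match the first commit message warns about: only 18 of 140 bytes, or 1 of 2 bytes, are compared.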
  7. 19 May, 2020 1 commit
  8. 12 May, 2020 1 commit
  9. 06 May, 2020 7 commits
    • Use __attribute__((fallthrough)) rather than magic GCC comments. · c1167282
      Nick Mathewson authored
      GCC added an implicit-fallthrough warning a while back, where it
      would complain if you had a nontrivial "case:" block that didn't end
      with break, return, or something like that.  Clang recently added
      the same thing.
      
      GCC, however, would let you annotate a fall-through as intended by
      any of various magic "/* fall through */" comments.  Clang, however,
      only seems to like "__attribute__((fallthrough))".  Fortunately, GCC
      accepts that too.
      
      A previous commit in this branch defined a FALLTHROUGH macro to do
      the right thing if GNUC is defined; here we replace all of our "fall
      through" comments with uses of that macro.
      
      This is an automated commit, made with the following perl one-liner:
      
        #!/usr/bin/perl -i -p
        s#/\* *falls? ?thr.*?\*/#FALLTHROUGH;#i;
      
      (In order to avoid conflicts, I'm applying this script separately to
      each maint branch. This is the 0.4.3 version.)
    • Use __attribute__((fallthrough)) rather than magic GCC comments. · 28ac17f4
      Nick Mathewson authored
      GCC added an implicit-fallthrough warning a while back, where it
      would complain if you had a nontrivial "case:" block that didn't end
      with break, return, or something like that.  Clang recently added
      the same thing.
      
      GCC, however, would let you annotate a fall-through as intended by
      any of various magic "/* fall through */" comments.  Clang, however,
      only seems to like "__attribute__((fallthrough))".  Fortunately, GCC
      accepts that too.
      
      A previous commit in this branch defined a FALLTHROUGH macro to do
      the right thing if GNUC is defined; here we replace all of our "fall
      through" comments with uses of that macro.
      
      This is an automated commit, made with the following perl one-liner:
      
        #!/usr/bin/perl -i -p
        s#/\* *falls? ?thr.*?\*/#FALLTHROUGH;#i;
      
      (In order to avoid conflicts, I'm applying this script separately to
      each maint branch. This is the 0.4.2 version.)
    • Use __attribute__((fallthrough)) rather than magic GCC comments. · 79ff2b6a
      Nick Mathewson authored
      GCC added an implicit-fallthrough warning a while back, where it
      would complain if you had a nontrivial "case:" block that didn't end
      with break, return, or something like that.  Clang recently added
      the same thing.
      
      GCC, however, would let you annotate a fall-through as intended by
      any of various magic "/* fall through */" comments.  Clang, however,
      only seems to like "__attribute__((fallthrough))".  Fortunately, GCC
      accepts that too.
      
      A previous commit in this branch defined a FALLTHROUGH macro to do
      the right thing if GNUC is defined; here we replace all of our "fall
      through" comments with uses of that macro.
      
      This is an automated commit, made with the following perl one-liner:
      
        #!/usr/bin/perl -i -p
        s#/\* *falls? ?thr.*?\*/#FALLTHROUGH;#i;
      
      (In order to avoid conflicts, I'm applying this script separately to
      each maint branch. This is the 0.4.1 version.)
    • Use __attribute__((fallthrough)) rather than magic GCC comments. · cc397449
      Nick Mathewson authored
      GCC added an implicit-fallthrough warning a while back, where it
      would complain if you had a nontrivial "case:" block that didn't end
      with break, return, or something like that.  Clang recently added
      the same thing.
      
      GCC, however, would let you annotate a fall-through as intended by
      any of various magic "/* fall through */" comments.  Clang, however,
      only seems to like "__attribute__((fallthrough))".  Fortunately, GCC
      accepts that too.
      
      A previous commit in this branch defined a FALLTHROUGH macro to do
      the right thing if GNUC is defined; here we replace all of our "fall
      through" comments with uses of that macro.
      
      This is an automated commit, made with the following perl one-liner:
      
        #!/usr/bin/perl -i -p
        s#/\* *falls? ?thr.*?\*/#FALLTHROUGH;#i;
    • 3d364115 (Nick Mathewson)
    • 8798c0a9 (Nick Mathewson)
    • Add a fallthrough macro. · 6c3c9435
      Nick Mathewson authored
      This macro defers to __attribute__((fallthrough)) on GCC (and
      clang).  Previously we had been using GCC's magic /* fallthrough */
      comments, but clang very sensibly doesn't accept those.
      
      Since not all compilers recognize it, we only define it when our
      configure script detects that it works.
      
      Part of a fix for 34078.
  10. 09 Apr, 2020 1 commit
  11. 18 Mar, 2020 1 commit
  12. 17 Mar, 2020 3 commits
  13. 14 Mar, 2020 2 commits
  14. 11 Mar, 2020 1 commit
  15. 10 Mar, 2020 1 commit
  16. 26 Feb, 2020 3 commits
  17. 12 Feb, 2020 5 commits
  18. 05 Feb, 2020 1 commit
  19. 04 Feb, 2020 1 commit
  20. 30 Jan, 2020 1 commit
  21. 29 Jan, 2020 2 commits
    • buf_read_from_tls: Return ERROR_MISC, not WANTWRITE, on BUG(). · 2985a601
      Nick Mathewson authored
      Fixes bug 32673; bugfix on 0.3.0.4-alpha.  We introduced these
      checks in ee5471f9 to help diagnose 21369, but we used "-1"
      when "TOR_TLS_ERROR_MISC" would have been correct.  Found by opara.
      
      I don't think that this is actually getting triggered in the wild,
      but if it were, it could cause nasty behavior: spurious
      WANTREAD/WANTWRITE returns have a way of turning into CPU-eating
      busy-loops.
    • Change BUG() messages in buf_flush_to_tls() to IF_BUG_ONCE() · 1f163fcb
      Nick Mathewson authored
      We introduced these BUG() checks in b0ddaac0 to prevent a
      recurrence of bug 23690.  But there's a report of the BUG() message
      getting triggered and filling up the disk.  Let's change it to
      IF_BUG_ONCE().
      
      Fixes bug 33093; bugfix on 0.3.2.2-alpha.
  22. 15 Jan, 2020 1 commit
    • compat_compiler: add a macro to prevent coverity deadcode warnings. · 5e27caa6
      Nick Mathewson authored
      The POSSIBLE(e) macro evaluates to the value of (e), but does so in
      a way that a static analyzer will not conclude that (e) is
      impossible.  We can use this when we expect our regular compilers to
      eliminate deadcode, but we don't want coverity to complain about it.
      
      Part of a fix for 32960.