1. 10 Jul, 2020 1 commit
  2. 07 Jul, 2020 1 commit
  3. 06 Jul, 2020 3 commits
    • Alexander Færøy's avatar
      Use ((x + 7) >> 3) instead of (x >> 3) when converting from bits to bytes. · 7b2d1070
      Alexander Færøy authored and Nick Mathewson's avatar Nick Mathewson committed
      This patch changes our bits-to-bytes conversion logic in the NSS
      implementation of `tor_tls_cert_matches_key()` from using (x >> 3) to
      ((x + 7) >> 3) since DER bit-strings are allowed to contain a number of
      bits that is not a multiple of 8.
      
      Additionally, we add a comment on why we cannot use the
      `DER_ConvertBitString()` macro from NSS, as we would potentially apply
      the bits-to-bytes conversion logic twice, which would lead to an
      insignificant amount of bytes being compared in
      `SECITEM_ItemsAreEqual()` and thus turn the logic into being a
      prefix match instead of a full match.
      
      The `DER_ConvertBitString()` macro is defined in NSS as:
      
          /*
          ** Macro to convert der decoded bit string into a decoded octet
          ** string. All it needs to do is fiddle with the length code.
          */
          #define DER_ConvertBitString(item)            \
              {                                         \
                  (item)->len = ((item)->len + 7) >> 3; \
              }
      
      Thanks to Taylor Yu for spotting this problem.
      
      This patch is part of the fix for TROVE-2020-001.
      
      See: https://bugs.torproject.org/33119
      7b2d1070
    • Alexander Færøy's avatar
      Add constness to length variables in `tor_tls_cert_matches_key`. · 06f1e959
      Alexander Færøy authored and Nick Mathewson's avatar Nick Mathewson committed
      We add constness to `peer_info_orig_len` and `cert_info_orig_len` in
      `tor_tls_cert_matches_key` to ensure that we don't accidentally alter
      the variables.
      
      This patch is part of the fix for TROVE-2020-001.
      
      See: https://bugs.torproject.org/33119
      06f1e959
    • Alexander Færøy's avatar
      Fix out-of-bound memory read in `tor_tls_cert_matches_key()` for NSS. · b46984e9
      Alexander Færøy authored and Nick Mathewson's avatar Nick Mathewson committed
      This patch fixes an out-of-bound memory read in
      `tor_tls_cert_matches_key()` when Tor is compiled to use Mozilla's NSS
      instead of OpenSSL.
      
      The NSS library stores some length fields in bits instead of bytes, but
      the comparison function found in `SECITEM_ItemsAreEqual()` needs the
      length to be encoded in bytes. This means that for a 140-byte,
      DER-encoded, SubjectPublicKeyInfo struct (with a 1024-bit RSA public key
      in it), we would ask `SECITEM_ItemsAreEqual()` to compare the first 1120
      bytes instead of 140 (140bytes * 8bits = 1120bits).
      
      This patch fixes the issue by converting from bits to bytes before
      calling `SECITEM_ItemsAreEqual()` and convert the `len`-fields back to
      bits before we leave the function.
      
      This patch is part of the fix for TROVE-2020-001.
      
      See: https://bugs.torproject.org/33119
      b46984e9
  4. 29 Jan, 2020 2 commits
    • Nick Mathewson's avatar
      buf_read_from_tls: Return ERROR_MISC, not WANTWRITE, on BUG(). · 2985a601
      Nick Mathewson authored
      Fixes bug 32673; bugfix on 0.3.0.4-alpha.  We introduced these
      checks in ee5471f9 to help diagnose 21369, but we used "-1"
      when "TOR_TLS_ERROR_MISC" would have been correct.  Found by opara.
      
      I don't think that this is actually getting triggered in the wild,
      but if it were, it could cause nasty behavior: spurious
      WANTREAD/WANTWRITE returns have a way of turning into CPU-eating
      busy-loops.
      2985a601
    • Nick Mathewson's avatar
      Change BUG() messages in buf_flush_to_tls() to IF_BUG_ONCE() · 1f163fcb
      Nick Mathewson authored
      We introduced these BUG() checks in b0ddaac0 to prevent a
      recurrence of bug 23690.  But there's a report of the BUG() message
      getting triggered and filling up the disk.  Let's change it to
      IF_BUG_ONCE().
      
      Fixes bug 33093; bugfix on 0.3.2.2-alpha.
      1f163fcb
  5. 09 Jan, 2020 2 commits
  6. 08 Jan, 2020 1 commit
  7. 15 Nov, 2019 2 commits
  8. 04 Nov, 2019 3 commits
  9. 26 Oct, 2019 1 commit
    • Nick Mathewson's avatar
      doxygen: add @file declarations for src/lib · 39d09ea0
      Nick Mathewson authored
      If a file doesn't use the file command (either \file or @file),
      Doxygen won't try to process it.
      
      These declarations also turned up a doxygen warning for
      crypto_ope.c; I fixed that too.
      39d09ea0
  10. 22 Oct, 2019 1 commit
  11. 04 Oct, 2019 1 commit
  12. 30 Sep, 2019 1 commit
  13. 26 Sep, 2019 1 commit
  14. 05 Sep, 2019 1 commit
  15. 05 Jun, 2019 2 commits
  16. 02 May, 2019 1 commit
  17. 06 Apr, 2019 2 commits
  18. 08 Feb, 2019 1 commit
  19. 16 Jan, 2019 2 commits
  20. 14 Nov, 2018 2 commits
  21. 09 Nov, 2018 1 commit
  22. 05 Nov, 2018 1 commit
  23. 14 Oct, 2018 1 commit
  24. 20 Sep, 2018 3 commits
  25. 16 Sep, 2018 1 commit
  26. 14 Sep, 2018 2 commits