[tor-bugs] #17587 [Tor]: Double code

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Nov 12 16:43:14 UTC 2015 

#17587: Double code
-----------------------------+------------------------------
     Reporter:  pfrankw      |      Owner:
         Type:  enhancement  |     Status:  new
     Priority:  Medium       |  Milestone:
    Component:  Tor          |    Version:  Tor: unspecified
     Severity:  Minor        |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |    Sponsor:
-----------------------------+------------------------------
 Hello,

 I found that the following code
 {{{
 int crypto_expand_key_material_TAP(const uint8_t *key_in, size_t
 key_in_len,
                                uint8_t *key_out, size_t key_out_len)
 {
   int i;
   uint8_t *cp, *tmp = tor_malloc(key_in_len+1);
   uint8_t digest[DIGEST_LEN];

   /* If we try to get more than this amount of key data, we'll repeat
 blocks.*/
   tor_assert(key_out_len <= DIGEST_LEN*256);

   memcpy(tmp, key_in, key_in_len);
   for (cp = key_out, i=0; cp < key_out+key_out_len;
        ++i, cp += DIGEST_LEN) {
     tmp[key_in_len] = i;
     if (crypto_digest((char*)digest, (const char *)tmp, key_in_len+1))
       goto err;
     memcpy(cp, digest, MIN(DIGEST_LEN, key_out_len-(cp-key_out)));
   }
   memwipe(tmp, 0, key_in_len+1);
   tor_free(tmp);
   memwipe(digest, 0, sizeof(digest));
   return 0;

  err:
   memwipe(tmp, 0, key_in_len+1);
   tor_free(tmp);
   memwipe(digest, 0, sizeof(digest));
   return -1;
 }
 }}}

 contains twice this code
 {{{
   memwipe(tmp, 0, key_in_len+1);
   tor_free(tmp);
   memwipe(digest, 0, sizeof(digest));
 }}}

 then I think it will be ok to modify like this

 {{{
 int crypto_expand_key_material_TAP(const uint8_t *key_in, size_t
 key_in_len,
                                uint8_t *key_out, size_t key_out_len)
 {
   int i, r = -1;
   uint8_t *cp, *tmp = tor_malloc(key_in_len+1);
   uint8_t digest[DIGEST_LEN];

   /* If we try to get more than this amount of key data, we'll repeat
 blocks.*/
   tor_assert(key_out_len <= DIGEST_LEN*256);

   memcpy(tmp, key_in, key_in_len);
   for (cp = key_out, i=0; cp < key_out+key_out_len;
        ++i, cp += DIGEST_LEN) {
     tmp[key_in_len] = i;
     if (crypto_digest((char*)digest, (const char *)tmp, key_in_len+1))
       goto exit;
     memcpy(cp, digest, MIN(DIGEST_LEN, key_out_len-(cp-key_out)));
   }

   r = 0;
  exit:
   memwipe(tmp, 0, key_in_len+1);
   tor_free(tmp);
   memwipe(digest, 0, sizeof(digest));
   return r;
 }
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17587>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list