base16_decode() API is inconsistent and error-prone

changed milestone to %Tor: 0.2.9.x-final

added component::core tor/tor lorax milestone::Tor: 0.2.9.x-final owner::nikkolasg parent::19531 points::1 priority::high resolution::implemented review-group-3 reviewer::dgoulet severity::normal sponsor::S-can status::closed type::defect labels

Initial branch is "bug14013_024" and is awaiting review.

Merged that to 0.2.5 and later. SHould consider for 0.2.4 backport IMO. Still needs a better fix for 0.2.6. base32_decode has the same API stupidity.

Defer some items from 0.2.6. They are mostly worth doing, but not going to happen super-fast.

Trac:
Milestone: Tor: 0.2.6.x-final to Tor: 0.2.???

Trac:
Milestone: Tor: 0.2.??? to Tor: 0.2.8.x-final

Trac:
Sponsor: N/A to N/A
Points: N/A to small

Trac:
Keywords: 024-backport 025-backport tor-client deleted, lorax added
Severity: N/A to Normal
Milestone: Tor: 0.2.8.x-final to Tor: 0.2.9.x-final

Trac:
Reviewer: N/A to N/A
Sponsor: N/A to SponsorS-can

Trac:
Priority: High to Medium

Trac:
Priority: Medium to High

Here's the (my first) patch I've wrote from the master branch. Any comments most welcomed ;)

Trac:
Username: nikkolasg

0001-base16_decodes-returns-bytes.patch

patch with correct spaces

Trac:
Username: nikkolasg

Trac:
Status: new to needs_review

reassigning in order to set the owner.

Trac:
Owner: N/A to nikkolasg
Status: needs_review to assigned

Trac:
Status: assigned to needs_review

Trac:
Keywords: N/A deleted, review-group-1 added

base16_decode() comment needs to mention that we return the size now on success.
There is still this line looking for an error instead of != to the expected size but all other fixes make that not equal change:

+      base16_decode(guard_id, DIGEST_LEN, inputs_tmp, HEX_DIGEST_LEN) < 0) {

About this comment, can you tell us what's the returned value? It seems it should be DIGEST256_LEN indeed.

+    // XXX Should it not be always DIGEST256_LEN ? Running the tests with
+    // the condition ` != DIGEST256_LEN` fails.

Trac:
Status: needs_review to needs_revision

Trac:
Username: nikkolasg

base16_decode_reviewed1.patch

Path after 1st review of dgoulet

Trac:
Username: nikkolasg

Oups, I thought I could remove the first patch but no.. Adapted the code for your first two points. About the third:

Value 17B1C409A7B0E9A9E307D38A18AF7E5F8C15C803
Size of output 20 (vs 32)
Failing tests:
- dir/clip_unmeasured_bw_kb
- dir/clip_unmeasured_bw_kb_alt
- dir/v3_networkstatus

If you'd like I can try to debug it further but to be honest, I think a more experienced Tor developer will be far most efficient (=fast) than me as I have to understand the whole codebase evolving around this line. That said, I'm willing to try ;)

Trac:
Username: nikkolasg

Trac:
Username: nikkolasg
Status: needs_revision to needs_review

Trac:
Reviewer: N/A to dgoulet

First this is a good find. I've opened #19066 (moved) about it:

+    // XXX Should it not be always DIGEST256_LEN ? Running the tests with
+    // the condition ` != DIGEST256_LEN` fails.

The patch looks good. There are some minor syntax issues that can easily be fixed such as:

    if (base16_decode(digest, DIGEST_LEN, hexbuf, HEX_DIGEST_LEN)
            != DIGEST_LEN) {

It should be aligned like this to follow the code base:

    if (base16_decode(digest, DIGEST_LEN,
                      hexbuf, HEX_DIGEST_LEN) != DIGEST_LEN) {

This one has an extra white space:

           base16_decode(voter->identity_digest, sizeof(voter->identity_digest),
-                        tok->args[1], HEX_DIGEST_LEN) < 0) {
+                        tok->args[1], HEX_DIGEST_LEN)  != DIGEST_LEN) {

Align:

+    tt_int_op(sizeof(blinding_param), OP_EQ, DECODE(blinding_param,
+                ED25519_BLINDING_PARAMS[i]));

+    tt_int_op(sizeof(buf),OP_EQ,base16_decode(buf,sizeof(buf),\
+                hex,strlen(hex)));\

Sorry about this, very wow such nitpicking but it makes the difference in the end for a more clean and maintainable code. Let me know if you can quickly fix those else I can go over them and credit you as the author. Thanks!

Trac:
Status: needs_review to needs_revision

I get it, no worry, I'm just not used yet to your formatting :) I'll fix those and submit a new patch, maybe not quickly because I've just found some unchanged calls to base16_decode that I need to fix also (still some base16_decode(..) == 0). Thanks for the review anyway. I'll get back to you soon.

Trac:
Username: nikkolasg

Trac:
Points: small to 1

Everything in review-group-1 has had at least 1 review.

Trac:
Keywords: review-group-1 deleted, review-group-2 added

Trac:
Username: nikkolasg

base16_decode_reviewed2.patch

Patch after review2

Trac:
Username: nikkolasg

Hi, finally found the time to finalize it. Here's some comments:

In routerset.c:107, a call to base16_decode is un-checked; while it may not be important, I prefer still to announce it so it may be looked over by a Tor dev at some point later ...
In control.c:1214, there's inconsistency between the size of the buffer and the return value. The size of the dest buffer is 64 but base16_decode returns S2K_RFC2440_SPECIFIER_LEN + DIGEST_LEN. In fact even the comments of the function say the hashed passwords should be of length S2K_RFC2440_SPECIFIER_LEN + DIGEST_LEN. It would be a good practice to unify both values. I did not do it here as it does not make much sense here I think.
I allowed myself to change some other files to make the make check-spaces happy, I hope it's ok ;)

Otherwise the rest is ok :)

Trac:
Username: nikkolasg

Trac:
Username: nikkolasg
Status: needs_revision to needs_review

I tried different things to apply the patch on current master and I'm unable! Apparently, routerparse.c changed too much...

The patch looks good I would say except few minor syntax things but I can fix them. However, I can't use it as it is, can you maybe provide a git branch or a fresh diff that apply on master? Thanks!

Trac:
Status: needs_review to needs_revision

These have all had at least one review during review-group-2.

Trac:
Keywords: review-group-2 deleted, review-group-3 added

Trac:
Username: nikkolasg

base16_decode_reviewed3.patch

Trac:
Username: nikkolasg

Trac:
Username: nikkolasg
Status: needs_revision to needs_review

Here is the patch with minor syntax edit and fix: bug14013_029_01

Both chutney works and make test.

Trac:
Status: needs_review to merge_ready

requested changes:

require that destlen be less than SSIZE_MAX. Otherwise the cast in base16_decode isn't safe.
document what happens if destlen is greater than or less than srclen/2.

+      ok = base16_decode(id, DIGEST_LEN, cp+strlen("id="),
+                         strlen(cp)-strlen("id=")) != DIGEST_LEN ? 0 : 1;

would make more sense as ok = (base16_decode(...) == DIGEST_LEN)

Why is the comparison in decode_hashed_passwords < rather than != ?

To consider:

Should we make all of these functions clear the unused portion of the output buffer?
Is it possible that we missed any instances of base16_decode() ?

Trac:
Status: merge_ready to needs_revision

Replying to nickm:

requested changes:

require that destlen be less than SSIZE_MAX. Otherwise the cast in base16_decode isn't safe.

Hrm actually that ssize_t cast doesn't make too much sense. That function returns a int so we should align everything to INT_MAX. I originally changed it to return ssize_t but I changed my mind so every encode/decode function have the same interface.

Fixup commit: b397307

document what happens if destlen is greater than or less than srclen/2.

Also in fixup commit: b397307

{{{
 ok = base16_decode(id, DIGEST_LEN, cp+strlen("id="),
                    strlen(cp)-strlen("id=")) != DIGEST_LEN ? 0 : 1;
}}}

would make more sense as ok = (base16_decode(...) == DIGEST_LEN)

Why is the comparison in decode_hashed_passwords < rather than != ?

This was a leftover.

Both of the above fixed in fixup commit: 6bffbb9

To consider:

Should we make all of these functions clear the unused portion of the output buffer?

Ideally, we should make all the decode function return how many bytes they used so the caller can know the exact amount filled up.

Now this patch makes it for base16 and base64 is already doing that. base32 is the missing one. New ticket time I presume.

Is it possible that we missed any instances of base16_decode() ?

Always possible but nikkolasg originally made the patch and then I went over each of the base16_decode I could find to fix some syntax and change < to !=. So if we missed one, bad luck I would say.

See branch with the fixup commits: bug14013_029_01

Trac:
Status: needs_revision to merge_ready

Are you sure you pushed the fixup commits? I'm only seeing one commit on that branch.

Trac:
Status: merge_ready to needs_revision

Sorry about that, I just pushed it.

Trac:
Status: needs_revision to merge_ready

looks good. squashed and merged. I will open another ticket for the "clear target buffer" thing.

Trac:
Resolution: N/A to implemented
Status: merge_ready to closed

Trac:
Parent: N/A to #19531 (moved)

closed

changed time estimate to 8h

mentioned in issue #17868 (moved)

mentioned in issue #19066 (moved)

moved to tpo/core/tor#14013 (closed)

mentioned in issue tpo/core/tor#19066 (closed)

base16_decode() API is inconsistent and error-prone

Child items 0

Activity