about summary refs log tree commit diff stats
path: root/linux/313index-bounds-check.subx
blob: 377d5adb3640b17e3284bcdb953b59b4eb515e5e (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
# Helper to check an array's bounds, and to abort if they're violated.
# Really only intended to be called from code generated by mu.subx.

== code

__check-mu-array-bounds:  # index: int, elem-size: int, arr-size: int, function-name: (addr array byte), array-name: (addr array byte)
    # . prologue
    55/push-ebp
    89/<- %ebp 4/r32/esp
    # . save registers
    50/push-eax
    51/push-ecx
    52/push-edx
    # . not bothering saving ebx; it's only clobbered if we're going to abort
    # ecx = arr-size
    8b/-> *(ebp+0x10) 1/r32/ecx
    # var overflow/edx: int = 0
    ba/copy-to-edx 0/imm32
    # var offset/eax: int = index * elem-size
    8b/-> *(ebp+8) 0/r32/eax
    f7 4/subop/multiply-eax-with *(ebp+0xc)
    # check for overflow
    81 7/subop/compare %edx 0/imm32
    0f 85/jump-if-!= __check-mu-array-bounds:overflow/disp32
    # check bounds
    39/compare %eax 1/r32/ecx
    0f 82/jump-if-unsigned< $__check-mu-array-bounds:end/disp32  # negative index should always abort
    # abort if necessary
    (write-buffered Stderr "fn ")
    (write-buffered Stderr *(ebp+0x14))
    (write-buffered Stderr ": offset ")
    (write-int32-hex-buffered Stderr %eax)
    (write-buffered Stderr " is too large for array '")
    (write-buffered Stderr *(ebp+0x18))
    (write-buffered Stderr "'\n")
    (flush Stderr)
    # exit(1)
    bb/copy-to-ebx 1/imm32
    e8/call syscall_exit/disp32
    # never gets here
$__check-mu-array-bounds:end:
    # . restore registers
    5a/pop-to-edx
    59/pop-to-ecx
    58/pop-to-eax
    # . epilogue
    89/<- %esp 5/r32/ebp
    5d/pop-to-ebp
    c3/return

__check-mu-array-bounds:overflow:
    # "fn " function-name ": offset to array '" array-name "' overflowed 32 bits\n"
    (write-buffered Stderr "fn ")
    (write-buffered Stderr *(ebp+0x14))
    (write-buffered Stderr ": offset to array '")
    (write-buffered Stderr *(ebp+0x18))
    (write-buffered Stderr "' overflowed 32 bits\n")
    (flush Stderr)
    # exit(1)
    bb/copy-to-ebx 1/imm32
    e8/call syscall_exit/disp32
    # never gets here

# potential alternative

#? __bounds-check:  # msg: (addr array byte)
#?   (write-buffered Stderr "abort: array bounds exceeded in fn ")
#?   8b/-> *(esp+4) 0/r32/eax  # we're going to abort, so just clobber away
#?   (write-buffered Stderr %eax)
#?   (write-buffered Stderr Newline)
#?   # exit(1)
#?   bb/copy-to-ebx 1/imm32
#?   e8/call syscall_exit/disp32

# to be called as follows:
#   var/reg <- index arr/rega: (addr array T), idx/regi: int
#     | if size-of(T) is 1, 2, 4 or 8
#         => # temporarily save array size to reg to check bounds
#            "8b/-> *" rega " " reg "/r32"
#            "c1/shift 5/subop/right %" reg " " log2(size-of(T)) "/imm32"
#            "3b/compare " reg "/r32 *" rega
#            "68/push \"" function "\"/imm32"  # pass function name to error message
#            "0f 8d/jump-if->= __bounds_check/disp32"
#            "81 0/subop/add %esp 4/imm32"  # drop function name
#            # actually save the index addr in reg
#            "8d/copy-address *(" rega "+" regi "<<" log2(size-of(T)) "+4) " reg "/r32"

__mu-abort-null-index-base-address:
    (write-buffered Stderr "null address in 'index'\n")
    (flush Stderr)
    # exit(1)
    bb/copy-to-ebx 1/imm32
    e8/call syscall_exit/disp32
    # never gets here

__mu-abort-null-get-base-address:
    (write-buffered Stderr "null address in 'get'\n")
    (flush Stderr)
    # exit(1)
    bb/copy-to-ebx 1/imm32
    e8/call syscall_exit/disp32
    # never gets here
light .sc { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Char */ .highlight .dl { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Delimiter */ .highlight .sd { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Doc */ .highlight .s2 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Double */ .highlight .se { color: #0044dd; background-color: #fff0f0 } /* Literal.String.Escape */ .highlight .sh { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Heredoc */ .highlight .si { color: #3333bb; background-color: #fff0f0 } /* Literal.String.Interpol */ .highlight .sx { color: #22bb22; background-color: #f0fff0 } /* Literal.String.Other */ .highlight .sr { color: #008800; background-color: #fff0ff } /* Literal.String.Regex */ .highlight .s1 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Single */ .highlight .ss { color: #aa6600; background-color: #fff0f0 } /* Literal.String.Symbol */ .highlight .bp { color: #003388 } /* Name.Builtin.Pseudo */ .highlight .fm { color: #0066bb; font-weight: bold } /* Name.Function.Magic */ .highlight .vc { color: #336699 } /* Name.Variable.Class */ .highlight .vg { color: #dd7700 } /* Name.Variable.Global */ .highlight .vi { color: #3333bb } /* Name.Variable.Instance */ .highlight .vm { color: #336699 } /* Name.Variable.Magic */ .highlight .il { color: #0000DD; font-weight: bold } /* Literal.Number.Integer.Long */
/*
 * store.h
 * vim: expandtab:ts=4:sts=4:sw=4
 *
 * Copyright (C) 2019 Paul Fariello <paul@fariello.eu>
 *
 * This file is part of Profanity.
 *
 * Profanity is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * Profanity is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with Profanity.  If not, see <https://www.gnu.org/licenses/>.
 *
 * In addition, as a special exception, the copyright holders give permission to
 * link the code of portions of this program with the OpenSSL library under
 * certain conditions as described in each individual source file, and
 * distribute linked combinations including the two.
 *
 * You must obey the GNU General Public License in all respects for all of the
 * code used other than OpenSSL. If you modify file(s) with this exception, you
 * may extend this exception to your version of the file(s), but you are not
 * obligated to do so. If you do not wish to do so, delete this exception
 * statement from your version. If you delete this exception statement from all
 * source files in the program, then also delete it here.
 *
 */
#include <signal/signal_protocol.h>

#include "config.h"

#define OMEMO_STORE_GROUP_IDENTITY           "identity"
#define OMEMO_STORE_GROUP_PREKEYS            "prekeys"
#define OMEMO_STORE_GROUP_SIGNED_PREKEYS     "signed_prekeys"
#define OMEMO_STORE_KEY_DEVICE_ID            "device_id"
#define OMEMO_STORE_KEY_REGISTRATION_ID      "registration_id"
#define OMEMO_STORE_KEY_IDENTITY_KEY_PUBLIC  "identity_key_public"
#define OMEMO_STORE_KEY_IDENTITY_KEY_PRIVATE "identity_key_private"

typedef struct
{
    signal_buffer* public;
    signal_buffer* private;
    uint32_t registration_id;
    GHashTable* trusted;
    bool recv;
} identity_key_store_t;

GHashTable* session_store_new(void);
GHashTable* pre_key_store_new(void);
GHashTable* signed_pre_key_store_new(void);
void identity_key_store_new(identity_key_store_t* identity_key_store);
void identity_key_store_destroy(identity_key_store_t* identity_key_store);

/**
 * Returns a copy of the serialized session record corresponding to the
 * provided recipient ID + device ID tuple.
 *
 * @param record pointer to a freshly allocated buffer containing the
 *     serialized session record. Unset if no record was found.
 *     The Signal Protocol library is responsible for freeing this buffer.
 * @param address the address of the remote client
 * @return 1 if the session was loaded, 0 if the session was not found, negative on failure
 */
int load_session(signal_buffer** record, signal_buffer** user_record, const signal_protocol_address* address, void* user_data);

/**
 * Returns all known devices with active sessions for a recipient
 *
 * @param pointer to an array that will be allocated and populated with the result
 * @param name the name of the remote client
 * @param name_len the length of the name
 * @return size of the sessions array, or negative on failure
 */
int get_sub_device_sessions(signal_int_list** sessions, const char* name, size_t name_len, void* user_data);

/**
 * Commit to storage the session record for a given
 * recipient ID + device ID tuple.
 *
 * @param address the address of the remote client
 * @param record pointer to a buffer containing the serialized session
 *     record for the remote client
 * @param record_len length of the serialized session record
 * @return 0 on success, negative on failure
 */
int store_session(const signal_protocol_address* address, uint8_t* record, size_t record_len, uint8_t* user_record, size_t user_record_len, void* user_data);

/**
 * Determine whether there is a committed session record for a
 * recipient ID + device ID tuple.
 *
 * @param address the address of the remote client
 * @return 1 if a session record exists, 0 otherwise.
 */
int contains_session(const signal_protocol_address* address, void* user_data);

/**
 * Remove a session record for a recipient ID + device ID tuple.
 *
 * @param address the address of the remote client
 * @return 1 if a session was deleted, 0 if a session was not deleted, negative on error
 */
int delete_session(const signal_protocol_address* address, void* user_data);

/**
 * Remove the session records corresponding to all devices of a recipient ID.
 *
 * @param name the name of the remote client
 * @param name_len the length of the name
 * @return the number of deleted sessions on success, negative on failure
 */
int delete_all_sessions(const char* name, size_t name_len, void* user_data);

/**
 * Load a local serialized PreKey record.
 *
 * @param record pointer to a newly allocated buffer containing the record,
 *     if found. Unset if no record was found.
 *     The Signal Protocol library is responsible for freeing this buffer.
 * @param pre_key_id the ID of the local serialized PreKey record
 * @retval SG_SUCCESS if the key was found
 * @retval SG_ERR_INVALID_KEY_ID if the key could not be found
 */
int load_pre_key(signal_buffer** record, uint32_t pre_key_id, void* user_data);

/**
 * Store a local serialized PreKey record.
 *
 * @param pre_key_id the ID of the PreKey record to store.
 * @param record pointer to a buffer containing the serialized record
 * @param record_len length of the serialized record
 * @return 0 on success, negative on failure
 */
int store_pre_key(uint32_t pre_key_id, uint8_t* record, size_t record_len, void* user_data);

/**
 * Determine whether there is a committed PreKey record matching the
 * provided ID.
 *
 * @param pre_key_id A PreKey record ID.
 * @return 1 if the store has a record for the PreKey ID, 0 otherwise
 */
int contains_pre_key(uint32_t pre_key_id, void* user_data);

/**
 * Delete a PreKey record from local storage.
 *
 * @param pre_key_id The ID of the PreKey record to remove.
 * @return 0 on success, negative on failure
 */
int remove_pre_key(uint32_t pre_key_id, void* user_data);

/**
 * Load a local serialized signed PreKey record.
 *
 * @param record pointer to a newly allocated buffer containing the record,
 *     if found. Unset if no record was found.
 *     The Signal Protocol library is responsible for freeing this buffer.
 * @param signed_pre_key_id the ID of the local signed PreKey record
 * @retval SG_SUCCESS if the key was found
 * @retval SG_ERR_INVALID_KEY_ID if the key could not be found
 */
int load_signed_pre_key(signal_buffer** record, uint32_t signed_pre_key_id, void* user_data);

/**
 * Store a local serialized signed PreKey record.
 *
 * @param signed_pre_key_id the ID of the signed PreKey record to store
 * @param record pointer to a buffer containing the serialized record
 * @param record_len length of the serialized record
 * @return 0 on success, negative on failure
 */
int store_signed_pre_key(uint32_t signed_pre_key_id, uint8_t* record, size_t record_len, void* user_data);

/**
 * Determine whether there is a committed signed PreKey record matching
 * the provided ID.
 *
 * @param signed_pre_key_id A signed PreKey record ID.
 * @return 1 if the store has a record for the signed PreKey ID, 0 otherwise
 */
int contains_signed_pre_key(uint32_t signed_pre_key_id, void* user_data);

/**
 * Delete a SignedPreKeyRecord from local storage.
 *
 * @param signed_pre_key_id The ID of the signed PreKey record to remove.
 * @return 0 on success, negative on failure
 */
int remove_signed_pre_key(uint32_t signed_pre_key_id, void* user_data);

/**
 * Get the local client's identity key pair.
 *
 * @param public_data pointer to a newly allocated buffer containing the
 *     public key, if found. Unset if no record was found.
 *     The Signal Protocol library is responsible for freeing this buffer.
 * @param private_data pointer to a newly allocated buffer containing the
 *     private key, if found. Unset if no record was found.
 *     The Signal Protocol library is responsible for freeing this buffer.
 * @return 0 on success, negative on failure
 */
int get_identity_key_pair(signal_buffer** public_data, signal_buffer** private_data, void* user_data);

/**
 * Return the local client's registration ID.
 *
 * Clients should maintain a registration ID, a random number
 * between 1 and 16380 that's generated once at install time.
 *
 * @param registration_id pointer to be set to the local client's
 *     registration ID, if it was successfully retrieved.
 * @return 0 on success, negative on failure
 */
int get_local_registration_id(void* user_data, uint32_t* registration_id);

/**
 * Save a remote client's identity key
 * <p>
 * Store a remote client's identity key as trusted.
 * The value of key_data may be null. In this case remove the key data
 * from the identity store, but retain any metadata that may be kept
 * alongside it.
 *
 * @param address the address of the remote client
 * @param key_data Pointer to the remote client's identity key, may be null
 * @param key_len Length of the remote client's identity key
 * @return 0 on success, negative on failure
 */
int save_identity(const signal_protocol_address* address, uint8_t* key_data, size_t key_len, void* user_data);

/**
 * Verify a remote client's identity key.
 *
 * Determine whether a remote client's identity is trusted.  Convention is
 * that the TextSecure protocol is 'trust on first use.'  This means that
 * an identity key is considered 'trusted' if there is no entry for the recipient
 * in the local store, or if it matches the saved key for a recipient in the local
 * store.  Only if it mismatches an entry in the local store is it considered
 * 'untrusted.'
 *
 * @param address the address of the remote client
 * @param identityKey The identity key to verify.
 * @param key_data Pointer to the identity key to verify
 * @param key_len Length of the identity key to verify
 * @return 1 if trusted, 0 if untrusted, negative on failure
 */
int is_trusted_identity(const signal_protocol_address* address, uint8_t* key_data, size_t key_len, void* user_data);

/**
 * Store a serialized sender key record for a given
 * (groupId + senderId + deviceId) tuple.
 *
 * @param sender_key_name the (groupId + senderId + deviceId) tuple
 * @param record pointer to a buffer containing the serialized record
 * @param record_len length of the serialized record
 * @return 0 on success, negative on failure
 */
int store_sender_key(const signal_protocol_sender_key_name* sender_key_name, uint8_t* record, size_t record_len, uint8_t* user_record, size_t user_record_len, void* user_data);

/**
 * Returns a copy of the sender key record corresponding to the
 * (groupId + senderId + deviceId) tuple.
 *
 * @param record pointer to a newly allocated buffer containing the record,
 *     if found. Unset if no record was found.
 *     The Signal Protocol library is responsible for freeing this buffer.
 * @param sender_key_name the (groupId + senderId + deviceId) tuple
 * @return 1 if the record was loaded, 0 if the record was not found, negative on failure
 */
int load_sender_key(signal_buffer** record, signal_buffer** user_record, const signal_protocol_sender_key_name* sender_key_name, void* user_data);