libtom / libtomcrypt

LibTomCrypt is a fairly comprehensive, modular and portable cryptographic toolkit that provides developers with a vast array of well known published block ciphers, one-way hash functions, chaining modes, pseudo-random number generators, public key cryptography and a plethora of other routines.

https://www.libtom.net

Other

1.57k stars 460 forks source link

src of unsigned_read should be const #581

Closed mabuchner closed 3 weeks ago

mabuchner commented 2 years ago

The ltc_math_descriptor.unsigned_read function pointer has a non-const src pointer argument, which the function is not supposed to modify

https://github.com/libtom/libtomcrypt/blob/673f5ce29015a9bba3c96792920a10601b5b0718/src/headers/tomcrypt_math.h#L179

This is error prone as one might accidentally swap dst and src.

The src pointer should get marked as const.

int (*unsigned_read)(void *dst,
                     const unsigned char *src,
                     unsigned long  len);

mabuchner commented 2 years ago

In various places libtomcrypt tries to use a constant src, but it then has to cast away the constness in order to call the unsigned_read function. E.g. see this

https://github.com/libtom/libtomcrypt/blob/673f5ce29015a9bba3c96792920a10601b5b0718/src/pk/ecc/ecc_verify_hash.c#L78

levitte commented 3 months ago

tomcrypt_math.h lacks const in quite a number of places. I supposed this is driven by tomsfastmath, which is also seriously lacking in similar cases (although interestingly enough, fp_read_unsigned_bin is properly constified, so there's really no excuse for unsigned_bin...

levitte commented 3 months ago

654 should fix this particular issue, but not the broader issue of lack of const in ltc_math_descriptor. That's a more massive piece of work, also involving changes in tomsfastmath.

levitte commented 2 months ago

Things have evolved to become a full constification effort, in #667