Merge branch 'maint-0.2.2'

ReleaseNotes

@@ -3,6 +3,25 @@ This document summarizes new features and bugfixes in each stable release
 of Tor. If you want to see more detailed descriptions of the changes in
 each development snapshot, see the ChangeLog file.
 
+Changes in version 0.2.1.28 - 2010-12-17
+  Tor 0.2.1.28 does some code cleanup to reduce the risk of remotely
+  exploitable bugs. We also took this opportunity to change the IP address
+  for one of our directory authorities, and to update the geoip database
+  we ship.
+
+  o Major bugfixes:
+    - Fix a remotely exploitable bug that could be used to crash instances
+      of Tor remotely by overflowing on the heap. Remote-code execution
+      hasn't been confirmed, but can't be ruled out. Everyone should
+      upgrade. Bugfix on the 0.1.1 series and later.
+
+  o Directory authority changes:
+    - Change IP address and ports for gabelmoo (v3 directory authority).
+
+  o Minor features:
+    - Update to the December 1 2010 Maxmind GeoLite Country database.
+
+
 Changes in version 0.2.1.27 - 2010-11-23
   Yet another OpenSSL security patch broke its compatibility with Tor:
   Tor 0.2.1.27 makes relays work with openssl 0.9.8p and 1.0.0.b. We

changes/security_bug

@@ -0,0 +1,5 @@
+  o Major bugfixes:
+    - Fix a remotely exploitable bug that could be used to crash instances
+      of Tor remotely by overflowing on the heap.  Remove-code execution
+      hasn't been confirmed, but can't be ruled out.  Obviously, everyone
+      should upgrade.  Bugfix on the 0.1.1 series and later.

src/common/compat.c

@@ -155,6 +155,7 @@ tor_mmap_file(const char *filename)
     return NULL;
   }
 
+  /* XXXX why not just do fstat here? */
   size = filesize = (size_t) lseek(fd, 0, SEEK_END);
   lseek(fd, 0, SEEK_SET);
   /* ensure page alignment */
@@ -328,7 +329,7 @@ tor_vsnprintf(char *str, size_t size, const char *format, va_list args)
   int r;
   if (size == 0)
     return -1; /* no place for the NUL */
-  if (size > SSIZE_T_MAX-16)
+  if (size > SIZE_T_CEILING)
     return -1;
 #ifdef MS_WINDOWS
   r = _vsnprintf(str, size, format, args);
@@ -589,7 +590,7 @@ tor_fix_source_file(const char *fname)
  * unaligned memory access.
  */
 uint16_t
-get_uint16(const char *cp)
+get_uint16(const void *cp)
 {
   uint16_t v;
   memcpy(&v,cp,2);
@@ -601,7 +602,7 @@ get_uint16(const char *cp)
  * unaligned memory access.
  */
 uint32_t
-get_uint32(const char *cp)
+get_uint32(const void *cp)
 {
   uint32_t v;
   memcpy(&v,cp,4);
@@ -613,7 +614,7 @@ get_uint32(const char *cp)
  * unaligned memory access.
  */
 uint64_t
-get_uint64(const char *cp)
+get_uint64(const void *cp)
 {
   uint64_t v;
   memcpy(&v,cp,8);
@@ -625,7 +626,7 @@ get_uint64(const char *cp)
  * *(uint16_t*)(cp) = v, but will not cause segfaults on platforms that forbid
  * unaligned memory access. */
 void
-set_uint16(char *cp, uint16_t v)
+set_uint16(void *cp, uint16_t v)
 {
   memcpy(cp,&v,2);
 }
@@ -634,7 +635,7 @@ set_uint16(char *cp, uint16_t v)
  * *(uint32_t*)(cp) = v, but will not cause segfaults on platforms that forbid
  * unaligned memory access. */
 void
-set_uint32(char *cp, uint32_t v)
+set_uint32(void *cp, uint32_t v)
 {
   memcpy(cp,&v,4);
 }
@@ -643,7 +644,7 @@ set_uint32(char *cp, uint32_t v)
  * *(uint64_t*)(cp) = v, but will not cause segfaults on platforms that forbid
  * unaligned memory access. */
 void
-set_uint64(char *cp, uint64_t v)
+set_uint64(void *cp, uint64_t v)
 {
   memcpy(cp,&v,8);
 }

src/common/compat.h

@@ -500,18 +500,18 @@ long tor_weak_random(void);
 /* ===== OS compatibility */
 const char *get_uname(void);
 
-uint16_t get_uint16(const char *cp) ATTR_PURE ATTR_NONNULL((1));
-uint32_t get_uint32(const char *cp) ATTR_PURE ATTR_NONNULL((1));
-uint64_t get_uint64(const char *cp) ATTR_PURE ATTR_NONNULL((1));
-void set_uint16(char *cp, uint16_t v) ATTR_NONNULL((1));
-void set_uint32(char *cp, uint32_t v) ATTR_NONNULL((1));
-void set_uint64(char *cp, uint64_t v) ATTR_NONNULL((1));
+uint16_t get_uint16(const void *cp) ATTR_PURE ATTR_NONNULL((1));
+uint32_t get_uint32(const void *cp) ATTR_PURE ATTR_NONNULL((1));
+uint64_t get_uint64(const void *cp) ATTR_PURE ATTR_NONNULL((1));
+void set_uint16(void *cp, uint16_t v) ATTR_NONNULL((1));
+void set_uint32(void *cp, uint32_t v) ATTR_NONNULL((1));
+void set_uint64(void *cp, uint64_t v) ATTR_NONNULL((1));
 
 /* These uint8 variants are defined to make the code more uniform. */
 #define get_uint8(cp) (*(const uint8_t*)(cp))
-static void set_uint8(char *cp, uint8_t v);
+static void set_uint8(void *cp, uint8_t v);
 static INLINE void
-set_uint8(char *cp, uint8_t v)
+set_uint8(void *cp, uint8_t v)
 {
   *(uint8_t*)cp = v;
 }

src/common/crypto.c

@@ -901,6 +901,8 @@ crypto_pk_public_checksig_digest(crypto_pk_env_t *env, const char *data,
   tor_assert(env);
   tor_assert(data);
   tor_assert(sig);
+  tor_assert(datalen < SIZE_T_CEILING);
+  tor_assert(siglen < SIZE_T_CEILING);
 
   if (crypto_digest(digest,data,datalen)<0) {
     log_warn(LD_BUG, "couldn't compute digest");
@@ -1001,6 +1003,7 @@ crypto_pk_public_hybrid_encrypt(crypto_pk_env_t *env,
   tor_assert(env);
   tor_assert(from);
   tor_assert(to);
+  tor_assert(fromlen < SIZE_T_CEILING);
 
   overhead = crypto_get_rsa_padding_overhead(crypto_get_rsa_padding(padding));
   pkeylen = crypto_pk_keysize(env);
@@ -1068,6 +1071,7 @@ crypto_pk_private_hybrid_decrypt(crypto_pk_env_t *env,
   crypto_cipher_env_t *cipher = NULL;
   char *buf = NULL;
 
+  tor_assert(fromlen < SIZE_T_CEILING);
   pkeylen = crypto_pk_keysize(env);
 
   if (fromlen <= pkeylen) {
@@ -1117,7 +1121,7 @@ crypto_pk_asn1_encode(crypto_pk_env_t *pk, char *dest, size_t dest_len)
   int len;
   unsigned char *buf, *cp;
   len = i2d_RSAPublicKey(pk->key, NULL);
-  if (len < 0 || (size_t)len > dest_len)
+  if (len < 0 || (size_t)len > dest_len || dest_len > SIZE_T_CEILING)
     return -1;
   cp = buf = tor_malloc(len+1);
   len = i2d_RSAPublicKey(pk->key, &cp);
@@ -1192,6 +1196,8 @@ add_spaces_to_fp(char *out, size_t outlen, const char *in)
 {
   int n = 0;
   char *end = out+outlen;
+  tor_assert(outlen < SIZE_T_CEILING);
+
   while (*in && out<end) {
     *out++ = *in++;
     if (++n == 4 && *in && out<end) {
@@ -1337,6 +1343,7 @@ crypto_cipher_encrypt(crypto_cipher_env_t *env, char *to,
   tor_assert(from);
   tor_assert(fromlen);
   tor_assert(to);
+  tor_assert(fromlen < SIZE_T_CEILING);
 
   aes_crypt(env->cipher, from, fromlen, to);
   return 0;
@@ -1353,6 +1360,7 @@ crypto_cipher_decrypt(crypto_cipher_env_t *env, char *to,
   tor_assert(env);
   tor_assert(from);
   tor_assert(to);
+  tor_assert(fromlen < SIZE_T_CEILING);
 
   aes_crypt(env->cipher, from, fromlen, to);
   return 0;
@@ -1364,6 +1372,7 @@ crypto_cipher_decrypt(crypto_cipher_env_t *env, char *to,
 int
 crypto_cipher_crypt_inplace(crypto_cipher_env_t *env, char *buf, size_t len)
 {
+  tor_assert(len < SIZE_T_CEILING);
   aes_crypt_inplace(env->cipher, buf, len);
   return 0;
 }

src/common/memarea.c

@@ -95,6 +95,7 @@ static memarea_chunk_t *freelist = NULL;
 static memarea_chunk_t *
 alloc_chunk(size_t sz, int freelist_ok)
 {
+  tor_assert(sz < SIZE_T_CEILING);
   if (freelist && freelist_ok) {
     memarea_chunk_t *res = freelist;
     freelist = res->next_chunk;
@@ -211,6 +212,7 @@ memarea_alloc(memarea_t *area, size_t sz)
   char *result;
   tor_assert(chunk);
   CHECK_SENTINEL(chunk);
+  tor_assert(sz < SIZE_T_CEILING);
   if (sz == 0)
     sz = 1;
   if (chunk->next_mem+sz > chunk->u.mem+chunk->mem_size) {
@@ -270,6 +272,7 @@ memarea_strndup(memarea_t *area, const char *s, size_t n)
   size_t ln;
   char *result;
   const char *cp, *end = s+n;
+  tor_assert(n < SIZE_T_CEILING);
   for (cp = s; cp < end && *cp; ++cp)
     ;
   /* cp now points to s+n, or to the 0 in the string. */

src/common/mempool.c

@@ -357,6 +357,10 @@ mp_pool_new(size_t item_size, size_t chunk_capacity)
   mp_pool_t *pool;
   size_t alloc_size, new_chunk_cap;
 
+  tor_assert(item_size < SIZE_T_CEILING);
+  tor_assert(chunk_capacity < SIZE_T_CEILING);
+  tor_assert(SIZE_T_CEILING / item_size > chunk_capacity);
+
   pool = ALLOC(sizeof(mp_pool_t));
   CHECK_ALLOC(pool);
   memset(pool, 0, sizeof(mp_pool_t));

src/common/torint.h

@@ -330,7 +330,7 @@ typedef uint32_t uintptr_t;
 #endif
 
 /* Any size_t larger than this amount is likely to be an underflow. */
-#define SIZE_T_CEILING (sizeof(char)<<(sizeof(size_t)*8 - 1))
+#define SIZE_T_CEILING (SSIZE_T_MAX-16)
 
 #endif /* __TORINT_H */
 

src/common/util.c

@@ -123,6 +123,8 @@ _tor_malloc(size_t size DMALLOC_PARAMS)
 {
   void *result;
 
+  tor_assert(size < SIZE_T_CEILING);
+
 #ifndef MALLOC_ZERO_WORKS
   /* Some libc mallocs don't work when size==0. Override them. */
   if (size==0) {
@@ -219,6 +221,7 @@ _tor_strndup(const char *s, size_t n DMALLOC_PARAMS)
 {
   char *dup;
   tor_assert(s);
+  tor_assert(n < SIZE_T_CEILING);
   dup = _tor_malloc((n+1) DMALLOC_FN_ARGS);
   /* Performance note: Ordinarily we prefer strlcpy to strncpy.  But
    * this function gets called a whole lot, and platform strncpy is
@@ -235,6 +238,7 @@ void *
 _tor_memdup(const void *mem, size_t len DMALLOC_PARAMS)
 {
   char *dup;
+  tor_assert(len < SIZE_T_CEILING);
   tor_assert(mem);
   dup = _tor_malloc(len DMALLOC_FN_ARGS);
   memcpy(dup, mem, len);
@@ -264,12 +268,15 @@ void *
 _tor_malloc_roundup(size_t *sizep DMALLOC_PARAMS)
 {
 #ifdef HAVE_MALLOC_GOOD_SIZE
+  tor_assert(*sizep < SIZE_T_CEILING);
   *sizep = malloc_good_size(*sizep);
   return _tor_malloc(*sizep DMALLOC_FN_ARGS);
 #elif 0 && defined(HAVE_MALLOC_USABLE_SIZE) && !defined(USE_DMALLOC)
   /* Never use malloc_usable_size(); it makes valgrind really unhappy,
    * and doesn't win much in terms of usable space where it exists. */
-  void *result = _tor_malloc(*sizep DMALLOC_FN_ARGS);
+  void *result;
+  tor_assert(*sizep < SIZE_T_CEILING);
+  result = _tor_malloc(*sizep DMALLOC_FN_ARGS);
   *sizep = malloc_usable_size(result);
   return result;
 #else
@@ -2055,7 +2062,7 @@ read_file_to_str(const char *filename, int flags, struct stat *stat_out)
     return NULL;
   }
 
-  if ((uint64_t)(statbuf.st_size)+1 > SIZE_T_MAX)
+  if ((uint64_t)(statbuf.st_size)+1 > SIZE_T_CEILING)
     return NULL;
 
   string = tor_malloc((size_t)(statbuf.st_size+1));

src/or/buffers.c

@@ -1003,7 +1003,7 @@ fetch_var_cell_from_buf(buf_t *buf, var_cell_t **out, int linkproto)
   result->circ_id = ntohs(get_uint16(hdr));
 
   buf_remove_from_front(buf, VAR_CELL_HEADER_SIZE);
-  peek_from_buf(result->payload, length, buf);
+  peek_from_buf((char*) result->payload, length, buf);
   buf_remove_from_front(buf, length);
   check();
 

src/or/circuitbuild.c

@@ -1897,7 +1897,7 @@ circuit_send_next_onion_skin(origin_circuit_t *circ)
        * and a DH operation. */
       cell_type = CELL_CREATE_FAST;
       memset(payload, 0, sizeof(payload));
-      crypto_rand(circ->cpath->fast_handshake_state,
+      crypto_rand((char*) circ->cpath->fast_handshake_state,
                   sizeof(circ->cpath->fast_handshake_state));
       memcpy(payload, circ->cpath->fast_handshake_state,
              sizeof(circ->cpath->fast_handshake_state));
@@ -2076,8 +2076,8 @@ circuit_extend(cell_t *cell, circuit_t *circ)
 
   n_addr32 = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE));
   n_port = ntohs(get_uint16(cell->payload+RELAY_HEADER_SIZE+4));
-  onionskin = cell->payload+RELAY_HEADER_SIZE+4+2;
-  id_digest = cell->payload+RELAY_HEADER_SIZE+4+2+ONIONSKIN_CHALLENGE_LEN;
+  onionskin = (char*) cell->payload+RELAY_HEADER_SIZE+4+2;
+  id_digest = (char*) cell->payload+RELAY_HEADER_SIZE+4+2+ONIONSKIN_CHALLENGE_LEN;
   tor_addr_from_ipv4h(&n_addr, n_addr32);
 
   if (!n_port || !n_addr32) {
@@ -2215,7 +2215,7 @@ circuit_init_cpath_crypto(crypt_path_t *cpath, const char *key_data,
  */
 int
 circuit_finish_handshake(origin_circuit_t *circ, uint8_t reply_type,
-                         const char *reply)
+                         const uint8_t *reply)
 {
   char keys[CPATH_KEY_MATERIAL_LEN];
   crypt_path_t *hop;
@@ -2232,7 +2232,7 @@ circuit_finish_handshake(origin_circuit_t *circ, uint8_t reply_type,
   tor_assert(hop->state == CPATH_STATE_AWAITING_KEYS);
 
   if (reply_type == CELL_CREATED && hop->dh_handshake_state) {
-    if (onion_skin_client_handshake(hop->dh_handshake_state, reply, keys,
+    if (onion_skin_client_handshake(hop->dh_handshake_state, (char*)reply, keys,
                                     DIGEST_LEN*2+CIPHER_KEY_LEN*2) < 0) {
       log_warn(LD_CIRC,"onion_skin_client_handshake failed.");
       return -END_CIRC_REASON_TORPROTOCOL;
@@ -2240,7 +2240,8 @@ circuit_finish_handshake(origin_circuit_t *circ, uint8_t reply_type,
     /* Remember hash of g^xy */
     memcpy(hop->handshake_digest, reply+DH_KEY_LEN, DIGEST_LEN);
   } else if (reply_type == CELL_CREATED_FAST && !hop->dh_handshake_state) {
-    if (fast_client_handshake(hop->fast_handshake_state, reply, keys,
+    if (fast_client_handshake(hop->fast_handshake_state, reply,
+                              (uint8_t*)keys,
                               DIGEST_LEN*2+CIPHER_KEY_LEN*2) < 0) {
       log_warn(LD_CIRC,"fast_client_handshake failed.");
       return -END_CIRC_REASON_TORPROTOCOL;

src/or/circuitbuild.h

@@ -31,7 +31,7 @@ int circuit_extend(cell_t *cell, circuit_t *circ);
 int circuit_init_cpath_crypto(crypt_path_t *cpath, const char *key_data,
                               int reverse);
 int circuit_finish_handshake(origin_circuit_t *circ, uint8_t cell_type,
-                             const char *reply);
+                             const uint8_t *reply);
 int circuit_truncated(origin_circuit_t *circ, crypt_path_t *layer);
 int onionskin_answer(or_circuit_t *circ, uint8_t cell_type,
                      const char *payload, const char *keys);

src/or/command.c

@@ -310,7 +310,8 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn)
     char keys[CPATH_KEY_MATERIAL_LEN];
     char reply[DIGEST_LEN*2];
     tor_assert(cell->command == CELL_CREATE_FAST);
-    if (fast_server_handshake(cell->payload, reply, keys, sizeof(keys))<0) {
+    if (fast_server_handshake(cell->payload, (uint8_t*)reply,
+                              (uint8_t*)keys, sizeof(keys))<0) {
       log_warn(LD_OR,"Failed to generate key material. Closing.");
       circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL);
       return;
@@ -357,7 +358,7 @@ command_process_created_cell(cell_t *cell, or_connection_t *conn)
     int err_reason = 0;
     log_debug(LD_OR,"at OP. Finishing handshake.");
     if ((err_reason = circuit_finish_handshake(origin_circ, cell->command,
-                                 cell->payload)) < 0) {
+                                               cell->payload)) < 0) {
       log_warn(LD_OR,"circuit_finish_handshake failed.");
       circuit_mark_for_close(circ, -err_reason);
       return;
@@ -373,7 +374,7 @@ command_process_created_cell(cell_t *cell, or_connection_t *conn)
     log_debug(LD_OR,
               "Converting created cell to extended relay cell, sending.");
     relay_send_command_from_edge(0, circ, RELAY_COMMAND_EXTENDED,
-                                 cell->payload, ONIONSKIN_REPLY_LEN,
+                                 (char*)cell->payload, ONIONSKIN_REPLY_LEN,
                                  NULL);
   }
 }
@@ -503,7 +504,7 @@ static void
 command_process_versions_cell(var_cell_t *cell, or_connection_t *conn)
 {
   int highest_supported_version = 0;
-  const char *cp, *end;
+  const uint8_t *cp, *end;
   if (conn->link_proto != 0 ||
       conn->_base.state != OR_CONN_STATE_OR_HANDSHAKING ||
       (conn->handshake_state && conn->handshake_state->received_versions)) {
@@ -557,8 +558,8 @@ command_process_netinfo_cell(cell_t *cell, or_connection_t *conn)
   time_t timestamp;
   uint8_t my_addr_type;
   uint8_t my_addr_len;
-  const char *my_addr_ptr;
-  const char *cp, *end;
+  const uint8_t *my_addr_ptr;
+  const uint8_t *cp, *end;
   uint8_t n_other_addrs;
   time_t now = time(NULL);
 
@@ -586,7 +587,7 @@ command_process_netinfo_cell(cell_t *cell, or_connection_t *conn)
 
   my_addr_type = (uint8_t) cell->payload[4];
   my_addr_len = (uint8_t) cell->payload[5];
-  my_addr_ptr = cell->payload + 6;
+  my_addr_ptr = (uint8_t*) cell->payload + 6;
   end = cell->payload + CELL_PAYLOAD_SIZE;
   cp = cell->payload + 6 + my_addr_len;
   if (cp >= end) {
@@ -603,7 +604,7 @@ command_process_netinfo_cell(cell_t *cell, or_connection_t *conn)
     /* Consider all the other addresses; if any matches, this connection is
      * "canonical." */
     tor_addr_t addr;
-    const char *next = decode_address_from_payload(&addr, cp, (int)(end-cp));
+    const uint8_t *next = decode_address_from_payload(&addr, cp, (int)(end-cp));
     if (next == NULL) {
       log_fn(LOG_PROTOCOL_WARN,  LD_OR,
              "Bad address in netinfo cell; closing connection.");

src/or/connection_edge.c

@@ -1489,7 +1489,8 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
       tor_snprintf(socks->address, sizeof(socks->address), "REVERSE[%s]",
                   orig_address);
       connection_ap_handshake_socks_resolved(conn, RESOLVED_TYPE_HOSTNAME,
-                                             strlen(result), result, -1,
+                                             strlen(result), (uint8_t*)result,
+                                             -1,
                                              map_expires);
       connection_mark_unattached_ap(conn,
                                 END_STREAM_REASON_DONE |
@@ -1610,7 +1611,8 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
         /* remember _what_ is supposed to have been resolved. */
         strlcpy(socks->address, orig_address, sizeof(socks->address));
         connection_ap_handshake_socks_resolved(conn,RESOLVED_TYPE_IPV4,4,
-                                               (char*)&answer,-1,map_expires);
+                                               (uint8_t*)&answer,
+                                               -1,map_expires);
         connection_mark_unattached_ap(conn,
                                 END_STREAM_REASON_DONE |
                                 END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED);
@@ -2325,7 +2327,7 @@ void
 connection_ap_handshake_socks_resolved(edge_connection_t *conn,
                                        int answer_type,
                                        size_t answer_len,
-                                       const char *answer,
+                                       const uint8_t *answer,
                                        int ttl,
                                        time_t expires)
 {
@@ -2339,7 +2341,7 @@ connection_ap_handshake_socks_resolved(edge_connection_t *conn,
         client_dns_set_addressmap(conn->socks_request->address, a,
                                   conn->chosen_exit_name, ttl);
     } else if (answer_type == RESOLVED_TYPE_HOSTNAME && answer_len < 256) {
-      char *cp = tor_strndup(answer, answer_len);
+      char *cp = tor_strndup((char*)answer, answer_len);
       client_dns_set_reverse_addressmap(conn->socks_request->address,
                                         cp,
                                         conn->chosen_exit_name, ttl);
@@ -2350,14 +2352,14 @@ connection_ap_handshake_socks_resolved(edge_connection_t *conn,
   if (conn->is_dns_request) {
     if (conn->dns_server_request) {
       /* We had a request on our DNS port: answer it. */
-      dnsserv_resolved(conn, answer_type, answer_len, answer, ttl);
+      dnsserv_resolved(conn, answer_type, answer_len, (char*)answer, ttl);
       conn->socks_request->has_finished = 1;
       return;
     } else {
       /* This must be a request from the controller. We already sent
        * a mapaddress if there's a ttl. */
       tell_controller_about_resolved_result(conn, answer_type, answer_len,
-                                            answer, ttl, expires);
+                                            (char*)answer, ttl, expires);
       conn->socks_request->has_finished = 1;
       return;
     }
@@ -2502,6 +2504,8 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ)
     or_circ = TO_OR_CIRCUIT(circ);
 
   relay_header_unpack(&rh, cell->payload);
+  if (rh.length > RELAY_PAYLOAD_SIZE)
+    return -1;
 
   /* Note: we have to use relay_send_command_from_edge here, not
    * connection_edge_end or connection_edge_send_command, since those require
@@ -2525,7 +2529,8 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ)
                                     END_STREAM_REASON_TORPROTOCOL, NULL);
       return 0;
     }
-    if (parse_addr_port(LOG_PROTOCOL_WARN, cell->payload+RELAY_HEADER_SIZE,
+    if (parse_addr_port(LOG_PROTOCOL_WARN,
+                        (char*)(cell->payload+RELAY_HEADER_SIZE),
                         &address,NULL,&port)<0) {
       log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
              "Unable to parse addr:port in relay begin cell. Closing.");
@@ -2690,6 +2695,8 @@ connection_exit_begin_resolve(cell_t *cell, or_circuit_t *circ)
 
   assert_circuit_ok(TO_CIRCUIT(circ));
   relay_header_unpack(&rh, cell->payload);
+  if (rh.length > RELAY_PAYLOAD_SIZE)
+    return -1;
 
   /* This 'dummy_conn' only exists to remember the stream ID
    * associated with the resolve request; and to make the
@@ -2700,8 +2707,9 @@ connection_exit_begin_resolve(cell_t *cell, or_circuit_t *circ)
    */
   dummy_conn = edge_connection_new(CONN_TYPE_EXIT, AF_INET);
   dummy_conn->stream_id = rh.stream_id;
-  dummy_conn->_base.address = tor_strndup(cell->payload+RELAY_HEADER_SIZE,
-                                          rh.length);
+  dummy_conn->_base.address = tor_strndup(
+                                       (char*)cell->payload+RELAY_HEADER_SIZE,
+                                       rh.length);
   dummy_conn->_base.port = 0;
   dummy_conn->_base.state = EXIT_CONN_STATE_RESOLVEFAILED;
   dummy_conn->_base.purpose = EXIT_PURPOSE_RESOLVE;

src/or/connection_edge.h

@@ -39,7 +39,7 @@ void connection_ap_handshake_socks_reply(edge_connection_t *conn, char *reply,
 void connection_ap_handshake_socks_resolved(edge_connection_t *conn,
                                             int answer_type,
                                             size_t answer_len,
-                                            const char *answer,
+                                            const uint8_t *answer,
                                             int ttl,
                                             time_t expires);
 

src/or/connection_or.c

@@ -1403,7 +1403,8 @@ connection_or_write_var_cell_to_buf(const var_cell_t *cell,
   tor_assert(conn);
   var_cell_pack_header(cell, hdr);
   connection_write_to_buf(hdr, sizeof(hdr), TO_CONN(conn));
-  connection_write_to_buf(cell->payload, cell->payload_len, TO_CONN(conn));
+  connection_write_to_buf((char*)cell->payload,
+                          cell->payload_len, TO_CONN(conn));
   if (cell->command != CELL_PADDING)
     conn->timestamp_last_added_nonpadding = approx_time();
 }
@@ -1538,7 +1539,7 @@ connection_or_send_netinfo(or_connection_t *conn)
   time_t now = time(NULL);
   const routerinfo_t *me;
   int len;
-  char *out;
+  uint8_t *out;
 
   memset(&cell, 0, sizeof(cell_t));
   cell.command = CELL_NETINFO;

src/or/onion.c

@@ -349,9 +349,9 @@ onion_skin_client_handshake(crypto_dh_env_t *handshake_state,
  * Return 0 on success, <0 on failure.
  **/
 int
-fast_server_handshake(const char *key_in, /* DIGEST_LEN bytes */
-                      char *handshake_reply_out, /* DIGEST_LEN*2 bytes */
-                      char *key_out,
+fast_server_handshake(const uint8_t *key_in, /* DIGEST_LEN bytes */
+                      uint8_t *handshake_reply_out, /* DIGEST_LEN*2 bytes */
+                      uint8_t *key_out,
                       size_t key_out_len)
 {
   char tmp[DIGEST_LEN+DIGEST_LEN];
@@ -359,7 +359,7 @@ fast_server_handshake(const char *key_in, /* DIGEST_LEN bytes */
   size_t out_len;
   int r = -1;
 
-  if (crypto_rand(handshake_reply_out, DIGEST_LEN)<0)
+  if (crypto_rand((char*)handshake_reply_out, DIGEST_LEN)<0)
     return -1;
 
   memcpy(tmp, key_in, DIGEST_LEN);
@@ -392,9 +392,9 @@ fast_server_handshake(const char *key_in, /* DIGEST_LEN bytes */
  * and protected by TLS).
  */
 int
-fast_client_handshake(const char *handshake_state, /* DIGEST_LEN bytes */
-                      const char *handshake_reply_out, /* DIGEST_LEN*2 bytes */
-                      char *key_out,
+fast_client_handshake(const uint8_t *handshake_state, /* DIGEST_LEN bytes */
+                      const uint8_t *handshake_reply_out, /* DIGEST_LEN*2 bytes */
+                      uint8_t *key_out,
                       size_t key_out_len)
 {
   char tmp[DIGEST_LEN+DIGEST_LEN];

src/or/onion.h

@@ -32,14 +32,14 @@ int onion_skin_client_handshake(crypto_dh_env_t *handshake_state,
                                 char *key_out,
                                 size_t key_out_len);
 
-int fast_server_handshake(const char *key_in,
-                          char *handshake_reply_out,
-                          char *key_out,
+int fast_server_handshake(const uint8_t *key_in,
+                          uint8_t *handshake_reply_out,
+                          uint8_t *key_out,
                           size_t key_out_len);
 
-int fast_client_handshake(const char *handshake_state,
-                          const char *handshake_reply_out,
-                          char *key_out,
+int fast_client_handshake(const uint8_t *handshake_state,
+                          const uint8_t *handshake_reply_out,
+                          uint8_t *key_out,
                           size_t key_out_len);
 
 void clear_pending_onions(void);

src/or/or.h

@@ -850,7 +850,7 @@ typedef struct cell_t {
   circid_t circ_id; /**< Circuit which received the cell. */
   uint8_t command; /**< Type of the cell: one of CELL_PADDING, CELL_CREATE,
                     * CELL_DESTROY, etc */
-  char payload[CELL_PAYLOAD_SIZE]; /**< Cell body. */
+  uint8_t payload[CELL_PAYLOAD_SIZE]; /**< Cell body. */
 } cell_t;
 
 /** Parsed variable-length onion routing cell. */
@@ -858,7 +858,7 @@ typedef struct var_cell_t {
   uint8_t command;
   circid_t circ_id;
   uint16_t payload_len;
-  char payload[1];
+  uint8_t payload[1];
 } var_cell_t;
 
 /** A cell as packed for writing to the network. */
@@ -2111,7 +2111,7 @@ typedef struct crypt_path_t {
    * authentication, secrecy, and integrity we need, and we're already
    * distinguishable from an OR.
    */
-  char fast_handshake_state[DIGEST_LEN];
+  uint8_t fast_handshake_state[DIGEST_LEN];
   /** Negotiated key material shared with the OR at this step. */
   char handshake_digest[DIGEST_LEN];/* KH in tor-spec.txt */
 

src/or/relay.c

@@ -98,7 +98,7 @@ relay_set_digest(crypto_digest_env_t *digest, cell_t *cell)
   char integrity[4];
   relay_header_t rh;
 
-  crypto_digest_add_bytes(digest, cell->payload, CELL_PAYLOAD_SIZE);
+  crypto_digest_add_bytes(digest, (char*)cell->payload, CELL_PAYLOAD_SIZE);
   crypto_digest_get_digest(digest, integrity, 4);
 //  log_fn(LOG_DEBUG,"Putting digest of %u %u %u %u into relay cell.",
 //    integrity[0], integrity[1], integrity[2], integrity[3]);
@@ -131,7 +131,7 @@ relay_digest_matches(crypto_digest_env_t *digest, cell_t *cell)
 //    received_integrity[0], received_integrity[1],
 //    received_integrity[2], received_integrity[3]);
 
-  crypto_digest_add_bytes(digest, cell->payload, CELL_PAYLOAD_SIZE);
+  crypto_digest_add_bytes(digest, (char*) cell->payload, CELL_PAYLOAD_SIZE);
   crypto_digest_get_digest(digest, calculated_integrity, 4);
 
   if (memcmp(received_integrity, calculated_integrity, 4)) {
@@ -157,12 +157,12 @@ relay_digest_matches(crypto_digest_env_t *digest, cell_t *cell)
  * Return -1 if the crypto fails, else return 0.
  */
 static int
-relay_crypt_one_payload(crypto_cipher_env_t *cipher, char *in,
+relay_crypt_one_payload(crypto_cipher_env_t *cipher, uint8_t *in,
                         int encrypt_mode)
 {
   int r;
   (void)encrypt_mode;
-  r = crypto_cipher_crypt_inplace(cipher, in, CELL_PAYLOAD_SIZE);
+  r = crypto_cipher_crypt_inplace(cipher, (char*) in, CELL_PAYLOAD_SIZE);
 
   if (r) {
     log_warn(LD_BUG,"Error during relay encryption");
@@ -477,10 +477,9 @@ relay_lookup_conn(circuit_t *circ, cell_t *cell,
  * about the wire format.
  */
 void
-relay_header_pack(char *dest, const relay_header_t *src)
+relay_header_pack(uint8_t *dest, const relay_header_t *src)
 {
-  *(uint8_t*)(dest) = src->command;
-
+  set_uint8(dest, src->command);
   set_uint16(dest+1, htons(src->recognized));
   set_uint16(dest+3, htons(src->stream_id));
   memcpy(dest+5, src->integrity, 4);
@@ -491,10 +490,9 @@ relay_header_pack(char *dest, const relay_header_t *src)
  * relay_header_t structure <b>dest</b>.
  */
 void
-relay_header_unpack(relay_header_t *dest, const char *src)
+relay_header_unpack(relay_header_t *dest, const uint8_t *src)
 {
-  dest->command = *(uint8_t*)(src);
-
+  dest->command = get_uint8(src);
   dest->recognized = ntohs(get_uint16(src+1));
   dest->stream_id = ntohs(get_uint16(src+3));
   memcpy(dest->integrity, src+5, 4);
@@ -1119,13 +1117,13 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
       }
 
       stats_n_data_bytes_received += rh.length;
-      connection_write_to_buf(cell->payload + RELAY_HEADER_SIZE,
+      connection_write_to_buf((char*)(cell->payload + RELAY_HEADER_SIZE),
                               rh.length, TO_CONN(conn));
       connection_edge_consider_sending_sendme(conn);
       return 0;
     case RELAY_COMMAND_END:
       reason = rh.length > 0 ?
-        *(uint8_t *)(cell->payload+RELAY_HEADER_SIZE) : END_STREAM_REASON_MISC;
+        get_uint8(cell->payload+RELAY_HEADER_SIZE) : END_STREAM_REASON_MISC;
       if (!conn) {
         log_info(domain,"end cell (%s) dropped, unknown stream.",
                  stream_end_reason_to_string(reason));
@@ -2457,7 +2455,7 @@ append_cell_to_circuit_queue(circuit_t *circ, or_connection_t *orconn,
  *   ADDRESS                                   [length bytes]
  * Return the number of bytes added, or -1 on error */
 int
-append_address_to_payload(char *payload_out, const tor_addr_t *addr)
+append_address_to_payload(uint8_t *payload_out, const tor_addr_t *addr)
 {
   uint32_t a;
   switch (tor_addr_family(addr)) {
@@ -2482,13 +2480,13 @@ append_address_to_payload(char *payload_out, const tor_addr_t *addr)
  * encoded as by append_address_to_payload(), try to decode the address into
  * *<b>addr_out</b>.  Return the next byte in the payload after the address on
  * success, or NULL on failure. */
-const char *
-decode_address_from_payload(tor_addr_t *addr_out, const char *payload,
+const uint8_t *
+decode_address_from_payload(tor_addr_t *addr_out, const uint8_t *payload,
                             int payload_len)
 {
   if (payload_len < 2)
     return NULL;
-  if (payload_len < 2+(uint8_t)payload[1])
+  if (payload_len < 2+payload[1])
     return NULL;
 
   switch (payload[0]) {
@@ -2500,13 +2498,13 @@ decode_address_from_payload(tor_addr_t *addr_out, const char *payload,
   case RESOLVED_TYPE_IPV6:
     if (payload[1] != 16)
       return NULL;
-    tor_addr_from_ipv6_bytes(addr_out, payload+2);
+    tor_addr_from_ipv6_bytes(addr_out, (char*)(payload+2));
     break;
   default:
     tor_addr_make_unspec(addr_out);
     break;
   }
-  return payload + 2 + (uint8_t)payload[1];
+  return payload + 2 + payload[1];
 }
 
 /** Remove all the cells queued on <b>circ</b> for <b>orconn</b>. */

src/or/relay.h

@@ -18,8 +18,8 @@ extern uint64_t stats_n_relay_cells_delivered;
 int circuit_receive_relay_cell(cell_t *cell, circuit_t *circ,
                                cell_direction_t cell_direction);
 
-void relay_header_pack(char *dest, const relay_header_t *src);
-void relay_header_unpack(relay_header_t *dest, const char *src);
+void relay_header_pack(uint8_t *dest, const relay_header_t *src);
+void relay_header_unpack(relay_header_t *dest, const uint8_t *src);
 int relay_send_command_from_edge(streamid_t stream_id, circuit_t *circ,
                                uint8_t relay_command, const char *payload,
                                size_t payload_len, crypt_path_t *cpath_layer);
@@ -55,9 +55,9 @@ void assert_active_circuits_ok(or_connection_t *orconn);
 void make_circuit_inactive_on_conn(circuit_t *circ, or_connection_t *conn);
 void make_circuit_active_on_conn(circuit_t *circ, or_connection_t *conn);
 
-int append_address_to_payload(char *payload_out, const tor_addr_t *addr);
-const char *decode_address_from_payload(tor_addr_t *addr_out,
-                                        const char *payload,
+int append_address_to_payload(uint8_t *payload_out, const tor_addr_t *addr);
+const uint8_t *decode_address_from_payload(tor_addr_t *addr_out,
+                                        const uint8_t *payload,
                                         int payload_len);
 unsigned cell_ewma_get_tick(void);
 void cell_ewma_set_scale_factor(or_options_t *options,

src/or/rendclient.c

@@ -235,7 +235,7 @@ rend_client_rendcirc_has_opened(origin_circuit_t *circ)
  */
 int
 rend_client_introduction_acked(origin_circuit_t *circ,
-                               const char *request, size_t request_len)
+                               const uint8_t *request, size_t request_len)
 {
   origin_circuit_t *rendcirc;
   (void) request; // XXXX Use this.
@@ -584,7 +584,7 @@ rend_client_remove_intro_point(extend_info_t *failed_intro,
  * the circuit to C_REND_READY.
  */
 int
-rend_client_rendezvous_acked(origin_circuit_t *circ, const char *request,
+rend_client_rendezvous_acked(origin_circuit_t *circ, const uint8_t *request,
                              size_t request_len)
 {
   (void) request;
@@ -610,7 +610,7 @@ rend_client_rendezvous_acked(origin_circuit_t *circ, const char *request,
 
 /** Bob sent us a rendezvous cell; join the circuits. */
 int
-rend_client_receive_rendezvous(origin_circuit_t *circ, const char *request,
+rend_client_receive_rendezvous(origin_circuit_t *circ, const uint8_t *request,
                                size_t request_len)
 {
   crypt_path_t *hop;
@@ -638,9 +638,10 @@ rend_client_receive_rendezvous(origin_circuit_t *circ, const char *request,
   tor_assert(circ->build_state->pending_final_cpath);
   hop = circ->build_state->pending_final_cpath;
   tor_assert(hop->dh_handshake_state);
-  if (crypto_dh_compute_secret(LOG_PROTOCOL_WARN, hop->dh_handshake_state,
-                               request, DH_KEY_LEN, keys,
-                               DIGEST_LEN+CPATH_KEY_MATERIAL_LEN)<0) {
+  if (crypto_dh_compute_secret(LOG_PROTOCOL_WARN,
+                               hop->dh_handshake_state, (char*)request,
+                               DH_KEY_LEN,
+                               keys, DIGEST_LEN+CPATH_KEY_MATERIAL_LEN)<0) {
     log_warn(LD_GENERAL, "Couldn't complete DH handshake.");
     goto err;
   }

src/or/rendclient.h

@@ -14,14 +14,17 @@
 
 void rend_client_introcirc_has_opened(origin_circuit_t *circ);
 void rend_client_rendcirc_has_opened(origin_circuit_t *circ);
-int rend_client_introduction_acked(origin_circuit_t *circ, const char *request,
+int rend_client_introduction_acked(origin_circuit_t *circ,
+                                   const uint8_t *request,
                                    size_t request_len);
 void rend_client_refetch_v2_renddesc(const rend_data_t *rend_query);
 int rend_client_remove_intro_point(extend_info_t *failed_intro,
                                    const rend_data_t *rend_query);
-int rend_client_rendezvous_acked(origin_circuit_t *circ, const char *request,
+int rend_client_rendezvous_acked(origin_circuit_t *circ,
+                                 const uint8_t *request,
                                  size_t request_len);
-int rend_client_receive_rendezvous(origin_circuit_t *circ, const char *request,
+int rend_client_receive_rendezvous(origin_circuit_t *circ,
+                                   const uint8_t *request,
                                    size_t request_len);
 void rend_client_desc_trynow(const char *query);
 

src/or/rendcommon.c

@@ -1358,7 +1358,7 @@ rend_cache_store_v2_desc_as_client(const char *desc,
 void
 rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
                         int command, size_t length,
-                        const char *payload)
+                        const uint8_t *payload)
 {
   or_circuit_t *or_circ = NULL;
   origin_circuit_t *origin_circ = NULL;

src/or/rendcommon.h

@@ -22,7 +22,8 @@ rend_data_free(rend_data_t *data)
 int rend_cmp_service_ids(const char *one, const char *two);
 
 void rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
-                             int command, size_t length, const char *payload);
+                             int command, size_t length,
+                             const uint8_t *payload);
 
 void rend_service_descriptor_free(rend_service_descriptor_t *desc);
 rend_service_descriptor_t *rend_parse_service_descriptor(const char *str,

src/or/rendmid.c

@@ -18,7 +18,7 @@
  * setting the circuit's purpose and service pk digest.
  */
 int
-rend_mid_establish_intro(or_circuit_t *circ, const char *request,
+rend_mid_establish_intro(or_circuit_t *circ, const uint8_t *request,
                          size_t request_len)
 {
   crypto_pk_env_t *pk = NULL;
@@ -48,7 +48,7 @@ rend_mid_establish_intro(or_circuit_t *circ, const char *request,
   /* Next asn1len bytes: asn1-encoded key. */
   if (request_len < 2+DIGEST_LEN+asn1len)
     goto truncated;
-  pk = crypto_pk_asn1_decode(request+2, asn1len);
+  pk = crypto_pk_asn1_decode((char*)(request+2), asn1len);
   if (!pk) {
     reason = END_CIRC_REASON_TORPROTOCOL;
     log_warn(LD_PROTOCOL, "Couldn't decode public key.");
@@ -69,8 +69,8 @@ rend_mid_establish_intro(or_circuit_t *circ, const char *request,
   }
   /* Rest of body: signature of previous data */
   note_crypto_pk_op(REND_MID);
-  if (crypto_pk_public_checksig_digest(pk, request, 2+asn1len+DIGEST_LEN,
-                                       request+2+DIGEST_LEN+asn1len,
+  if (crypto_pk_public_checksig_digest(pk, (char*)request, 2+asn1len+DIGEST_LEN,
+                                       (char*)(request+2+DIGEST_LEN+asn1len),
                                        request_len-(2+DIGEST_LEN+asn1len))<0) {
     log_warn(LD_PROTOCOL,
              "Incorrect signature on ESTABLISH_INTRO cell; rejecting.");
@@ -130,7 +130,7 @@ rend_mid_establish_intro(or_circuit_t *circ, const char *request,
  * INTRODUCE2 cell.
  */
 int
-rend_mid_introduce(or_circuit_t *circ, const char *request, size_t request_len)
+rend_mid_introduce(or_circuit_t *circ, const uint8_t *request, size_t request_len)
 {
   or_circuit_t *intro_circ;
   char serviceid[REND_SERVICE_ID_LEN_BASE32+1];
@@ -159,10 +159,10 @@ rend_mid_introduce(or_circuit_t *circ, const char *request, size_t request_len)
   }
 
   base32_encode(serviceid, REND_SERVICE_ID_LEN_BASE32+1,
-                request, REND_SERVICE_ID_LEN);
+                (char*)request, REND_SERVICE_ID_LEN);
 
   /* The first 20 bytes are all we look at: they have a hash of Bob's PK. */
-  intro_circ = circuit_get_intro_point(request);
+  intro_circ = circuit_get_intro_point((char*)request);
   if (!intro_circ) {
     log_info(LD_REND,
              "No intro circ found for INTRODUCE1 cell (%s) from circuit %d; "
@@ -180,7 +180,7 @@ rend_mid_introduce(or_circuit_t *circ, const char *request, size_t request_len)
   /* Great.  Now we just relay the cell down the circuit. */
   if (relay_send_command_from_edge(0, TO_CIRCUIT(intro_circ),
                                    RELAY_COMMAND_INTRODUCE2,
-                                   request, request_len, NULL)) {
+                                   (char*)request, request_len, NULL)) {
     log_warn(LD_GENERAL,
              "Unable to send INTRODUCE2 cell to Tor client.");
     goto err;
@@ -212,7 +212,7 @@ rend_mid_introduce(or_circuit_t *circ, const char *request, size_t request_len)
  * rendezvous cookie.
  */
 int
-rend_mid_establish_rendezvous(or_circuit_t *circ, const char *request,
+rend_mid_establish_rendezvous(or_circuit_t *circ, const uint8_t *request,
                               size_t request_len)
 {
   char hexid[9];
@@ -232,7 +232,7 @@ rend_mid_establish_rendezvous(or_circuit_t *circ, const char *request,
     goto err;
   }
 
-  if (circuit_get_rendezvous(request)) {
+  if (circuit_get_rendezvous((char*)request)) {
     log_warn(LD_PROTOCOL,
              "Duplicate rendezvous cookie in ESTABLISH_RENDEZVOUS.");
     goto err;
@@ -250,7 +250,7 @@ rend_mid_establish_rendezvous(or_circuit_t *circ, const char *request,
   circ->_base.purpose = CIRCUIT_PURPOSE_REND_POINT_WAITING;
   memcpy(circ->rend_token, request, REND_COOKIE_LEN);
 
-  base16_encode(hexid,9,request,4);
+  base16_encode(hexid,9,(char*)request,4);
 
   log_info(LD_REND,
            "Established rendezvous point on circuit %d for cookie %s",
@@ -267,13 +267,13 @@ rend_mid_establish_rendezvous(or_circuit_t *circ, const char *request,
  * connecting the two circuits.
  */
 int
-rend_mid_rendezvous(or_circuit_t *circ, const char *request,
+rend_mid_rendezvous(or_circuit_t *circ, const uint8_t *request,
                     size_t request_len)
 {
   or_circuit_t *rend_circ;
   char hexid[9];
   int reason = END_CIRC_REASON_INTERNAL;
-  base16_encode(hexid,9,request,request_len<4?request_len:4);
+  base16_encode(hexid,9,(char*)request,request_len<4?request_len:4);
 
   if (request_len>=4) {
     log_info(LD_REND,
@@ -297,7 +297,7 @@ rend_mid_rendezvous(or_circuit_t *circ, const char *request,
     goto err;
   }
 
-  rend_circ = circuit_get_rendezvous(request);
+  rend_circ = circuit_get_rendezvous((char*)request);
   if (!rend_circ) {
     log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
          "Rejecting RENDEZVOUS1 cell with unrecognized rendezvous cookie %s.",
@@ -309,7 +309,7 @@ rend_mid_rendezvous(or_circuit_t *circ, const char *request,
   /* Send the RENDEZVOUS2 cell to Alice. */
   if (relay_send_command_from_edge(0, TO_CIRCUIT(rend_circ),
                                    RELAY_COMMAND_RENDEZVOUS2,
-                                   request+REND_COOKIE_LEN,
+                                   (char*)(request+REND_COOKIE_LEN),
                                    request_len-REND_COOKIE_LEN, NULL)) {
     log_warn(LD_GENERAL,
              "Unable to send RENDEZVOUS2 cell to client on circuit %d.",

src/or/rendmid.h

@@ -12,13 +12,13 @@
 #ifndef _TOR_RENDMID_H
 #define _TOR_RENDMID_H
 
-int rend_mid_establish_intro(or_circuit_t *circ, const char *request,
+int rend_mid_establish_intro(or_circuit_t *circ, const uint8_t *request,
                              size_t request_len);
-int rend_mid_introduce(or_circuit_t *circ, const char *request,
+int rend_mid_introduce(or_circuit_t *circ, const uint8_t *request,
                        size_t request_len);
-int rend_mid_establish_rendezvous(or_circuit_t *circ, const char *request,
+int rend_mid_establish_rendezvous(or_circuit_t *circ, const uint8_t *request,
                                   size_t request_len);
-int rend_mid_rendezvous(or_circuit_t *circ, const char *request,
+int rend_mid_rendezvous(or_circuit_t *circ, const uint8_t *request,
                         size_t request_len);
 
 #endif

src/or/rendservice.c

@@ -850,7 +850,7 @@ clean_accepted_intros(rend_service_t *service, time_t now)
  * rendezvous point.
  */
 int
-rend_service_introduce(origin_circuit_t *circuit, const char *request,
+rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request,
                        size_t request_len)
 {
   char *ptr, *r_cookie;
@@ -914,7 +914,7 @@ rend_service_introduce(origin_circuit_t *circuit, const char *request,
   crypto_pk_get_digest(intro_key, intro_key_digest);
   if (memcmp(intro_key_digest, request, DIGEST_LEN)) {
     base32_encode(serviceid, REND_SERVICE_ID_LEN_BASE32+1,
-                  request, REND_SERVICE_ID_LEN);
+                  (char*)request, REND_SERVICE_ID_LEN);
     log_warn(LD_REND, "Got an INTRODUCE2 cell for the wrong service (%s).",
              escaped(serviceid));
     return -1;
@@ -929,7 +929,7 @@ rend_service_introduce(origin_circuit_t *circuit, const char *request,
   /* Next N bytes is encrypted with service key */
   note_crypto_pk_op(REND_SERVER);
   r = crypto_pk_private_hybrid_decrypt(
-       intro_key,buf,request+DIGEST_LEN,request_len-DIGEST_LEN,
+       intro_key,buf,(char*)(request+DIGEST_LEN),request_len-DIGEST_LEN,
        PK_PKCS1_OAEP_PADDING,1);
   if (r<0) {
     log_warn(LD_PROTOCOL, "Couldn't decrypt INTRODUCE2 cell.");
@@ -1393,7 +1393,8 @@ rend_service_intro_has_opened(origin_circuit_t *circuit)
  * live introduction point, and note that the service descriptor is
  * now out-of-date.*/
 int
-rend_service_intro_established(origin_circuit_t *circuit, const char *request,
+rend_service_intro_established(origin_circuit_t *circuit,
+                               const uint8_t *request,
                                size_t request_len)
 {
   rend_service_t *service;

src/or/rendservice.h

@@ -22,10 +22,10 @@ void rend_consider_descriptor_republication(void);
 
 void rend_service_intro_has_opened(origin_circuit_t *circuit);
 int rend_service_intro_established(origin_circuit_t *circuit,
-                                   const char *request,
+                                   const uint8_t *request,
                                    size_t request_len);
 void rend_service_rendezvous_has_opened(origin_circuit_t *circuit);
-int rend_service_introduce(origin_circuit_t *circuit, const char *request,
+int rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request,
                            size_t request_len);
 void rend_service_relaunch_rendezvous(origin_circuit_t *oldcirc);
 int rend_service_set_connection_addr_port(edge_connection_t *conn,