1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
|
ChangeLog file for safeclib
Changes in 3.7.1
- Fixed powerpc compilation of the perf tests. GH #113
Changes in 3.7
- Switched to proper semantic versioning for upstream packagers.
- Fixed getenv_s to allow dest=NULL or dmax=0 as in the spec. (GH #109)
- Fixed qsort_s with gcc-12 (GH #110)
- Updated to Unicode 14 (tested against perl 5.35.7)
export define SAFECLIB_UNICODE_VERSION 14
- Added stpcpy_s and stpncpy_s as in the Intel safestringlib fork.
- Added our own portable implementation of the family of printf_s
functions. This make the results and errno sideeffects more predictable.
scanf_s not yet. Fixes GH #97.
- This also adds support for the %Lx family of printf handlers: %L[fFeEaAgG]
and wide-char %ls, %lc conversions.
(GH #103). Now just custom sscanf_s and UTF-8 support is missing.
- Added a --disable-hardening option, which bypasses obviously failing
AX_APPEND_COMPILE_FLAGS probes (PR #107, ffontaine).
E.g. needed on some exotic uclibc buildroot targets.
- Some minor bugfixes, like unknown size_t GH #89, ECONSTANTS as enums
on hurd (GH #101), sprintf_s with "" arg (GH #97).
- Minor test improvements overall.
- Don't build/install wchar manpages with --disable-wchar (GH #95)
Changes in v02092020 3.6.0
- Improved generated man pages. Describe not the private _chk functions,
but the public _s functions. Merge duplicate return values.
Changes in v31082020 3.6.0
- Added smokers for more architectures and distros:
ubuntu, debian, centos, fedora, rhel /
x86_64, i386, arm32, aarch64, s390x, ppc64le on travis and drone.
just ubuntu arm32, arm64 and s390x are broken. (GH #81)
Big-endian works.
- Updated Unicode to version 13. Very few changes only.
- Use __attribute__format printf and scanf checks, and prepared for the
eventual wprintf and wscanf formats which are waiting to be added into gcc
since 2008. (GH #85)
- favor gcc-{ar,ranlib,nm} to find the plugin paths (e.g. for lto)
- move typedef rsize_t below def. of size_t (GH #89)
- kernel module: detect new time64_t and use old_time32_t for our API.
We didn't add the new time64_t API's yet.
- tests: add 2 missing HAVE_CT_BOS_OVR comptime overflows
- tests: fixes for latest msys2, new HAVE_MINGW64 now also defines __MINGW32__
- travis: improve distchecks timeouts.
- hardened compiler flags: -fstack-protector-strong -fstack-clash-protection
-fcf-protection
- Move SAFECLIB_HAVE_C99 to public safe_config.h (Hauke Mehrtens)
- Fix wcslwr_s error msg prefixes.
Changes in v05112019 3.5.2
- Fixed musl compilation by don't undefining _GNU_SOURCE
with getenv_s (PR #83, Fabrice Fontaine)
Changes in v29102019 3.5.2
- Fixed musl compilation by adding some _GNU_SOURCE
(PR #82, Fabrice Fontaine)
Changes in v17102019 3.5.2
- Fixed mbsrtowcs_s error message prefix.
- Fixed t_mbsrtowcs_s.exe compilation under newer mingw gcc.
Changes in v16102019 3.5.1
- Fixed memset_s for the upper 4 bits of 64 bit words (GH #73)
- Fixed strncat_s error handling for slen exceeds src.
clear dest, not src (GH #73)
- Fixed vswprintf_s by checking for failing malloc (GH #78)
- Several minor test improvements
Changes in v04062019 3.5.0
- Updated towctrans case-mappings and normalization to Unicode 12.1
Even the canon tables on windows need now a special bsearch in an
exception list, previously only the compat tables.
- Unversioned and renamed the libsafec.pc pkg-config file (PR #56)
- Fixed strnlen_s and wcsnlen_s for long enough smax arguments.
Now you can get the length without knowing the length beforehand. (GH #65)
- Fixed various C++ regressions (GH #64, GH #58)
- Fixed a linux kernel module regression from 3.4 (GH #67),
use the mb() macro.
- Fixed MEMORY_BARRIER on exotic compilers: replace
asm("memory_barrier" ::: "memory") with __sync_synchronize()
- Fixed headers and linkage for the latest msys2-w32api-headers-7
- Fixed src and tests for the nvidia pgi pgcc compiler (17.4 and 19.4).
This compiler has such a bad optimizer, that it cannot get the
object_size of all static vars. It also crashes on some valid code.
- Added -mcet -fcf-protection=full probe (GH #60)
- Added the Huawei securec library to the docs
- Renamed internal build-tools to build-aux
- Reformat all source code with clang-format, added
build-aux/clang-format-all.sh
Changes in v30122018 3.4.0
- Updated towctrans case-mappings to Unicode 11.0 (GH #62)
- Improved memset_s, memzero_s security by adding a CPU memory barrier,
not just a compiler barrier. (GH #63)
Check various memory_barrier insns (mfence, sfence, lwsync, membar,
lock..., memory_barrier) and use it for the memset primitives
to reliably sync memory stores with possibly re-ordered loads.
Note that glibc/BSD explicit_bzero or Microsoft SecureZeroMemory only do
a simple compiler barrier, which is not Spectre, Meltdown secure.
- add pic_flag to RETPOLINE cflags and ldflags (GH #55)
- Add --disable-doc option (GH #54)
Changes in v03032018 3.3.0
- Added compile-time and run-time object_size checks (BOS), resulting
in EOVERFLOW error codes. Compilers only do this reliably with static
arrays, less so with literal strings. With known static allocation size
you can bypass RSIZE_MAX_* limits. BOS even knows about malloc sizes
on some platforms.
Renamed all functions to _*_chk, with the API as macros. (GH #40)
- Added run-time libmpx pointer boundary checks if supported. (GH #49)
gcc-5+ (optional), icc-15+
- Improved performance of mem_prim_set/mem_prim_move on 64bit machines by factor 2
by using 64bit ops, not 32bit. With clang-4+ memcpy_s is now as fast as
memcpy native, with gcc only 77% slower.
Added more benchmarks and improved the timing.
- Made the unsafe functions snprintf_s, vsnprintf_s, snwprintf_s, vsnwprintf_s
safe by guaranteeing null termination. Only tmpnam_s remains unsafe. (GH #52)
- Added strnatcmp_s, strnatcasecmp_s
- Add --disable-constraint-handler option. undef the run-time
invoke_safe_{str,mem}_constraint_handler function calls
in safe_config.h to avoid the large errormsg strings. No run-time
performance improvements, as those calls only happen in the error cases.
- Added --enable-warn-dmax option to warn when dmax != sizeof(dest),
and fatalized via --enable-error-dmax.
- Fixed wrong count max check in memmove32_s
- Fully tested against other secure libc extensions, the native msvcrt 7.0 (Win8)
and the msvcrt under wine-2.0.4 and wine-3.0.
- Fixed --disable-shared for Windows.
- Optimized null-slack clearing of dest, unrolling the memset loop with
small dest buffers.
- truncating funcs {v,}sn{w,}printf_s: clear dest on errors after printing to it
- Fixed compilation of the linux kernel module (PR #43, Fabrice Fontaine)
- Fixed c++ strictness when !c99 (e.g. g++ 4.3)
- Changed retval of sprintf_s/vsprintf_s on all errors from 0 to -1,
deviating from the standard. The original -1 retval was changed with
http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1141.pdf by Microsoft
to keep count += sprintf(buf + count, format_string, args) working,
where all errors simply returned 0. Later Microsoft and all others
changed the error return value back to -1, to be consistent with other
sprintf functions. So do we. (GH #45)
- Removed errno of sprintf_s/vsprintf_s, return the negative ES error code.
- sprintf_s/vsprintf_s on Windows use now the native vsnprintf_s function
to reject illegal format specifiers.
- More hardening with gcc-7.3/clang-7: Probe for -Wl,-z,textonly and
-Wl,-z,retpolineplt, currently only with lld-7
- Fixed wcsnorm_compose_s >RSIZE_MAX_WSTR integer overflow
- Fixed overlap checks to be C11 conformant, cast to uintptr_t. (GH #51)
- add strnatcmp_s, add strcmp_s src overflow checks,
ESUNTERM for src to avoid overflows
- Reworked C11 compatibility to closer align with the existing Windows+BSD
sec_api's, esp. with slen=0 cases of the cpy and move functions, while still
following the spec. (GH #39)
There's no seperate logic if the library was compiled with a C11 compiler
anymore. See the testcases for the remaining discrepances.
In detail:
- Return EOK and set dest[0] = 0 on n/slen = 0 with:
memccpy_s, strncpy_s
- Exit early with EOK on n/count=0 with:
mem{cpy,move}{16,32}_s, memset{16,32}_s, strcpyfld{,in,out}}_s,
wcs{lwr,upr}_s
- Change dmax to bytes to follow the documentation with:
mem{cpy,move}{16,32}_s
- Change memcmp{16,32} to work with natural sizes, not bytes.
- strncat_s, wcsncat_s: with slen=0 and dest=NULL and dmax=0, return EOK
- fwscanf_s: on mingw reset errno when *fmt = L'\0'
- vfwscanf_s: break early on mingw when *fmt = L'\0'
- wcstombs_s: clear dest when dest==src (as with msvcrt)
- {v,}sprintf_s: allow empty dest/dmax for size calculation
Changes in v15012018 3.2.0
- Fixed 32bit Windows wchar conversion functions, by changing wint_t to uint32_t
types for most internal conversions.
- Changed 2 public APIs:
int iswfc(uint32_t wc);
int towfc_s(wchar_t *restrict dest, rsize_t dmax, const uint32_t src);
- Removed ssize_t GNU extension (jeremyhannon)
- Removed illegal warnings with C++
- Fixed tests failing with C++
- Fixed cygwin smokes on Appveyor
- Workaround broken gcc-4.8 strchr macro
- Probe for broken strnstr, broken in newlib until Aug 2017.
- Fixed mingw smokes on Appveyor, adjusted many tests using
the native sec_api variants which do deviate from safeclib.
- Clear dest on empty src with *ncpy_s and *ncat_s: PR #38 (Arjun Gour)
- More hardening: Add -Wl,-z,noexecstack to AM_LDFLAGS,
retpoline, textonly not yet.
Changes in v09102017 3.1.0
Summary: With a non-C11 compiler not on windows the API didn't change, only docs.
- Fixed man pages: show public headers, hide private headers.
- Removed html pages from the release tarball
- Fixed slen=0 behaviour with cpy functions: When the library is compiled
with a C11 compiler, slen=0 is permitted, with an older compiler keep
erroring with ESZEROL: strncpy_s, wcsncpy_s, wcslwr_s, wcsupr_s, strcpyfld_s,
strcpyfldin_s, strcpyfldout_s
- Fixed docs for this behaviour: wcsncat_s, strncat_s
- Added hardened WARN_CFLAGS and WARN_LDFLAGS, minor fixes for the
hardened flags on older compilers,
probe for -Wl,--as-needed -Wl,-z,relro -Wl,-z,now
- Fixed NFD canon table for windows (sizeof wchar_t == 2) for 9 expansions
of length 6: U+1D160 - U+1D1C0
- Fixed _dec_w16 and _ENC_W16 encoding on windows, convert from and to
surrogate pair.
- Fixed distcheck and release targets, added distcheck to travis
Changes in v04102017 3.0.0
- Added mingw cross-compilation support and changes.
The MINGW_HAS_SECURE_API deviates in strtok_s, vsnprintf_s, wcstok_s
from C11 in w64, and in vswprintf for w32. (!__STRICT_ANSI__).
Add EXPORT and EXTERN decls for dllexport/dllimport.
Cleanup the src headers.
- Added -D_FORTIFY_SOURCE=2
- Made it -Wall -Wextra -Werror -pedantic safe
- Added cygwin and freebsd support
- Install bin/check_for_unsafe_apis. Renamed and improved: 7x faster,
added missing conversion hints. also install its man1.
- Seperated internal libstdunsafe target, for std but unsafe C11
functions: snprintf_s, vsnprintf_s, snwprintf_s, vsnwprintf_s, tmpnam_s
- Added --enable-unsafe (the 5 funcs above are not included by default).
defines SAFECLIB_ENABLE_UNSAFE
- Added --disable-extensions, skipping all non-C11 safe functions.
This contains in summary only 13 functions for now:
memcpy_s, memmove_s, memset_s, sprintf_s, strcat_s, strcpy_s, strncat_s,
strncpy_s, strnlen_s, strtok_s, vsprintf_s, strerror_s, strerrorlen_s
plus all the new C11 functions.
defines SAFECLIB_DISABLE_EXTENSIONS
- Rearranged src layout
- Macrofied many more tests, add CHECK_SLACK, errnot_t return and ERRNO checks.
- Improved some tests for old gcc -ansi (c89) memcmp
- Add unlikely() to improve branch prediction
- Added --enable-gcov and a gcov target. lcov support not yet,
but via gcov2perl and some fixups essentially the same. See build-tools/smoke.sh
- Added a check-valgrind make target with support for BSD make
- Added all missing safe wchar and multibyte string C11 functions:
mbsrtowcs_s, mbstowcs_s, wcsrtombs_s, wcstombs_s, wcrtomb_s,
wctomb_s, wcsnlen_s, wcscpy_s, wcsncpy_s, wcscat_s, wcsncat_s,
wcstok_s, swprintf_s, vswprintf_s, wmemcpy_s, wmemmove_s,
wprintf_s, fwprintf_s, vfwprintf_s, vwprintf_s, vswscanf_s, swscanf_s,
wscanf_s, vwscanf_s, vfwscanf_s, fwscanf_s
- Added RSIZE_MAX_WMEM and RSIZE_MAX_WSTR limits,
wchar_t maybe 2 or 4 bytes.
- Added all missing safe C11 IO functions:
sscanf_s, scanf_s, fscanf_s, vsscanf_s, vscanf_s, vfscanf_s,
fprintf_s, printf_s, vfprintf_s, vprintf_s, tmpnam_s (unsafe),
tmpfile_s, gets_s.
- Added all missing safe C11 time and stdlib functions:
asctime_s, ctime_s, gmtime_s, localtime_s, getenv_s,
bsearch_s, qsort_s.
- Added --disable-wchar to disable the new multibyte and wchar functions,
but not the old 16/32 memory functions.
defines SAFECLIB_DISABLE_WCHAR
- Better debugging support: add .i target
- Fixed memset32_s for n > RSIZE_MAX_MEM32 ESLEMAX,
was only RSIZE_MAX_MEM16.
- Added the wcsfc_s, wcsnorm_s, wcsicmp_s extensions to be able to compare wide
strings.
- Added --enable-norm-compat to enable the big compatbility modes NFKD, NFKC
for wcsnorm_s.
- Added the timingsafe_bcmp and timingsafe_memcmp extensions from OpenBSD,
and memccpy_s derived from FreeBSD.
- Changed strtok_s to set errno to ES* values. C11 does nothing,
but with wcstok_s sets errno to EINVAL.
- Changed memset_s, harmonized with C11 API
- Changed mem{cpy,move,set}_s with smax/n=0, dependent if compiled with
a C11 compiler or not.
- Added a C11 compiler probe from latest autoconf git.
- Eliminated str/mem/lib inclusion loops. You need to include the right header(s).
- Clarify return values for {str,wcs}tok_s
- Negative return error values for all printf functions,
Make clear that errno is not set with _s violations, only the underlying
system call sets it. (EINVAL, EOVERFLOW, EILSEQ, EOF)
- Updated from autoconf 2.68 to 2.69
Changes in v30082017 2.1.1
- Added vsprintf_s, vsnprintf_s. They are C11.
- Fixed travis smoking with different compilers.
- Fixed test with wrong -fsanitize=address strcmp() results.
asan returns just sgn(strcmp()), not the position.
- Macrofied some tests, use probed stdlib defines for fallbacks,
and add missing headers.
- Added empty stubs for all missing safe C11 functions
- Fixed C++ support for sprintf* and bool. Resolve restrict from
config.h before the header declarations.
Changes in v25082017 2.1.0
- Fixed many tests. They were not enabled at all. See #10.
sprintf_s, snprintf_s, memcpy16_s, memcpy32_s,
memmove_s, memmove16_s, memmove32_s, memset_s,
strcpyfldout_s, strljustify_s,
- Changed some errors: Throw ESLEMAX when smax exceeds max,
before the smax>dmax check (ESNOSPC):
memcpy_s, memcpy16_s, memcpy32_s, memcmp_s, memcmp16_s,
memcmp32_s, memmove_s, memmove16_s, memmov32_s.
- Reverted a strljustify_s change by me.
- Document that memset_s on C11 allows n = ZERO, and
ESNULLP will be EINVAL
- --enable-debug on Darwin disables shared
- add snprintf_s, which is the unsafe variant of sprintf_s
Changes in v24082017 2.0.1
- Added man (3) pages and proper documentation.
See https://rurban.github.io/safeclib/
- Added a safe_config.h for some new configure options:
strmax, memmax, nullstack and STRTOK_DELIM_MAX_LEN
Changes in v15082017 2.0.0
- Add restrict to all pointer args, where applicable
- Change ESLEMAX to ESNOSPC for `(smax > dmax)` overflows
- Made it -Wall -pedantic safe
- Fix strljustify_s for empty src
- Fix various test errors: wrong printf format types, mostly on 64bit.
uninitialized variables, wrong variable types, wrong variables.
- test_strcspn_s.c: fix for g++
- Fixup sprintf_s: Use the established API, call the str_constraint_handler,
return the proper error values. Add tests.
- Add guards to prevent name mangleing when headers are used in c++ code.
- change memset_s to __STDC_WANT_LIB_EXT1__
- memset16_s, memset32_s: change API analog to memset_s.
Also add the smax C11 argument there, to be consistent.
smax denotes the max. number of bytes, the max size.
- add missing AM_PROG_AR to configure.ac
Changes in v10052013 1.0.0
- Autogenerate safe_lib_errno.h safe_types.h
- use C99 stdbool instead of boolean_t, replace TRUE/FALSE with true/false
Changes in v04122012 1.0.0
- Update documentation
- Support slkm: linux kernel module
Changes in v08112011 0.0
- autotoolized
- taken from http://sourceforge.net/projects/safeclib/
|