Re: svn commit: r272673 - in head: include lib/libc/string sys/conf sys/libkern sys/sys

2014-10-07 Thread Dag-Erling Smørgrav
Xin LI delp...@freebsd.org writes:
 Log:
   Add explicit_bzero(3) and its kernel counterpart.

I would much prefer that we add memset_s(3) from C11, which predates
explicit_bzero(3) by either three or five years (depending on whether
you count from the publication date or the proposal date).  In the
longer term, we should also consider adding the rest of annex K.

Here's a patch for NetBSD (which was never accepted):

https://mail-index.netbsd.org/tech-userlevel/2012/02/24/msg006125.html

I realize that these extensions are controversial, but I still believe
that having them is better than not having them.  As the WG points out,
the intention with gets_s(3) and scanf_s(3) is not to encourage the use
of those interfaces, but to make it easier to retrofit code that uses
gets(3) and scanf(3).

DES
-- 
Dag-Erling Smørgrav - d...@des.no

svn commit: r272673 - in head: include lib/libc/string sys/conf sys/libkern sys/sys

2014-10-06 Thread Xin LI
Author: delphij
Date: Tue Oct  7 04:54:11 2014
New Revision: 272673
URL: https://svnweb.freebsd.org/changeset/base/272673

Log:
  Add explicit_bzero(3) and its kernel counterpart.
  
  Obtained from:	OpenBSD
  MFC after:	2 weeks

Added:
  head/lib/libc/string/explicit_bzero.c   (contents, props changed)
  head/sys/libkern/explicit_bzero.c   (contents, props changed)
Modified:
  head/include/strings.h
  head/lib/libc/string/Makefile.inc
  head/lib/libc/string/Symbol.map
  head/lib/libc/string/bzero.3
  head/sys/conf/files
  head/sys/sys/systm.h

Modified: head/include/strings.h
==
--- head/include/strings.h  Mon Oct  6 23:17:01 2014(r272672)
+++ head/include/strings.h  Tue Oct  7 04:54:11 2014(r272673)
@@ -43,6 +43,9 @@ intbcmp(const void *, const void *, si
 voidbcopy(const void *, void *, size_t);   /* LEGACY */
 voidbzero(void *, size_t); /* LEGACY */
 #endif
+#if __BSD_VISIBLE
+voidexplicit_bzero(void *, size_t);
+#endif
 #if __XSI_VISIBLE
 int ffs(int) __pure2;
 #endif
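Review bot: the prototype goes into <strings.h> under __BSD_VISIBLE, but OpenBSD, the stated origin of this code, declares explicit_bzero() in <string.h>, so code written for OpenBSD that includes only <string.h> will call it without a prototype on FreeBSD. Either add the same declaration to <string.h> under __BSD_VISIBLE, or note the header difference in bzero.3 so porters are not surprised.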

Modified: head/lib/libc/string/Makefile.inc
==
--- head/lib/libc/string/Makefile.inc   Mon Oct  6 23:17:01 2014
(r272672)
+++ head/lib/libc/string/Makefile.inc   Tue Oct  7 04:54:11 2014
(r272673)
@@ -6,7 +6,8 @@
 CFLAGS+= -I${LIBC_SRCTOP}/locale
 
 # machine-independent string sources
-MISRCS+=bcmp.c bcopy.c bzero.c ffs.c ffsl.c ffsll.c fls.c flsl.c flsll.c \
+MISRCS+=bcmp.c bcopy.c bzero.c explicit_bzero.c \
+   ffs.c ffsl.c ffsll.c fls.c flsl.c flsll.c \
memccpy.c memchr.c memrchr.c memcmp.c \
memcpy.c memmem.c memmove.c memset.c \
stpcpy.c stpncpy.c strcasecmp.c \
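Review bot: only MISRCS is updated here, but bzero.3 in this same commit adds explicit_bzero to its NAME section, so the corresponding MLINKS entry (bzero.3 explicit_bzero.3) is needed as well so that "man explicit_bzero" resolves; nothing in this hunk adds it.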

Modified: head/lib/libc/string/Symbol.map
==
--- head/lib/libc/string/Symbol.map Mon Oct  6 23:17:01 2014
(r272672)
+++ head/lib/libc/string/Symbol.map Tue Oct  7 04:54:11 2014
(r272673)
@@ -100,6 +100,10 @@ FBSD_1.3 {
wcwidth_l;
 };
 
+FBSD_1.4 {
+   explicit_bzero;
+};
+
 FBSDprivate_1.0 {
__strtok_r;
 };
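Review bot: the symbol is placed in a new FBSD_1.4 version node, which has to exist in lib/libc/Versions.def for the generated version script to be valid, and that file is not among the files modified by this commit; confirm that FBSD_1.4 was already introduced there, otherwise the export will fail at link time.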

Modified: head/lib/libc/string/bzero.3
==
--- head/lib/libc/string/bzero.3Mon Oct  6 23:17:01 2014
(r272672)
+++ head/lib/libc/string/bzero.3Tue Oct  7 04:54:11 2014
(r272673)
@@ -35,7 +35,8 @@
 .Dt BZERO 3
 .Os
 .Sh NAME
-.Nm bzero
+.Nm bzero ,
+.Nm explicit_bzero
 .Nd write zeroes to a byte string
 .Sh LIBRARY
 .Lb libc
@@ -43,6 +44,8 @@
 .In strings.h
 .Ft void
 .Fn bzero void *b size_t len
+.Ft void
+.Fn explicit_bzero void *b size_t len
 .Sh DESCRIPTION
 The
 .Fn bzero
@@ -56,6 +59,12 @@ If
 is zero,
 .Fn bzero
 does nothing.
+.Pp
+The
+.Fn explicit_bzero
+variant behaves the same, but will not be removed by a compiler's dead store
+optimization pass, making it useful for clearing sensitive memory such as a
+password.
 .Sh SEE ALSO
 .Xr memset 3 ,
 .Xr swab 3
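Review bot: the new DESCRIPTION text promises more than the implementation delivers: "will not be removed by a compiler's dead store optimization pass" holds for the store into b, but copies of the secret left in registers, spilled stack slots or other buffers are untouched, and the protection relies on the compiler not being able to see through the weak hook (link-time optimization can change that). Suggest a CAVEATS paragraph saying that only the bytes of b are cleared and that callers should avoid keeping additional copies of sensitive data.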
@@ -72,3 +81,10 @@ before it was moved to
 for
 .St -p1003.1-2001
 compliance.
+.Pp
+The
+.Fn explicit_bzero
+function first appeared in
+.Ox 5.5
+and
+.Fx 11.0 .

Added: head/lib/libc/string/explicit_bzero.c
==
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/lib/libc/string/explicit_bzero.c   Tue Oct  7 04:54:11 2014
(r272673)
@@ -0,0 +1,22 @@
+/* $OpenBSD: explicit_bzero.c,v 1.3 2014/06/21 02:34:26 matthew Exp $ */
+/*
+ * Public domain.
+ * Written by Matthew Dempsky.
+ */
+
+#include sys/cdefs.h
+__FBSDID($FreeBSD$);
+
+#include string.h
+
+__attribute__((weak)) void
+__explicit_bzero_hook(void *buf, size_t len)
+{
+}
+
+void
+explicit_bzero(void *buf, size_t len)
+{
+   memset(buf, 0, len);
+   __explicit_bzero_hook(buf, len);
+}
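Review bot: this file includes <string.h>, but the prototype this commit adds lives in <strings.h>, so the definition of explicit_bzero() is never checked against its declaration, and __explicit_bzero_hook() has no prototype at all, which will trip -Wmissing-prototypes at libc's WARNS level; include <strings.h> and declare the hook (for example `void __explicit_bzero_hook(void *, size_t);`) before its weak definition. The weak, empty hook is what keeps the memset() alive: because the hook may be overridden at link time the compiler cannot assume its body is empty, so it cannot prove the preceding store dead; a comment saying so would help the next reader, since at first glance the hook looks like leftover debugging code.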

Modified: head/sys/conf/files
==
--- head/sys/conf/files Mon Oct  6 23:17:01 2014(r272672)
+++ head/sys/conf/files Tue Oct  7 04:54:11 2014(r272673)
@@ -3163,6 +3163,7 @@ libkern/arc4random.c  standard
 libkern/bcd.c  standard
 libkern/bsearch.c  standard
 libkern/crc32.cstandard
+libkern/explicit_bzero.c   standard
 libkern/fnmatch.c  standard
 libkern/iconv.coptional libiconv
 libkern/iconv_converter_if.m   optional libiconv

Added: head/sys/libkern/explicit_bzero.c
==
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/sys/libkern/explicit_bzero.c   Tue Oct  7 04:54:11 2014
(r272673)
@@ -0,0 +1,24 @@
+/* $OpenBSD: