Releases: rurban/safeclib
safeclib v16102019 3.5.1 released
Fixed memset_s for the upper 4 bits of 64 bit words (GH #73)
Fixed strncat_s error handling when slen exceeds src: clear dest, not src (GH #73)
Fixed vswprintf_s by checking for failing malloc (GH #78)
Several minor test improvements
56f48d0ebe3c9db21073a27db512c6975abee6180003d17e425ac26e215997b8 libsafec-16102019.tar.bz2
4a6af1c8b08bbbb3bccef2c205062e371134b8b5c230a3fd4ff602be2aee73e3 libsafec-16102019.tar.gz
95a41ae3e5643bc5159661d06c9bba859c5e5e4dedc73c528a2add3c6d825ecc libsafec-16102019.tar.xz
safeclib v04062019 3.5 released
- Updated towctrans case-mappings and normalization to Unicode 12.1.
Even the canon tables on Windows now need a special bsearch in an
exception list; previously only the compat tables did.
- Unversioned and renamed the libsafec.pc pkg-config file (PR #56)
- Fixed strnlen_s and wcsnlen_s for long enough smax arguments.
Now you can get the length without knowing the length beforehand. (GH #65)
- Fixed various C++ regressions (GH #64, GH #58)
- Fixed a Linux kernel module regression from 3.4 (GH #67): use the mb() macro.
- Fixed MEMORY_BARRIER on exotic compilers: replace
asm("memory_barrier" ::: "memory") with __sync_synchronize()
- Fixed headers and linkage for the latest msys2-w32api-headers-7
- Fixed src and tests for the NVIDIA PGI pgcc compiler (17.4 and 19.4).
This compiler has such a bad optimizer that it cannot get the
object_size of all static vars. It also crashes on some valid code.
- Added -mcet -fcf-protection=full probe (GH #60)
- Added the Huawei securec library to the docs
- Renamed internal build-tools to build-aux
- Reformatted all source code with clang-format, added
build-aux/clang-format-all.sh
See https://github.com/rurban/safeclib/blob/master/ChangeLog and https://rurban.github.io/safeclib/
bb3680fb15cace9ffb1120352a4d8a149187006f4b7d8daa397530d9541c606c libsafec-04062019.0-ga99a05.tar.bz2
e6e452de41292db374beda943ab752b04d1587e383406a29d60b4799a3e53cb5 libsafec-04062019.0-ga99a05.tar.gz
fa0b07967793097f73247d0c493ea590f7a393d13c7e37fb29d591596b7b6c12 libsafec-04062019.0-ga99a05.tar.xz
safeclib v30122018 3.4 released
- Updated towctrans case-mappings to Unicode 11.0 (GH #62)
- Improved memset_s, memzero_s security by adding a CPU memory barrier,
not just a compiler barrier. (GH #63)
Check for various memory_barrier insns (mfence, sfence, lwsync, membar,
lock..., memory_barrier) and use one for the memset primitives
to reliably sync memory stores with possibly re-ordered loads.
Note that glibc/BSD explicit_bzero or Microsoft SecureZeroMemory only do
a simple compiler barrier, which is not secure against Spectre and Meltdown.
- Add pic_flag to RETPOLINE cflags and ldflags (GH #55)
- Add --disable-doc option (GH #54)
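The barrier-backed zeroing described in the memset_s/memzero_s note above, as an added example that is not safeclib's own code: a 64-bit-word memset primitive that replicates the byte value into the whole word (so the upper bytes of each word are written too, the class of defect the 3.5.1 note above fixes), stores through volatile pointers so the compiler cannot drop the writes as dead stores, and finishes with a compiler barrier followed by the __sync_synchronize() CPU barrier that the 3.5 notes mention. The function names, the demo routines and the constructed buffer contents are my own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Compiler-only barrier: keeps the compiler from eliding the stores as
 * dead (the explicit_bzero / SecureZeroMemory level of protection). */
#define COMPILER_BARRIER() __asm__ __volatile__("" ::: "memory")

/* Full CPU memory barrier (gcc/clang builtin; emits mfence, dmb, lwsync,
 * ... depending on the target). Orders the stores against later loads. */
#define CPU_BARRIER() __sync_synchronize()

/* Fill n bytes at dest with value. Unaligned head and tail bytes are
 * written one at a time; the aligned middle is written in 64-bit words.
 * The byte value is replicated into all eight bytes of the word, so the
 * upper half of every word is set and not left at zero. All stores go
 * through volatile pointers, then both barriers run before returning. */
void secure_memset(void *dest, unsigned char value, size_t n) {
    volatile unsigned char *p = (volatile unsigned char *)dest;
    const uint64_t word = 0x0101010101010101ULL * value;

    while (n > 0 && ((uintptr_t)p & 7u) != 0) { /* head */
        *p++ = value;
        n--;
    }
    while (n >= 8) {                             /* aligned middle */
        *(volatile uint64_t *)p = word;
        p += 8;
        n -= 8;
    }
    while (n > 0) {                              /* tail */
        *p++ = value;
        n--;
    }
    COMPILER_BARRIER();
    CPU_BARRIER();
}

/* Returns 1 if every one of the n bytes at p equals value, else 0. */
int all_bytes_equal(const void *p, unsigned char value, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    for (size_t i = 0; i < n; i++) {
        if (b[i] != value) return 0;
    }
    return 1;
}

/* Demo 1: scrub a constructed "key" at an odd offset so the head, word and
 * tail paths are all exercised; bytes outside the range must be untouched.
 * Returns 1 on success, 0 on failure. */
int demo_scrub(void) {
    unsigned char key[64];
    memset(key, 0xAB, sizeof key);     /* constructed secret contents */
    secure_memset(key + 3, 0x00, 37);  /* clears bytes 3..39 */
    return all_bytes_equal(key + 3, 0x00, 37) && key[2] == 0xAB && key[40] == 0xAB;
}

/* Demo 2: a non-zero fill pattern, checking that the upper bytes of each
 * 64-bit word received the pattern as well. Returns 1 on success. */
int demo_pattern(void) {
    uint64_t words[4] = {0, 0, 0, 0};
    secure_memset(words, 0xA5, sizeof words);
    return all_bytes_equal(words, 0xA5, sizeof words)
        && words[0] == 0xA5A5A5A5A5A5A5A5ULL;
}
```

The compiler barrier alone is what explicit_bzero gives you: the stores happen, but nothing forces them to be globally visible before a later, possibly speculated load. The CPU barrier closes that window, at the cost of one fence per call, which is why the library only pays it in the memset primitives.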
clang-5+ is highly recommended over gcc: it detects errors at compile time during development, provides run-time safety via retpoline, and gives vastly better performance.
CC="clang-7 -march=native -fstrict-aliasing" ./configure
or even
CC="clang-7 -flto -march=native -fstrict-aliasing" AR=llvm-ar-7 ./configure
See https://github.com/rurban/safeclib/blob/master/ChangeLog and https://rurban.github.io/safeclib/
7ca210d537b9f4d06b27a49166544694d76b587ac5c07137b7d85baacc368b7f libsafec-30122018.0-g4d1571.tar.bz2
765f1793d9f6dd50430ff7ec60ef629c1d5b84fe46202325b84a6973e5b08134 libsafec-30122018.0-g4d1571.tar.gz
1ded6a403539c9924ae273b0848cbcb31028331a3252cadbbb7b389d59df1b7a libsafec-30122018.0-g4d1571.tar.xz
safeclib 3.3 v03032018 released
- Added compile-time and run-time object_size checks (BOS), resulting
in EOVERFLOW error codes. Compilers only do this reliably with static
arrays, less so with literal strings. With known static allocation size
you can bypass RSIZE_MAX_* limits. BOS even knows about malloc sizes
on some platforms.
Renamed all functions to _*_chk, with the API as macros. (GH #40)
- Added run-time libmpx pointer boundary checks if supported. (GH #49)
gcc-5+ (optional), icc-15+
- Improved performance of mem_prim_set/mem_prim_move on 64-bit machines by a factor of 2
by using 64-bit ops instead of 32-bit. With clang-4+ memcpy_s is now as fast as
native memcpy; with gcc it is only 77% slower.
Added more benchmarks and improved the timing.
- Made the unsafe functions snprintf_s, vsnprintf_s, snwprintf_s, vsnwprintf_s
safe by guaranteeing null termination. Only tmpnam_s remains unsafe. (GH #52)
- Added strnatcmp_s, strnatcasecmp_s, wcsnatcmp_s, wcsnaticmp_s
- Add --disable-constraint-handler option. undef the run-time
invoke_safe_{str,mem}_constraint_handler function calls
in safe_config.h to avoid the large errormsg strings. No run-time
performance improvements, as those calls only happen in the error cases.
- Added --enable-warn-dmax option to warn when dmax != sizeof(dest),
and made it fatal via --enable-error-dmax.
- Fixed wrong count max check in memmove32_s
- Fully tested against other secure libc extensions, the native msvcrt 7.0 (Win8)
and the msvcrt under wine-2.0.4 and wine-3.0.
- Fixed --disable-shared for Windows.
- Optimized null-slack clearing of dest, unrolling the memset loop with
small dest buffers.
- Truncating functions {v,}sn{w,}printf_s: clear dest on errors after printing to it
- Fixed compilation of the linux kernel module (PR #43, Fabrice Fontaine)
- Fixed c++ strictness when !c99 (e.g. g++ 4.3)
- Changed retval of sprintf_s/vsprintf_s on all errors from 0 to -1,
deviating from the standard. The original -1 retval was changed with
http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1141.pdf by Microsoft
to keep count += sprintf(buf + count, format_string, args) working,
where all errors simply returned 0. Later Microsoft and all others
changed the error return value back to -1, to be consistent with other
sprintf functions. So do we. (GH #45)
- Removed errno of sprintf_s/vsprintf_s, return the negative ES error code.
- sprintf_s/vsprintf_s on Windows use now the native vsnprintf_s function
to reject illegal format specifiers.
- More hardening with gcc-7.3/clang-7: Probe for -Wl,-z,textonly and
-Wl,-z,retpolineplt, currently only with lld-7
- Fixed wcsnorm_compose_s >RSIZE_MAX_WSTR integer overflow
- Fixed overlap checks to be C11 conformant, cast to uintptr_t. (GH #51)
- Added strnatcmp_s; added strcmp_s src overflow checks, returning
ESUNTERM for an unterminated src to avoid overflows
- Reworked C11 compatibility to closer align with the existing Windows+BSD
sec_api's, esp. with slen=0 cases of the cpy and move functions, while still
following the spec. (GH #39)
There is no separate logic anymore if the library was compiled with a C11
compiler. See the testcases for the remaining discrepancies.
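As an added illustration of two checks described in these 3.3 notes, the object-size (BOS) check that yields EOVERFLOW and the C11-conformant overlap check via uintptr_t, here is a small memcpy_s-style wrapper. It is my own simplified code, not safeclib's implementation: the error-code names follow safeclib's (ESNULLP, ESZEROL, ESLEMAX, ESOVRLP, ESNOSPC), but their numeric values, the RSIZE_MAX_MEM limit, the `memcpy_s_chk` name and the demo buffers are assumptions. The `_chk` function does the work and the `memcpy_s` macro passes `__builtin_object_size` of the destination, which is why the size is known for a static array at the call site but unknown ((size_t)-1) behind an opaque pointer.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed values: illustrative, not safeclib's real constants. */
#define RSIZE_MAX_MEM (256UL * 1024 * 1024)
#define EOK     0
#define ESNULLP 400   /* null pointer argument */
#define ESZEROL 401   /* zero length */
#define ESLEMAX 403   /* length exceeds RSIZE_MAX_MEM */
#define ESOVRLP 404   /* src and dest overlap */
#define ESNOSPC 406   /* not enough space in dest */

/* C11 6.5.8p5 makes relational comparison of pointers into different
 * objects undefined, so compare integer addresses instead. Two regions
 * overlap when each starts before the other ends; empty regions never do. */
int regions_overlap(const void *a, size_t alen, const void *b, size_t blen) {
    uintptr_t ai = (uintptr_t)a, bi = (uintptr_t)b;
    if (alen == 0 || blen == 0) return 0;
    return ai < bi + blen && bi < ai + alen;
}

/* Run-time part of the check. destbos is the compile-time object size of
 * dest as seen at the call site, or (size_t)-1 when the compiler does not
 * know it. When known, dmax must not exceed it (EOVERFLOW) and the
 * RSIZE_MAX_MEM limit is bypassed; when unknown, the limit applies. */
int memcpy_s_chk(void *dest, size_t dmax, const void *src, size_t n, size_t destbos) {
    if (dest == NULL || src == NULL) return ESNULLP;
    if (dmax == 0) return ESZEROL;
    if (destbos != (size_t)-1) {
        if (dmax > destbos) return EOVERFLOW;   /* caller lied about dest */
    } else if (dmax > RSIZE_MAX_MEM) {
        return ESLEMAX;
    }
    if (n > dmax) return ESNOSPC;
    if (regions_overlap(dest, n, src, n)) return ESOVRLP;
    memcpy(dest, src, n);
    return EOK;
}

/* Evaluated at the call site, so a static array's real size is known. */
#define memcpy_s(dest, dmax, src, n) \
    memcpy_s_chk((dest), (dmax), (src), (n), __builtin_object_size((dest), 0))

/* Honest dmax for a 16-byte static array: the copy succeeds (EOK). */
int demo_ok(void) {
    char dest[16];
    const char src[] = "constructed";  /* 12 bytes including the NUL */
    return memcpy_s(dest, sizeof dest, src, sizeof src);
}

/* Caller claims dmax = 64 for the same 16-byte array. n would fit in the
 * claimed size, so a dmax-only check would pass, but the compiler knows
 * the object is 16 bytes and the call is rejected with EOVERFLOW. */
int demo_overflow(void) {
    char dest[16];
    const char src[] = "constructed";
    return memcpy_s(dest, 64, src, sizeof src);
}

/* n larger than dmax: ESNOSPC, whether or not the object size is known. */
int demo_nospc(void) {
    char dest[16];
    const char src[] = "constructed";
    return memcpy_s(dest, 8, src, sizeof src);
}

/* Overlapping regions inside one buffer: ESOVRLP (memmove_s territory). */
int demo_overlap(void) {
    char buf[32] = "0123456789abcdefghijklmnopqrstu";
    return memcpy_s(buf + 4, 20, buf, 8);
}
```

The real library additionally clears dest on most error paths; that is left out here to keep the control flow readable. Note that `__builtin_object_size` only folds to a constant when the compiler can see the allocation (a static array, or malloc on some platforms at higher optimization levels), which is exactly the caveat the note about the PGI compiler in the 3.5 release describes.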
clang-5+ is highly recommended over gcc: it detects errors at compile time during development, provides run-time safety via retpoline, and gives vastly better performance.
CC="clang-7 -march=native -fstrict-aliasing" ./configure
or even
CC="clang-7 -flto -march=native -fstrict-aliasing" AR=llvm-ar-7 ./configure
See https://github.com/rurban/safeclib/blob/master/ChangeLog and https://rurban.github.io/safeclib/
54b25c2b4738a80404a493c7091bf16ecd5de32a libsafec-03032018.0-g570fa5.tar.bz2
8f6e3fafdfd3599def9c1b6773575ed89018a435 libsafec-03032018.0-g570fa5.tar.gz
0395d52b0929007becfeddfbe58d1cb39762a014 libsafec-03032018.0-g570fa5.tar.xz
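The `count += sprintf(buf + count, format_string, args)` idiom discussed in the sprintf_s retval note of the 3.3 release above, with the -1 error convention, as an added example (my code, not safeclib's; `append_s`, the demo functions and the constructed inputs are assumptions): an appender built on vsnprintf that returns -1 when the text does not fit and leaves the buffer unchanged, so the accumulation loop stops on the first failure instead of treating it as a zero-length append.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append formatted text at buf + *count, never writing past cap bytes.
 * Returns the number of characters appended, or -1 on a format error or
 * when the result would not fit (the buffer is restored and stays
 * NUL-terminated in that case). The -1 convention is the point: with the
 * old "return 0 on error" rule a caller could not tell an error from an
 * empty append and would silently keep going. */
__attribute__((format(printf, 4, 5)))
int append_s(char *buf, size_t cap, size_t *count, const char *fmt, ...) {
    if (buf == NULL || count == NULL || fmt == NULL || *count >= cap) return -1;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + *count, cap - *count, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= cap - *count) {
        buf[*count] = '\0';   /* undo the partial write, keep the string valid */
        return -1;
    }
    *count += (size_t)n;
    return n;
}

/* Demo 1: two appends that fit in a 16-byte buffer.
 * Returns the final count (9), or -1 if any append failed. */
int demo_fits(void) {
    char buf[16] = "";
    size_t count = 0;
    if (append_s(buf, sizeof buf, &count, "a=%d;", 1) < 0) return -1;
    if (append_s(buf, sizeof buf, &count, "b=%d;", 22) < 0) return -1;
    return strcmp(buf, "a=1;b=22;") == 0 ? (int)count : -1;
}

/* Demo 2: the second append needs 13 characters but only 12 bytes remain
 * (11 plus the NUL), so it is refused and the buffer keeps "a=1;".
 * Returns 0 when the refusal behaved as expected, 1 otherwise. */
int demo_too_long(void) {
    char buf[16] = "";
    size_t count = 0;
    append_s(buf, sizeof buf, &count, "a=%d;", 1);
    int rc = append_s(buf, sizeof buf, &count, "%s", "0123456789ABC");
    return (rc == -1 && count == 4 && strcmp(buf, "a=1;") == 0) ? 0 : 1;
}
```

A caller that does `count += append_s(...)` without checking the sign would move count backwards by one on error; the idiom only stays safe when every call's return value is tested, which is what the uniform -1 makes easy to audit.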
safeclib 3.2 v15012018.0 released
See https://github.com/rurban/safeclib/blob/master/ChangeLog and https://rurban.github.io/safeclib/
a688a81a97b053c87e8ff79c7e1316891ded07e8 libsafec-15012018.0-ge0f580.tar.bz2
ab5062a9b7838adcad54e7a6c6c00e841a29ec72 libsafec-15012018.0-ge0f580.tar.gz
safeclib-3.1 v09102017 released
Mostly just docs and windows (sizeof(wchar_t)==2) fixes.
Permit slen=0 for C11
Harden: added WARN_CFLAGS
With a non-C11 compiler not on Windows the API did not change, only the docs, so it could be updated without an API bump.
See the ChangeLog and documentation at https://rurban.github.io/safeclib/doc/safec-3.1/
b0eba8cb320b2ab4348107cc60f1bba3a3e35cb3 libsafec-09102017.0-g9db9fd.tar.bz2
9aa720f5fba003da50601fde3e3e0dd65f0148f5 libsafec-09102017.0-g9db9fd.tar.gz
safeclib-3.0 v04102017 released
The first fully C11 compliant release.
Many additions, compilation and test fixes.
See the ChangeLog and documentation at https://rurban.github.io/safeclib/doc/safec-3.0/
0ce782070d0aa4e801d5bd4849a6e115c901e4e4 libsafec-04102017.0-gab130d.tar.bz2
c8785f5afa534648e2ddfb1646320a25b8cb40da libsafec-04102017.0-gab130d.tar.gz
safeclib-2.1.1 v30082017 released
Added vsprintf_s, vsnprintf_s. They are C11.
Many compilation and test fixes.
See the ChangeLog.
12df8c809a7a6f380aa000c7ef3026c824f8a373 libsafec-30082017.0-g85d10b.tar.bz2
0bbe4df602036e8a94a2ced25361b7e5f58146eb libsafec-30082017.0-g85d10b.tar.gz
safeclib-2.1 v25082017 released
See the ChangeLog.
- Bumped to 2.1
- Fixed many tests. They were not enabled at all. See #10:
sprintf_s, snprintf_s, memcpy16_s, memcpy32_s,
memmove_s, memmove16_s, memmove32_s, memset_s,
strcpyfldout_s, strljustify_s
- Changed some errors: throw ESLEMAX when smax exceeds max;
before, it errored with the smax>dmax check (ESNOSPC):
memcpy_s, memcpy16_s, memcpy32_s, memcmp_s, memcmp16_s,
memcmp32_s, memmove_s, memmove16_s, memmove32_s.
- Reverted a strljustify_s change by me.
- Document that memset_s on C11 allows n = ZERO, and
ESNULLP will be EINVAL
- --enable-debug on Darwin disables shared
- Add snprintf_s, the unsafe variant of sprintf_s
safeclib-2.0 v24082017 released
See the ChangeLog.
- Added man (3) pages and proper documentation.
See https://rurban.github.io/safeclib/
- Added a safe_config.h for some new configure options:
strmax, memmax, nullstack and STRTOK_DELIM_MAX_LEN