This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [MTASCsft PATCH 06/??] MT-, AS- and AC-Safety docs: manual/crypt.texi

From: "Carlos O'Donell" <carlos at redhat dot com>
To: Alexandre Oliva <aoliva at redhat dot com>, codonell at redhat dot com
Cc: libc-alpha at sourceware dot org
Date: Wed, 29 Jan 2014 01:09:10 -0500
Subject: Re: [MTASCsft PATCH 06/??] MT-, AS- and AC-Safety docs: manual/crypt.texi
Authentication-results: sourceware.org; auth=none
References: <ortxelb5zd dot fsf at livre dot home> <or4n4uoncj dot fsf at livre dot home> <oreh3yn31q dot fsf_-_ at livre dot home>

On 01/23/2014 10:14 AM, Alexandre Oliva wrote:
> The oddity here is that setkey_r and encrypt_r are documented together,
> with @deftypefun and @deftypefunx, and introducing a @safety note
> between them broke something (I don't recall exactly what; it could be
> just my report script, but I could cause some formatting problems).
> This is the only case in which two significantly different functions are
> documented together, but fortunately their safety properties were the
> same, so I just commented out the first @safety line.  How's that?
 
That's fine. They should really be two entries there, but that's another bug.

OK to checkin.
 
> for ChangeLog
> 
> 	* manual/crypt.texi: Document MTASC-safety properties.
> ---
>  manual/crypt.texi |   30 ++++++++++++++++++++++++++++++
>  1 file changed, 30 insertions(+)
> 
> diff --git a/manual/crypt.texi b/manual/crypt.texi
> index 9c65b95..fd007cf 100644
> --- a/manual/crypt.texi
> +++ b/manual/crypt.texi
> @@ -99,6 +99,13 @@ in a convenient way.
>  @comment unistd.h
>  @comment BSD
>  @deftypefun {char *} getpass (const char *@var{prompt})
> +@safety{@prelim{}@mtunsafe{@mtasuterm{}}@asunsafe{@ascuheap{} @asulock{} @asucorrupt{}}@acunsafe{@acuterm{} @aculock{} @acucorrupt{}}}
> +@c This function will attempt to create a stream for terminal I/O, but
> +@c will fallback to stdio/stderr.  It attempts to change the terminal
> +@c mode in a thread-unsafe way, write out the prompt, read the password,
> +@c then restore the terminal mode.  It has a cleanup to close the stream
> +@c in case of (synchronous) cancellation, but not to restore the
> +@c terminal mode.
>  
>  @code{getpass} outputs @var{prompt}, then reads a string in from the
>  terminal without echoing it.  It tries to connect to the real terminal,
> @@ -134,6 +141,13 @@ The substitute takes the same parameters as @code{getline}
>  @comment crypt.h
>  @comment BSD, SVID
>  @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
> +@safety{@prelim{}@mtunsafe{@mtasurace{:crypt}}@asunsafe{@asucorrupt{} @asulock{} @ascuheap{} @ascudlopen{}}@acunsafe{@aculock{} @acsmem{}}}
> +@c Besides the obvious problem of returning a pointer into static
> +@c storage, the DES initializer takes an internal lock with the usual
> +@c set of problems for AS- and AC-Safety.  The FIPS mode checker and the
> +@c NSS implementations of may leak file descriptors if canceled.  The
> +@c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
> +@c and NSS relies on dlopening, which brings about another can of worms.
>  
>  The @code{crypt} function takes a password, @var{key}, as a string, and
>  a @var{salt} character array which is described below, and returns a
> @@ -195,6 +209,9 @@ for a password and prints ``Access granted.'' if the user types
>  @comment crypt.h
>  @comment GNU
>  @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
> +@safety{@prelim{}@mtsafe{}@asunsafe{@asucorrupt{} @asulock{} @ascuheap{} @ascudlopen{}}@acunsafe{@aculock{} @acsmem{}}}
> +@c Compared with crypt, this function fixes the @mtasurace:crypt
> +@c problem, but nothing else.
>  
>  The @code{crypt_r} function does the same thing as @code{crypt}, but
>  takes an extra parameter which includes space for its result (among
> @@ -241,6 +258,11 @@ specifies the unused bits.
>  @comment crypt.h
>  @comment BSD, SVID
>  @deftypefun void setkey (const char *@var{key})
> +@safety{@prelim{}@mtunsafe{@mtasurace{:crypt}}@asunsafe{@asucorrupt{} @asulock{}}@acunsafe{@aculock{}}}
> +@c The static buffer stores the key, making it fundamentally
> +@c thread-unsafe.  The locking issues are only in the initialization
> +@c path; cancelling the initialization will leave the lock held, it
> +@c would otherwise repeat the initialization on the next call.
>  
>  The @code{setkey} function sets an internal data structure to be an
>  expanded form of @var{key}.  @var{key} is specified as an array of 64
> @@ -252,6 +274,8 @@ parity.
>  @comment crypt.h
>  @comment BSD, SVID
>  @deftypefun void encrypt (char *@var{block}, int @var{edflag})
> +@safety{@prelim{}@mtunsafe{@mtasurace{:crypt}}@asunsafe{@asucorrupt{} @asulock{}}@acunsafe{@aculock{}}}
> +@c Same issues as setkey.
>  
>  The @code{encrypt} function encrypts @var{block} if
>  @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
> @@ -265,9 +289,11 @@ stored in a @code{char}, but there are no parity bits in @var{block}.
>  @comment crypt.h
>  @comment GNU
>  @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
> +@c @safety{@prelim{}@mtsafe{}@asunsafe{@asucorrupt{} @asulock{}}@acunsafe{@aculock{}}}
>  @comment crypt.h
>  @comment GNU
>  @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
> +@safety{@prelim{}@mtsafe{}@asunsafe{@asucorrupt{} @asulock{}}@acunsafe{@aculock{}}}
>  
>  These are reentrant versions of @code{setkey} and @code{encrypt}.  The
>  only difference is the extra parameter, which stores the expanded
> @@ -282,6 +308,7 @@ defined in @file{crypt.h}.
>  @comment rpc/des_crypt.h
>  @comment SUNRPC
>  @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode})
> +@safety{@prelim{}@mtsafe{}@assafe{}@acsafe{}}
>  
>  The function @code{ecb_crypt} encrypts or decrypts one or more blocks
>  using DES.  Each block is encrypted independently.
> @@ -356,6 +383,7 @@ is not a multiple of 8 or @var{len} is larger than @code{DES_MAXDATA}.
>  @comment rpc/des_crypt.h
>  @comment SUNRPC
>  @deftypefun int DES_FAILED (int @var{err})
> +@safety{@prelim{}@mtsafe{}@assafe{}@acsafe{}}
>  This macro returns 1 if @var{err} is a `success' result code from
>  @code{ecb_crypt} or @code{cbc_crypt}, and 0 otherwise.
>  @end deftypefun
> @@ -363,6 +391,7 @@ This macro returns 1 if @var{err} is a `success' result code from
>  @comment rpc/des_crypt.h
>  @comment SUNRPC
>  @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned @var{len}, unsigned @var{mode}, char *@var{ivec})
> +@safety{@prelim{}@mtsafe{}@assafe{}@acsafe{}}
>  
>  The function @code{cbc_crypt} encrypts or decrypts one or more blocks
>  using DES in Cipher Block Chaining mode.
> @@ -389,6 +418,7 @@ Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
>  @comment rpc/des_crypt.h
>  @comment SUNRPC
>  @deftypefun void des_setparity (char *@var{key})
> +@safety{@prelim{}@mtsafe{}@assafe{}@acsafe{}}
>  
>  The function @code{des_setparity} changes the 64-bit @var{key}, stored
>  packed in 8-bit bytes, to have odd parity by altering the low bits of
> 
>

References:
- [MTASCsft PATCH 01/??] MT-, AS- and AC-Safety docs
  - From: Alexandre Oliva
- [MTASCsft PATCH 06/??] MT-, AS- and AC-Safety docs: manual/crypt.texi
  - From: Alexandre Oliva

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]