This is a major rewrite of the description of 'crypt', 'getentropy',
and 'getrandom'.
A few highlights of the content changes:
- Throughout the manual, public headers, and user-visible messages,
I replaced the term "password" with "passphrase", the term
"password database" with "user database", and the term
"encrypt(ion)" with "(one-way) hashing" whenever it was applied to
passphrases. I didn't bother making this change in internal code
or tests. The use of the term "password" in ruserpass.c survives,
because that refers to a keyword in netrc files, but it is adjusted
to make this clearer.
There is a note in crypt.texi explaining that they were
traditionally called passwords but single words are not good enough
anymore, and a note in users.texi explaining that actual passphrase
hashes are found in a "shadow" database nowadays.
- There is a new short introduction to the "Cryptographic Functions"
section, explaining how we do not intend to be a general-purpose
cryptography library, and cautioning that there _are_, or have
been, legal restrictions on the use of cryptography in many
countries, without getting into any kind of detail that we can't
promise to keep up to date.
- I added more detail about what a "one-way function" is, and why
they are used to obscure passphrases for storage. I removed the
paragraph saying that systems not connected to a network need no
user authentication, because that's a pretty rare situation
nowadays. (It still says "sometimes it is necessary" to
authenticate the user, though.)
- I added documentation for all of the hash functions that glibc
actually supports, but not for the additional hash functions
supported by libxcrypt. If we're going to keep this manual section
around after the transition is more advanced, it would probably
make sense to add them then.
- There is much more detailed discussion of how to generate a salt,
and the failure behavior for crypt is documented. (Returning an
invalid hash on failure is what libxcrypt does; Solar Designer's
notes say that this was done "for compatibility with old programs
that assume crypt can never fail".)
- As far as I can tell, the header 'crypt.h' is entirely a GNU
invention, and never existed on any other Unix lineage. The
function 'crypt', however, was in Issue 1 of the SVID and is now
in the XSI component of POSIX. I tried to make all of the
@standards annotations consistent with this, but I'm not sure I got
them perfectly right.
- The genpass.c example has been improved to use getentropy instead
of the current time to generate the salt, and to use a SHA-256 hash
instead of MD5. It uses more random bytes than is strictly
necessary because I didn't want to complicate the code with proper
base64 encoding.
- The testpass.c example has three hardwired hashes now, to
demonstrate that different one-way functions produce different
hashes for the same input. It also demonstrates how DES hashing
only pays attention to the first eight characters of the input.
- There is new text explaining in more detail how a CSPRNG differs
from a regular random number generator, and how
getentropy/getrandom are not exactly a CSPRNG. I tried not to make
specific falsifiable claims here. I also tried to make the
blocking/cancellation/error behavior of both getentropy and
getrandom clearer.
The functions encrypt, setkey, encrypt_r, setkey_r, cbc_crypt,
ecb_crypt, and des_setparity should not be used in new programs,
because they use the DES block cipher, which is unacceptably weak by
modern standards. Demote all of them to compatibility symbols, and
remove their prototypes from installed headers. cbc_crypt, ecb_crypt,
and des_setparity were already compat symbols when glibc was
configured with --disable-obsolete-rpc.
POSIX requires encrypt and setkey to be available when _XOPEN_CRYPT
is defined, so this change also removes the definition of X_OPEN_CRYPT
from <unistd.h>.
The entire "DES Encryption" section is dropped from the manual, as is
the mention of AUTH_DES and FIPS 140-2 in the introduction to
crypt.texi. The documentation of 'memfrob' cross-referenced the DES
Encryption section, which is replaced by a hyperlink to libgcrypt, and
while I was in there I spruced up the actual documentation of
'memfrob' and 'strfry' a little. It's still fairly jokey, because
those functions _are_ jokes, but they do also have real use cases, so
people trying to use them for real should have all the information
they need.
DES-based authentication for Sun RPC is also insecure and should be
deprecated or even removed, but maybe that can be left as TI-RPC's
problem.
__need_getopt is misnamed; what it really means is "we want only the
getopt features specified in POSIX, not the GNU extensions". Because
this code is shared with gnulib, it winds up being cleanest to split
getopt.h into *four* headers. getopt_core.h and getopt_ext.h will
be shared with gnulib, getopt_posix.h will be just for glibc, and
each project will have its own copy of getopt.h.
* posix/bits/getopt_core.h, posix/bits/getopt_ext.h:
New files, intended to be shared with gnulib.
* posix/bits/getopt_posix.h:
New file, not intended to be shared with gnulib.
* posix/getopt.h: Now just includes features.h,
bits/getopt_core.h, and bits/getopt_ext.h. Will
no longer be shared with gnulib.
* include/bits/getopt_core.h, include/bits/getopt_ext.h
* include/bits/getopt_posix.h: New wrappers.
* posix/Makefile: Install new headers.
* posix/unistd.h, libio/stdio.h:
Include bits/getopt_posix.h instead of getopt.h.
For many years, the only effect of these macros has been to make
unistd.h declare getlogin_r. _POSIX_C_SOURCE >= 199506L also causes
this function to be declared. However, people who don't carefully
read all the headers might be confused into thinking they need to
define _REENTRANT for any threaded code (as was indeed the case a long
time ago).
Therefore, remove __USE_REENTRANT, and make _REENTRANT and _THREAD_SAFE
into synonyms for _POSIX_C_SOURCE=199506L. This will only affect
programs that don't select a higher conformance level some other way.
For instance, -std=c89 -D_REENTRANT will see a change in visible
declarations, but -std=c99 -D_POSIX_C_SOURCE=200809L -D_REENTRANT won't,
and -D_REENTRANT all by itself also won't, because _DEFAULT_SOURCE
implies _POSIX_C_SOURCE > 199506.
* include/features.h: Remove __USE_REENTRANT. Treat _REENTRANT
and _THREAD_SAFE the same as _POSIX_C_SOURCE=199506L, if a higher
POSIX conformance level has not been selected by other macros.
* NEWS, manual/creature.texi: Document this change.
* posix/unistd.h, posix/bits/unistd.h: Don't check __USE_REENTRANT.
* include/libc-symbols.h: Don't define _REENTRANT.
* scripts/check-installed-headers.sh: Don't undefine _REENTRANT.
UNIX98 and XPG4 have ttyslot in <stdlib.h>. glibc, however, has it in
<unistd.h>, for __USE_MISC || (__USE_XOPEN_EXTENDED && !__USE_UNIX98),
but no supported standard has it in <unistd.h>.
This patch adds a properly conditioned declaration to <stdlib.h> (only
enabled for the relevant standards, not for __USE_MISC or __USE_GNU).
The <unistd.h> declaration is restricted to __USE_MISC. Some relevant
XFAILs are removed.
Tested for x86_64 and x86 (testsuite, and that installed stripped
shared libraries are unchanged by the patch).
[BZ #20051]
* posix/unistd.h [__USE_XOPEN_EXTENDED && !__USE_UNIX98]
(ttyslot): Do not declare.
* stdlib/stdlib.h [__USE_XOPEN_EXTENDED && !__USE_XOPEN2K]
(ttyslot): New prototype.
* conform/Makefile (test-xfail-XPG4/unistd.h/conform): Remove
variable.
(test-xfail-UNIX98/stdlib.h/conform): Likewise.
unistd.h declares gethostname for __USE_UNIX98 || __USE_XOPEN2K. But
it's also in XPG4 (XNS volume - C438 - not the main definitions of
system interfaces and headers in C435). This patch corrects the
condition.
Tested for x86_64 and x86 (testsuite, and that installed stripped
shared libraries are unchanged by the patch).
[BZ #20054]
* posix/unistd.h (gethostname): Declare if [__USE_XOPEN_EXTENDED],
not [__USE_UNIX98].
* conform/data/unistd.h-data (gethostname): Do not expect for
[XPG3].
For UNIX98 (only), unistd.h should declare pthread_atfork, but that
declaration is missing. This patch adds it.
Tested for x86_64 and x86 (testsuite, and that installed stripped
shared libraries are unchanged by the patch).
[BZ #20044]
* posix/unistd.h [__USE_UNIX98 && !__USE_XOPEN2K]
(pthread_atfork): New prototype.
* conform/Makefile (test-xfail-UNIX98/unistd.h/conform): Remove
variable.
For UNIX98 and older X/Open standards, unistd.h should have a
declaration of the legacy cuserid function, but such a declaration is
missing. This patch adds that missing declaration.
Tested for x86_64 and x86 (testsuite, and that installed stripped
shared libraries are unchanged by the patch).
[BZ #20043]
* posix/unistd.h [__USE_XOPEN && !__USE_XOPEN2K] (cuserid): New
prototype.
My review of conformtest expectations for POSIX showed up that the
_POSIX2_C_VERSION macro, required by POSIX and XPG standards before
2001, was missing in unistd.h, having been removed on 2003-04-03
despite those standards still being supported. This patch adds it
back. As it's in the implementation namespace, there's no need for it
to be conditional, and other such macros aren't conditional in this
header either.
Tested for x86_64 and x86 (testsuite). Note that this *does* change
the installed libraries, because it affects the sysconf support
(present all along) for _SC_2_C_VERSION.
[BZ #438]
* posix/unistd.h (_POSIX2_C_VERSION): New macro.
* conform/Makefile (test-xfail-POSIX/unistd.h/conform): Remove
variable.
For XPG3/XPG4 (defined __USE_XOPEN && !defined __USE_UNIX98), unistd.h
declares many functions that should only be declared for __USE_MISC
(none of them are in XPG3/XPG4): sethostname sethostid getdomainname
setdomainname vhangup revoke profil acct getusershell endusershell
setusershell daemon. The whole block with the [__USE_MISC ||
(__USE_XOPEN && !__USE_UNIX98)] conditional contains only functions
that are not in XPG3/XPG4, so this patch simply changes the
conditional.
Tested for x86_64 (testsuite, and that installed stripped shared
libraries are unchanged by this patch).
[BZ #17665]
* posix/unistd.h [__USE_MISC || (__USE_XOPEN && !__USE_UNIX98)]:
Change conditional to [__USE_MISC].
This patch cleans up cases of __USE_MISC that are trivially redundant
after the recent substitution of __USE_MISC for __USE_BSD and
__USE_SVID: either in constructs such as "defined __USE_MISC ||
defined __USE_MISC", or else (in the bits/mman.h case) a conditional
on __USE_MISC nested inside another __USE_MISC conditional. (The
cleanups remaining after this patch are still quite large, but it
seems a reasonable piece to separate out.)
Tested x86_64.
* bits/mman.h [__USE_MISC]: Remove redundant conditionals.
* ctype/ctype.h [__USE_MISC]: Likewise.
* dirent/dirent.h [__USE_MISC]: Likewise.
* grp/grp.h [__USE_MISC]: Likewise.
* io/fcntl.h [__USE_MISC]: Likewise.
* io/sys/stat.h [__USE_MISC]: Likewise.
* libio/stdio.h [__USE_MISC]: Likewise.
* posix/unistd.h [__USE_MISC]: Likewise.
* pwd/pwd.h [__USE_MISC]: Likewise.
* stdlib.h [__USE_MISC]: Likewise.
* string/bits/string2.h [__USE_MISC]: Likewise.
* string/string.h [__USE_MISC]: Likewise.
* time/time.h [__USE_MISC]: Likewise.
As detailed in PR11157, the use of '__block' is known to interfere
with keywords in some environments, such as the Clang -fblocks extension.
Recently a similar issue was raised concerning the use of '__unused'
and a '__glibc' prefix was proposed to create a glibc implementation
namespace for these sorts of issues [1]. This patches takes that
approach.
[1] https://sourceware.org/ml/libc-alpha/2012-02/msg00047.html
[2] http://lists.debian.org/debian-glibc/2013/11/msg00020.html
_POSIX2_C_DEV, _POSIX2_SW_DEV, _POSIX2_LOCALEDEF): Define to
200809L instead of 200112L.
(_XOPEN_VERSION): For __USE_XOPEN2K8 define to 700.
* posix/tst-sysconf.c (STDVER): Define to 200809L instead of 200112L.
2009-03-10 Jakub Jelinek <jakub@redhat.com>
* wcsmbs/wchar.h: mbsnrtowcs, open_wmemstream, wcpcpy, wcpncpy,
wcscasecmp, wcsdup, wcsncasecmp, wcsnlen, wcsnrtombs,
wcscasecmp_l, wcsncasecmp_l, wcscoll_l, and wcsxfrm_l.
* sysdeps/mach/hurd/bits/posix_opt.h: Reset value of macros from
200112L to 200809L.
* sysdeps/unix/sysv/linux/bits/posix_opt.h: Likewise.
* posix/getconf.c (vars): Add _SC_THREAD_ROBUST_PRIO_INHERIT and
_SC_THREAD_ROBUST_PRIO_PROTECT entries.
* bits/confname.h: Add _SC_THREAD_ROBUST_PRIO_INHERIT and
_SC_THREAD_ROBUST_PRIO_PROTECT.
* posix/unistd.h: fexecve is in POSIX 2008.
* time/time.h: strftime_l is in POSIX 2008.
* io/sys/stat.h: futimens is in POSIX 2008.
* string/strings.h: strcasecmp_l and strncasecmp_l are in POSIX 2008.
* string/string.h: stpcpy, stpncpy, strndup, strnlen, strsignal,
strcoll_l, strerror_l, and strxfrm_l are in POSIX 2008.
* stdlib/stdlib.h: mkdtemp is in POSIX 2008.
* misc/bits/syslog.h (syslog): When __va_arg_pack is defined,
implement as __extern_always_inline function.
(vsyslog): Define as __extern_always_inline function unconditionally.
* libio/bits/stdio2.h (sprintf, snprintf, printf, fprintf):
When __va_arg_pack is defined, implement as __extern_always_inline
functions.
(vsprintf, vsnprintf, vprintf, vfprintf): Define as
__extern_always_inline functions unconditionally.
* libio/bits/stdio.h (vprintf): Ifdef out the inline when
bits/stdio2.h will be included.
* wcsmbs/bits/wchar2.h (__swprintf_alias): New redirect.
(swprintf, wprintf, fwprintf): When __va_arg_pack is defined,
implement as __extern_always_inline functions.
(vswprintf, vwprintf, vfwprintf): Define as
__extern_always_inline functions unconditionally.
* debug/tst-chk1.c (do_test): Enable remaining tests for C++.
2007-09-03 Jakub Jelinek <jakub@redhat.com>
* misc/sys/cdefs.h (__extern_inline, __extern_always_inline): Only
define in C++ for GCC 4.3+, in C++ always use __gnu_inline__
attribute.
* include/features.h (__USE_EXTERN_INLINES): Define only when
__extern_inline is defined.
* stdlib/stdlib.h: Include bits/stdlib.h when __extern_always_inline
is defined instead of when not __cplusplus.
* misc/sys/syslog.h: Include bits/syslog.h when __extern_always_inline
is defined instead of when not __cplusplus.
* socket/sys/socket.h: Include bits/socket2.h when
__extern_always_inline is defined instead of when not __cplusplus.
* libio/stdio.h: Include bits/stdio2.h when __extern_always_inline
is defined instead of when not __cplusplus.
* posix/unistd.h: Include bits/unistd.h when __extern_always_inline
is defined instead of when not __cplusplus.
* string/string.h: Include bits/string3.h when __extern_always_inline
is defined instead of when not __cplusplus.
* wcsmbs/wchar.h: Include bits/wchar2.h when __extern_always_inline
is defined instead of when not __cplusplus.
(btowc, wctob): Don't guard the inlines with ifndef __cplusplus.
* io/fcntl.h: Don't include bits/fcntl2.h if __extern_always_inline
is not defined.
* misc/bits/syslog-ldbl.h: Guard *_chk stuff with
defined __extern_always_inline instead of !defined __cplusplus.
* libio/bits/stdio-ldbl.h: Likewise.
* wcsmbs/bits/wchar-ldbl.h: Likewise.
* misc/bits/syslog.h (syslog): Don't define for C++.
(vsyslog): Use __extern_always_inline function for C++ instead of
a macro.
* libio/bits/stdio.h (__STDIO_INLINE): Define to __extern_inline
whenever that macro is defined.
(vprintf): Don't provide the inline for C++.
(fread_unlocked, fwrite_unlocked): Don't define the macros for C++.
* libio/bits/stdio2.h (sprintf, snprintf, printf, fprintf): Don't
define the macros for C++.
(vsprintf, vsnprintf, vprintf, vfprintf): Define as
__extern_always_inline functions for C++.
* io/sys/stat.h (stat, lstat, fstat, fstatat, mknod, mknodat,
stat64, lstat64, fstat64, fstatat64): Don't define if not
__USE_EXTERN_INLINES.
* wcsmbs/bits/wchar2.h: Fix #error message.
(swprintf, wprintf, fwprintf): Don't define the macros for C++.
(vswprintf, vwprintf, vfwprintf): Define using
__extern_always_inline functions for C++.
* string/bits/string3.h: Don't #undef macros if __cplusplus.
(memcpy, memmove, mempcpy, memset, bcopy, bzero, strcpy, stpcpy,
strncpy, strcat, strncat): Define as __extern_always_inline
functions instead of macros for C++.
* math/bits/cmathcalls.h: Guard __extern_inline routines with
defined __extern_inline.
* sysdeps/alpha/fpu/bits/mathinline.h (__MATH_INLINE): Define
to __extern_inline whenever that macro is defined.
* sysdeps/ia64/fpu/bits/mathinline.h (__MATH_INLINE): Likewise.
* sysdeps/i386/fpu/bits/mathinline.h (__MATH_INLINE): Likewise.
* sysdeps/i386/i486/bits/string.h (__STRING_INLINE): Likewise.
* sysdeps/s390/bits/string.h (__STRING_INLINE): Likewise.
* sysdeps/s390/fpu/bits/mathinline.h (__MATH_INLINE): Likewise.
* sysdeps/powerpc/fpu/bits/mathinline.h (__MATH_INLINE): Likewise.
* sysdeps/x86_64/fpu/bits/mathinline.h (__MATH_INLINE): Likewise.
* sysdeps/sparc/fpu/bits/mathinline.h (__MATH_INLINE): Likewise.
* sysdeps/unix/sysv/linux/sys/sysmacros.h (gnu_dev_major,
gnu_dev_minor, gnu_dev_makedev): Remove __extern_inline from
prototypes. Only provide __extern_inline routines if
__USE_EXTERN_INLINES.
* debug/Makefile: Add rules to build and run tst-{,lfs}chk{4,5,6}
tests.
* debug/tst-chk1.c (do_prepare, do_test): Allow compilation as C++.
For now avoid some *printf tests in C++. Skip all testing
if __USE_FORTIFY_LEVEL is defined, but __extern_always_inline macro
is not.
* debug/tst-chk4.cc: New file.
* debug/tst-chk5.cc: New file.
* debug/tst-chk6.cc: New file.
* debug/tst-lfschk4.cc: New file.
* debug/tst-lfschk5.cc: New file.
* debug/tst-lfschk6.cc: New file.
* include/wchar.h (__vfwprintf_chk, __vswprintf_chk): Avoid
prototypes in C++.
* include/stdio.h (__sprintf_chk, __snprintf_chk, __vsprintf_chk,
__vsnprintf_chk, __printf_chk, __fprintf_chk, __vprintf_chk,
__vfprintf_chk, __fgets_unlocked_chk, __fgets_chk): Likewise.