WG14 Document: N1059

Date: 2004-03-05

Security TR Editor's Report

State of Document

N1055 is a mixture of specific edits requested by the committee at the last meeting, edits discussed in principle at the last meeting, and new edits not previously discussed.

All new edits will be explicitly called to the reader's attention by this editor's report.

In general, changes to the document are marked with change bars in the margin. However, the change bars are not perfect due to limitations of the tools used to produce the document (or the workman using them). Sometimes the last line of a changed multiline change will not be marked. Sometimes an extra change bar will appear on an unchanged line above or below a changed line. Some new footnotes do not have change bars.

The following changes are not in this draft:

The description of the rand_s function has not been updated with the requirements making it suitable for cryptography.
The Annex listing secure functions that should be used in preference to insecure functions is missing.
The Rationale is missing.

All subclause numbers in this report refer to N1055.

Major Changes

This section summarizes changes that potentially effect anyone attempting to implement a secure library based on the last draft.

__GOT_SECURE_LIB__

A conformance macro __GOT_SECURE_LIB__ was added. This macro is defined by the headers in the TR if __USE_SECURE_LIB__ is defined when the header is included. 3.1.1p2 defines the semantics of __GOT_SECURE_LIB__. The introductory subclause for each header defines it.

errno_t

The typedef errno_t with type int was added. errno_t is used whenever a function return type or parameter deals with error codes from errno.

This typedef is defined by errno.h and any header that needs it (if __USE_SECURE_LIB__ is defined.).

Function prototypes were changed to use errno_t as needed.

gets_s

Change the type of parameter n from int to size_t. This change was not discussed at the last meeting, but was requested by two implementers in email after the meeting.

RAND_MAX_S

The macro giving range of the rand_s function changed its name from RAND_S_MAX to RAND_MAX_S. This change was not discussed at the last meeting.

getenv_s

Add new parameter needed, which the function uses to store the length of the string it wishes to return.

strlen_s, wcslen_s

Change the type of the maxsize argument from int to size_t.

Change the names of these functions to strnlen and wcsnlen. Reason: these functions are not really replacements for strlen and wcslen. There is no desire to tell programmers to replace all calls to strlen with calls to strlen_s. But, the _s suffix for these functions falsely give that impression. In contrast, the "n" forms of the names give the right impression: these functions are to be used in specific situations where null-termination of input strings is problematic. (The secure library does not attempt to do away with null-terminated strings in favor of strings with a separate length.)

Renaming these functions was not discussed at the last meeting.

asctime_s

The sample asctime_s was rewritten to use snprintf and not use a local buffer for the string. A side-effect is that years with more than four digits will work if the user provides a larger buffer to store it.

scanf family

The scanf family functions (including the wide char versions) now assign a value to all objects that were to be read into when a matching failure or input failure occurs.

New functions

The following new functions were added:

strcpy_s
strcat_s
wcscpy_s
wcscat_s
gmtime_r
localtime_r

gmtime_r and localtime_r were not discussed at the previous meeting.

The _r functions came from UNIX (see next section). Should _s versions of the names also be added for regularity?

Unix Compatibility

Most of the functions in the TR do not overlap with UNIX. However, there are a few functions that do. I'll compare those functions in the TR with functions in the Single UNIX Specification.

A searchable version of the Open Group's Single Unix Specification is available at:

http://www.unix-systems.org/single_unix_specification/

You may be asked to register (it's free) before you can load that page.

The hyperlinks on function names in this section takes you to the Single UNIX Specification man page for that function.

UNIX has a rand_r function. However, it does not appear to have the same goals as our rand_s. It merely removes the static state of the random number generator's seed.

UNIX has a strtok_r function that is completely compatible with our strtok_r function.

UNIX has a strerror_r function that is very close to our strerror_r function. The differences are:

The arguments are in a different order.
The specification fails to define the state of the output buffer if there is not enough room for the error message.

UNIX has a asctime_r function similar to our asctime_s function. The differences are:

The arguments are in a different order, and UNIX lacks the maxsize argument.
The UNIX function returns a pointer to the string, not an errno_t.
The UNIX function returns a 26 char string. Our function can return different-sized string depending upon the number of digits in the year.

UNIX has a ctime_r function similar to our ctime_s function. the differences are:

The arguments are in a different order, and UNIX lacks the maxsize argument.
The UNIX function returns a pointer to the string, not an errno_t.
The UNIX function returns a 26 char string. Our function can return different-sized string depending upon the number of digits in the year.

UNIX has a gmtime_r function that is completely compatible with our gmtime_r function.

UNIX has a localtime_r function that is completely compatible with our localtime_r function.

Non-standard functions

It appears that OpenBSD has two functions, strlcpy and strlcat, that are similar to our strcpy_s and strcat_s. However, the BSD functions return a length, not an error code, and truncate if there is too little space. See: http://www.courtesan.com/todd/papers/strlcpy.html

Change Log

The remainder of this document is a per-subclause list of all changes to N1055 since N1031.

2. Normative references

Para 2, the reference to TC1, was added.

3.1.1 Standard Headers

Para 1, extra "only" deleted.

Para 2, __GOT_SECURE_LIB__ was added.

3.2 errno.h

New subclause because of errno_t. This header was not in the last draft.

3.3 stdio.h

Para 2, define __GOT_SECURE_LIB__.

Para 3, define errno_t.

3.3.1.1 The tmpnam_s function

Use errno_t in prototype.

Footnote 2. Add discussion of race condition and interprogram conflicts. Are there other issues needing discussion?

Para 4, Footnote 3. Allow tmpnam to call tmpnam_s.

3.3.2.1 The fscanf_s function

Para 2, Para 4, Footnote 5. Require a failing fscanf_s to assign a value to all objects that were to be read into.

3.3.3.1 The gets_s function

Change the type of parameter n from int to size_t. This change was not discussed at the last meeting.

Para 2, Para 4, Para 5. Define the behavior if n is zero.

3.4 stdlib.h

Para 2. Define __GOT_SECURE_LIB__. Change name of RAND_S_MAX to RAND_MAX_S.

Para 3. Define errno_t.

3.4.1.1 The rand_s function

Para 2, 5. Change name of RAND_S_MAX to RAND_MAX_S.

3.4.2.1 The getenv_s function

Add new parameter needed, which the function uses to store the length of the string it wishes to return.

Para 2-4. Describe use of needed.

Issue: Should there be an errno value to distinguish a missing environment variable as opposed to output buffer was not big enough?

3.4.3 Searching and sorting utilities

Para 3. "shall not alter the contents of the array." becomes "shall not alter the contents of either the array or search key."

Para 3. Add "but shall not otherwise alter the contents of any individual element."

Footnote 7, "are always nonzero" becomes "are always valid and nonzero".

Issue: Microsoft has found lots of code that sorts or searches zero-length arrays (sometimes pointed to by a null pointer). An implementation is free to permit this as an extension, but should searching/sorting zero-length arrays added to this TR?

3.4.3.1 The bsearch_s function

Footnote 8. "is sorted" becomes "has been sorted".

3.4.3.2 The qsort_s function

Para 4. "their order" becomes "their relative order"

3.5 string.h

Para 1-3. Define __GOT_SECURE_LIB__ and errno_t.

3.5.1.1 The memcpy_s function

Use errno_t for return type.

3.5.1.2 The memmove_s function

Use errno_t for return type.

3.5.1.3 The strcpy_s function

New function.

3.5.1.4 The strncpy_s function

Use errno_t for return type.

Para 2. Don't mention return value here.

Para 4. Add "successive"

3.5.2.1 The strcat_s function

New function.

3.5.2.2 The strncat_s function

Use errno_t for return type.

Various paragraphs. Typeset m in italic.

Para 3. Don't mention return value here.

Para 5. Add "successive"

Para 9. Use the phrase "will contain the sequence" (used elsewhere in the Standard).

3.5.4.1 The strerror_s function

Use errno_t for return type and for type of parameter errnum.

Para 3. Add word "desired".

3.5.4.2 The strnlen function

Change the name of the function from strlen_s.

Change the type of the maxsize argument from int to size_t.

Para 3. Add last sentence.

3.6 time.h

Para 1-3. Define __GOT_SECURE_LIB__ and errno_t.

3.6.1 Components of time

Para 1. Define normalized. Note that the Standard defines the "normal ranges" for struct tm members.

3.6.2 Time conversion functions

Para 1. Remove extra comma.

3.6.2.1 The asctime_s function

Use errno_t for return type.

Para 2. Add word "normalized".

The sample asctime_s was rewritten to use snprintf.

Para 3. Rewrite since the result is not tied to a 26 char buffer.

Add footnote 20.

3.6.2.2 The ctime_s function

Use errno_t for return type.

Para 3. Rewrite since the result is not tied to a 26 char buffer.

Add footnote 21.

3.6.2.3 The gmtime_r function

New function.

3.6.2.4 The localtime_r function

New function.

3.7 wchar.h

Para 1-3. Define __GOT_SECURE_LIB__ and errno_t.

3.7.1.1 The fwscanf_s function

Para 2, Para 4, Footnote 23. Require a failing fwscanf_s to assign a value to all objects that were to be read into.

3.7.2.1.1 The wcscpy_s function

New function.

3.7.2.1.2 The wcsncpy_s function

Use errno_t for return type.

Para 2. Don't mention return value here.

Para 4. Add "successive"

3.7.2.1.3 The wmemcpy_s function

Use errno_t for return type.

Para 2. Add "successive"

3.7.2.1.4 The wmemmove_s function

Use errno_t for return type.

Para 2. Add "successive"

3.7.2.2.1 The wcscat_s function

New function.

3.7.2.2.2 The wcsncat_s function

Use errno_t for return type.

Various paragraphs. Typeset m in italic.

Para 3. Don't mention return value here.

Para 5. Add "successive"

Para 8. Use the phrase "will contain the sequence" (used elsewhere in the Standard).

3.7.2.3.1 The wcsnlen function

Change the name of the function from wcslen_s.

Change the type of the maxsize argument from int to size_t.

Para 3. Add last sentence.