test: Import explicit_bzero and strtonum test cases from OpenBSD

- Remove trailing spaces.
- Declare file-scope functions and variables static.
- Declare functions with a proper prototype.
- Do not mix declarations and code for C90 conformance.
- Do not compare size_t and ssize_t variables.

COPYING

@@ -383,6 +383,8 @@ Files:
  src/recallocarray.c
  src/strlcat.c
  src/strlcpy.c
+ test/explicit_bzero.c
+ test/strtonum.c
 Copyright:
  Copyright © 2004 Ted Unangst and Todd Miller
  All rights reserved.
@@ -391,6 +393,7 @@ Copyright:
  Copyright © 1998, 2000-2002, 2004-2005, 2007, 2010, 2012-2015
      Todd C. Miller <Todd.Miller@courtesan.com>
  Copyright © 2004 Ted Unangst
+ Copyright © 2004 Otto Moerbeek <otto@drijf.net>
  Copyright © 2008 Damien Miller <djm@openbsd.org>
  Copyright © 2008, 2010-2011, 2016-2017 Otto Moerbeek <otto@drijf.net>
  Copyright © 2013 Markus Friedl <markus@openbsd.org>
@@ -398,6 +401,7 @@ Copyright:
  Copyright © 2014 Brent Cook <bcook@openbsd.org>
  Copyright © 2014 Pawel Jakub Dawidek <pjd@FreeBSD.org>
  Copyright © 2014 Theo de Raadt <deraadt@openbsd.org>
+ Copyright © 2014 Google Inc.
  Copyright © 2015 Michael Felt <aixtools@gmail.com>
  Copyright © 2015 Guillem Jover <guillem@hadrons.org>
 License: ISC

test/.gitignore

@@ -2,6 +2,7 @@ arc4random
 bzero
 closefrom
 endian
+explicit_bzero
 fgetln
 fparseln
 fpurge
@@ -20,5 +21,6 @@ setmode
 strl
 strmode
 strnstr
+strtonum
 vis
 vis-openbsd

test/Makefile.am

@@ -34,6 +34,7 @@ check_PROGRAMS = \
 	bzero \
 	closefrom \
 	endian \
+	explicit_bzero \
 	humanize \
 	fgetln \
 	funopen \
@@ -48,6 +49,7 @@ check_PROGRAMS = \
 	strl \
 	strmode \
 	strnstr \
+	strtonum \
 	vis \
 	vis-openbsd \
 	$(nil)

test/explicit_bzero.c

@@ -0,0 +1,214 @@
+/*	$OpenBSD: explicit_bzero.c,v 1.7 2021/03/27 11:17:58 bcook Exp $	*/
+/*
+ * Copyright (c) 2014 Google Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <assert.h>
+#include <errno.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define ASSERT_EQ(a, b) assert((a) == (b))
+#define ASSERT_NE(a, b) assert((a) != (b))
+#define ASSERT_GE(a, b) assert((a) >= (b))
+
+/* 128 bits of random data. */
+static const char secret[16] = {
+	0xa0, 0x6c, 0x0c, 0x81, 0xba, 0xd8, 0x5b, 0x0c,
+	0xb0, 0xd6, 0xd4, 0xe3, 0xeb, 0x52, 0x5f, 0x96,
+};
+
+enum {
+	SECRETCOUNT = 64,
+	SECRETBYTES = SECRETCOUNT * sizeof(secret)
+};
+
+/*
+ * As of glibc 2.34, when _GNU_SOURCE is defined, SIGSTKSZ is no longer
+ * constant on Linux. SIGSTKSZ is redefined to sysconf (_SC_SIGSTKSZ).
+ */
+static char *altstack;
+#define ALTSTACK_SIZE (SIGSTKSZ + SECRETBYTES)
+
+static void
+setup_stack(void)
+{
+	const stack_t sigstk = {
+		.ss_sp = altstack = calloc(1, ALTSTACK_SIZE),
+		.ss_size = ALTSTACK_SIZE
+	};
+
+	ASSERT_NE(NULL, altstack);
+	ASSERT_EQ(0, sigaltstack(&sigstk, NULL));
+}
+
+static void
+cleanup_stack(void)
+{
+	free(altstack);
+}
+
+static void
+assert_on_stack(void)
+{
+	stack_t cursigstk;
+	ASSERT_EQ(0, sigaltstack(NULL, &cursigstk));
+	ASSERT_EQ(SS_ONSTACK, cursigstk.ss_flags & (SS_DISABLE|SS_ONSTACK));
+}
+
+static void
+call_on_stack(void (*fn)(int))
+{
+	/*
+	 * This is a bit more complicated than strictly necessary, but
+	 * it ensures we don't have any flaky test failures due to
+	 * inherited signal masks/actions/etc.
+	 *
+	 * On systems where SA_ONSTACK is not supported, this could
+	 * alternatively be implemented using makecontext() or
+	 * pthread_attr_setstack().
+	 */
+
+	const struct sigaction sigact = {
+		.sa_handler = fn,
+		.sa_flags = SA_ONSTACK,
+	};
+	struct sigaction oldsigact;
+	sigset_t sigset, oldsigset;
+
+	/* First, block all signals. */
+	ASSERT_EQ(0, sigemptyset(&sigset));
+	ASSERT_EQ(0, sigfillset(&sigset));
+	ASSERT_EQ(0, sigprocmask(SIG_BLOCK, &sigset, &oldsigset));
+
+	/* Next setup the signal handler for SIGUSR1. */
+	ASSERT_EQ(0, sigaction(SIGUSR1, &sigact, &oldsigact));
+
+	/* Raise SIGUSR1 and momentarily unblock it to run the handler. */
+	ASSERT_EQ(0, raise(SIGUSR1));
+	ASSERT_EQ(0, sigdelset(&sigset, SIGUSR1));
+	ASSERT_EQ(-1, sigsuspend(&sigset));
+	ASSERT_EQ(EINTR, errno);
+
+	/* Restore the original signal action, stack, and mask. */
+	ASSERT_EQ(0, sigaction(SIGUSR1, &oldsigact, NULL));
+	ASSERT_EQ(0, sigprocmask(SIG_SETMASK, &oldsigset, NULL));
+}
+
+static void
+populate_secret(char *buf, ssize_t len)
+{
+	int i, fds[2];
+	ASSERT_EQ(0, pipe(fds));
+
+	for (i = 0; i < SECRETCOUNT; i++)
+		ASSERT_EQ(sizeof(secret), write(fds[1], secret, sizeof(secret)));
+	ASSERT_EQ(0, close(fds[1]));
+
+	ASSERT_EQ(len, read(fds[0], buf, len));
+	ASSERT_EQ(0, close(fds[0]));
+}
+
+static int
+count_secrets(const char *buf)
+{
+	int res = 0;
+	size_t i;
+	for (i = 0; i < SECRETCOUNT; i++) {
+		if (memcmp(buf + i * sizeof(secret), secret,
+		    sizeof(secret)) == 0)
+			res += 1;
+	}
+	return (res);
+}
+
+static char *
+test_without_bzero(void)
+{
+	char buf[SECRETBYTES];
+	char *res;
+	assert_on_stack();
+	populate_secret(buf, sizeof(buf));
+	res = memmem(altstack, ALTSTACK_SIZE, buf, sizeof(buf));
+	ASSERT_NE(NULL, res);
+	return (res);
+}
+
+static char *
+test_with_bzero(void)
+{
+	char buf[SECRETBYTES];
+	char *res;
+	assert_on_stack();
+	populate_secret(buf, sizeof(buf));
+	res = memmem(altstack, ALTSTACK_SIZE, buf, sizeof(buf));
+	ASSERT_NE(NULL, res);
+	explicit_bzero(buf, sizeof(buf));
+	return (res);
+}
+
+static void
+do_test_without_bzero(int signo)
+{
+	char *buf = test_without_bzero();
+	ASSERT_GE(count_secrets(buf), 1);
+}
+
+static void
+do_test_with_bzero(int signo)
+{
+	char *buf = test_with_bzero();
+	ASSERT_EQ(count_secrets(buf), 0);
+}
+
+int
+main(int argc, char **argv)
+{
+	setup_stack();
+
+	/*
+	 * Solaris and OS X clobber the signal stack after returning to the
+	 * normal stack, so we need to inspect altstack while we're still
+	 * running on it.  Unfortunately, this means we risk clobbering the
+	 * buffer ourselves.
+	 *
+	 * To minimize this risk, test_with{,out}_bzero() are responsible for
+	 * locating the offset of their buf variable within altstack, and
+	 * and returning that address.  Then we can simply memcmp() repeatedly
+	 * to count how many instances of secret we found.
+	 */
+
+	/*
+	 * First, test that if we *don't* call explicit_bzero, that we
+	 * *are* able to find at least one instance of the secret data still
+	 * on the stack.  This sanity checks that call_on_stack() and
+	 * populate_secret() work as intended.
+	 */
+	memset(altstack, 0, ALTSTACK_SIZE);
+	call_on_stack(do_test_without_bzero);
+
+	/*
+	 * Now test with a call to explicit_bzero() and check that we
+	 * *don't* find any instances of the secret data.
+	 */
+	memset(altstack, 0, ALTSTACK_SIZE);
+	call_on_stack(do_test_with_bzero);
+
+	cleanup_stack();
+
+	return (0);
+}

test/strtonum.c

@@ -0,0 +1,64 @@
+/*	$OpenBSD: strtonumtest.c,v 1.1 2004/08/03 20:38:36 otto Exp $	*/
+/*
+ * Copyright (c) 2004 Otto Moerbeek <otto@drijf.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+static int fail;
+
+static void
+test(const char *p, long long lb, long long ub, int ok)
+{
+	long long val;
+	const char *q;
+
+	val = strtonum(p, lb, ub, &q);
+	if (ok && q != NULL) {
+		fprintf(stderr, "%s [%lld-%lld] ", p, lb, ub);
+		fprintf(stderr, "NUMBER NOT ACCEPTED %s\n", q);
+		fail = 1;
+	} else if (!ok && q == NULL) {
+		fprintf(stderr, "%s [%lld-%lld] %lld ", p, lb, ub, val);
+		fprintf(stderr, "NUMBER ACCEPTED\n");
+		fail = 1;
+	}
+}
+
+int main(int argc, char *argv[])
+{
+	test("1", 0, 10, 1);
+	test("0", -2, 5, 1);
+	test("0", 2, 5, 0);
+	test("0", 2, LLONG_MAX, 0);
+	test("-2", 0, LLONG_MAX, 0);
+	test("0", -5, LLONG_MAX, 1);
+	test("-3", -3, LLONG_MAX, 1);
+	test("-9223372036854775808", LLONG_MIN, LLONG_MAX, 1);
+	test("9223372036854775807", LLONG_MIN, LLONG_MAX, 1);
+	test("-9223372036854775809", LLONG_MIN, LLONG_MAX, 0);
+	test("9223372036854775808", LLONG_MIN, LLONG_MAX, 0);
+	test("1000000000000000000000000", LLONG_MIN, LLONG_MAX, 0);
+	test("-1000000000000000000000000", LLONG_MIN, LLONG_MAX, 0);
+	test("-2", 10, -1, 0);
+	test("-2", -10, -1, 1);
+	test("-20", -10, -1, 0);
+	test("20", -10, -1, 0);
+
+	return (fail);
+}
+