19 Revīzijas 95a1c823ad ... 91628ee663

Autors SHA1 Ziņojums Datums
  Ariadne Devos 91628ee663 Calculate the minimum properly 5 gadi atpakaļ
  Ariadne Devos 08b7db686d Test sHT_min_size (failing!) 5 gadi atpakaļ
  Ariadne Devos f36e19ac9a Correct tests/cmp.c and sHT_lt0 5 gadi atpakaļ
  Ariadne Devos 8af938240d Add missing parenthese in test 5 gadi atpakaļ
  Ariadne Devos d0fac1fbad Fix sHT_lt0 5 gadi atpakaļ
  Ariadne Devos d55a762fc3 Test <sHT/test.h> (failing!) 5 gadi atpakaļ
  Ariadne Devos 4243e5da53 Fix non-obvious syntax error in <sHT/test.h> 5 gadi atpakaļ
  Ariadne Devos ff00662f56 Document speculation controls 5 gadi atpakaļ
  Ariadne Devos 509bad2b29 Split architecture code out of <sHT/nospec.h> 5 gadi atpakaļ
  Ariadne Devos 70bfa65318 Delete premature optimisation 5 gadi atpakaļ
  Ariadne Devos 5dc5e07aa0 Outroduce superfluous sHT_modulo_nospec 5 gadi atpakaļ
  Ariadne Devos 9cdc2003a3 Test sHT_index_nospec 5 gadi atpakaļ
  Ariadne Devos 573c3e438a Introduce architecture-specific directory 5 gadi atpakaļ
  Ariadne Devos f95441197e Git-Ignore generated documentation 5 gadi atpakaļ
  Ariadne Devos 13ace6b12d Add missing Sphinx build configuration 5 gadi atpakaļ
  Ariadne Devos b0832f6aaf Correct suggested command in CFLAGS 5 gadi atpakaļ
  Ariadne Devos 896ddc89f7 Introduce SPDX-License-Identifier 5 gadi atpakaļ
  Ariadne Devos b9a8a3bf34 Generate some documentation 5 gadi atpakaļ
  Ariadne Devos b59fddbe85 Include the license text nicely formatted in documentation 5 gadi atpakaļ
10 mainītis faili ar 166 papildinājumiem un 93 dzēšanām
  1. 5 0
      .gitignore
  2. 4 16
      CFLAGS
  3. 27 17
      Makefile.am
  4. 6 14
      README
  5. 41 0
      arch/arm/sHT/spectre.h
  6. 42 0
      arch/x86/sHT/minmax-arch.h
  7. 25 0
      arch/x86/sHT/spectre.h
  8. 13 31
      sHT/test-arch.h
  9. 3 15
      buffer/append.c
  10. 0 0
      buffer/lex.c

+ 5 - 0
.gitignore

@@ -1,3 +1,5 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+# Copyright © 2019 Ariadne Devos
 *.o
 .deps
 .dirstamp
@@ -12,6 +14,9 @@ configure
 Makefile.in
 Makefile
 
+/doctrees
+/html
+
 compile
 depcomp
 install-sh

+ 4 - 16
CFLAGS

@@ -1,21 +1,9 @@
-# s2 -- warnings for GCC 6.3.0
-# Copyright (C) 2018 Ariadne Devos
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+// SPDX-License-Identifier: GPL-3.0-or-later
+// Copyright © 2018-2019 Ariadne Devos
+// sHT -- recommended extensive warnings and errror flags for GCC 6.3.0
 
 # First, a lot of unsorted warnings. Later, some have been categorised.
-# > ./configure CFLAGS="$(sed '/^[*/#]/d' CFLAGS)"
+# > ./configure CFLAGS="$(sed '/^[*/#]/d' CFLAGS | tr \\n \ )"
 
 -Wformat=2 -Wignored-attributes -Wno-unused-parameter
 -Wstrict-aliasing=1 -Wstrict-overflow=5
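Review bot: The new header line carries a typo, `errror`; it should read `// sHT -- recommended extensive warnings and error flags for GCC 6.3.0`. The switch from `#` to `//` header lines is compatible with the suggested `sed '/^[*/#]/d'` filter, since that pattern also drops lines starting with `/`, so nothing else needs to change.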

+ 27 - 17
Makefile.am

@@ -1,22 +1,10 @@
-# shttpd - build system -- list of dependencies
-# Copyright (C) 2018 Ariadne Devos
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# SPDX-License-Identifier: GPL-3.0-or-later
+# Copyright © 2018-2019 Ariadne Devos
+# sHT -- build system -- list of dependencies
 AUTOMAKE_OPTIONS = subdir-objects foreign no-dist \
  -Wobsolete -Woverride -Wunsupported -Werror
 
-AM_CPPFLAGS = -D_GNU_SOURCE
+AM_CPPFLAGS = -D_GNU_SOURCE "-I$(srcdir)/arch/$(CONFIG_ARCH)" -Og -g2
 
 bin_PROGRAMS = shttpd
 shtsources = \
@@ -48,7 +36,14 @@ tests/%$(EXEEXT): tests/%.o $(shttpd_OBJECTS) $(shttpd_DEPENDENCIES) $(EXTRA_sht
 	@rm -f shttpd$(EXEEXT)
 	$(AM_V_CCLD)$(LINK) $< $(shttpd_OBJECTS) $(shttpd_LDADD) $(LIBS)
 
-tests = tests/append tests/lex tests/memeq tests/inc-saturated
+tests = \
+	tests/append \
+	tests/cmp \
+	tests/lex \
+	tests/memeq \
+	tests/inc-saturated \
+	tests/index-nospec
+
 testresult = tests/append
 %.result: %
 	./$< > "$@" 2>&1; \
@@ -78,3 +73,18 @@ shttpdsources = \
   http/stream.c
 
 shttpd_SOURCES = $(shtsources) $(shttpdsources)
+
+# Build the documentation with Sphinx.
+# It is configured in $(srcdir)/doc/conf.py.
+# <http://sphinx-doc.org/stable/>.
+#
+# -n: warn about all missing references
+# -q: only output warning
+# -W: turn warnings into errors
+# -d: cache directory
+# sourcedir, outdir
+html-local:
+	sphinx-build -b html -n -q -d $(builddir)/doctrees $(srcdir)/doc $(builddir)/html
+mostlyclean-local:
+	-rm -rf $(builddir)/html $(builddir)/doctrees
+# TODO: install the documentation
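Review bot: `-Og -g2` on the new `AM_CPPFLAGS` line are compiler options, not preprocessor options; placing them there forces a debug build on every configuration and bypasses whatever the user passes in `CFLAGS`. Move them to `AM_CFLAGS`, or better drop them and let `./configure CFLAGS=...` decide, leaving `AM_CPPFLAGS = -D_GNU_SOURCE "-I$(srcdir)/arch/$(CONFIG_ARCH)"`. If `CONFIG_ARCH` is not substituted by configure (not visible in this diff), the include path silently degrades to `arch/` and the architecture headers are simply not found, so a configure-time check that it is set is worth confirming. In `html-local` the hard-coded `sphinx-build` could be `$(SPHINX_BUILD)` with a default so packagers can override it, and the `-` prefix on `rm -rf` in `mostlyclean-local` is redundant because `-f` already tolerates missing files.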

+ 6 - 14
README

@@ -1,3 +1,6 @@
+.. SPDX-License-Identifier: GPL-3.0-or-later
+.. Copyright © 2018-2019 Ariadne Devos
+
 # s^2 Web Stuff
 
 s^2 is -- so far -- a personal project to write secure and sandboxed software
@@ -48,17 +51,6 @@ general discussion are welcome.
 
 ## Legal stuff
 
-Copyright (C) 2018-2019 Ariadne Devos
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with this program.  If not, see <http://www.gnu.org/licenses/>. */
+The license text is in `COPYING` (the GNU General Public License,
+version 3 or later (at your choice). See `doc/license-copyright.rst`
+for more information on copyright and licensing.

+ 41 - 0
arch/arm/sHT/spectre.h

@@ -0,0 +1,41 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+// Copyright © 2018-2019 Ariadne Devos
+
+/* (Extracted and transcluded from <sHT/nospec.h> */
+
+/* (Translated from the x86 implementation; "sbb" has been
+  translated to "sbc". Apparently Linux does the same.)
+
+  The operand order has been found by brute force.
+
+  Linux does "sbc %0, zrx, zrx
+
+  One would expect "sbc %0, %0, %0" to let the test pass,
+  being %0 <- %0 - %0 - !carry, but it doesn't somehow.
+  Instead, reuse %1 or %2 (length, pos), as Linux does.
+
+  Alternatively, one could do "sbc %0, %0, #0" and before
+  that, set %0 to 0, but that's one instruction longer.
+
+  TODO: Linux uses xzr as last two registers on arm64,
+  perhaps do the same. */
+#define _sHT_index_mask(maskp, pos, length) \
+	__asm__("cmp %2, %1\n\tsbc %0, %1, %1" : "=&r" (*(maskp)) : "r" ((length)), "rI" ((pos)) : "cc")
+
+/* ARM recommends "csdb", but their explanation suggests it isn't a
+  full speculation barrier. ARM allows "isb;dsb sy", and that's what
+  GCC does as well.
+
+  "isb" flushes the instruction pipeline.
+
+  TODO: what's "dsb" for? It is for data, not control flow. I hope no
+  processor ever will do value speculation -- disastruous for crypto.
+  Suppose that ARM does exactly that -- then, the situation is already
+  broken beyond repair, so don't do "dsb". ARM is too fuzzy on details.
+
+  https://patchwork.ozlabs.org/patch/941448 (2018) lets GCC emit
+  "isb;dsb sy".
+
+  volatile "memory" is for paranoia, to avoid reordering. */
+#define _sHT_speculation_barrier() \
+		__asm__ volatile("isb" : : : "memory");
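Review bot: The `_sHT_speculation_barrier()` body ends with a `;` inside the macro, unlike the x86 definition in arch/x86/sHT/spectre.h, so a call written `_sHT_speculation_barrier();` expands to a double semicolon and `if (...) _sHT_speculation_barrier(); else ...` fails to compile on ARM only; drop the trailing semicolon: `__asm__ volatile("isb" : : : "memory")`. The comment above it records that ARM allows `isb;dsb sy` and that GCC emits that sequence, yet the macro emits `isb` alone on reasoning the comment itself calls fuzzy; for a speculation barrier the conservative choice is to match the documented sequence, or at least to state in the comment that this is deliberately shorter than what GCC emits and why that is considered sufficient. Minor: the first comment is missing its closing parenthesis and the quoted `Linux does "sbc %0, zrx, zrx` lacks its closing quote.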

+ 42 - 0
arch/x86/sHT/minmax-arch.h

@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+// Copyright © 2019 Ariadne Devos
+
+/* TODO: apparently, cmov was introduced in i686
+  -- portable tissues */
+
+/* Side-channel considerations: all passed values are not secret. */
+
+/*  Operational semantics: If %0 > %1, do %0 <- %1.
+  Functional semantics:
+
+  In case \old(%0) >(*) \old(%1) (branch taken),
+  - \old(%1) = min(\old(%0), \old(%1)) (case analysis)
+  - \new(%0) = \old(%1) = min(\old(%0), \old(%1)) (assignment, previous lemma)
+  Otherwise, the negation holds: \old(%0) <= \old(%1),
+  - \old(%0) = min(\old(%0), \old(%1)) (case analysis)
+  - \new(%0) = \old(%0) = min(\old(%0), \old(%1)) (no assignment, previous lemma)
+
+  (*) '>=' also suffices.
+
+  Therefore, \new(%0) = min(\old(%0), \old(%1)) (consider both branches)
+
+  -- Assembly sequence
+
+  The Intel / AT&T syntax differences in operand order are
+  very confusing. Testing:
+
+  Try "mov $0, %0". It compiles, so the first operand is the source,
+  and the latter the destination. That proofs the second operand of
+  "cmov??" is correct: it is %0, `*x_set_p` that must be updated.
+
+  Another source of confusion is Intel's distinction between greater / less
+  and above / below. The former is signed, the latter unsigned.
+
+  To test: 2 (operand order of cmp) * 2 (above / below).
+  Pass: %0,%1,below; %1,%0,above.
+  (These two are equivalent: %0 < %1 <-> %1 > 0.
+  Sanity check succeeds.)
+
+  cc: condition code is changed by 'cmp'. */
+#define _sHT_min(x_set_p, y) \
+	__asm__("cmp %1,%0;cmova %1,%0" : "+r" (*(x_set_p)) : "r" (y) : "cc")
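Review bot: `_sHT_min` uses `cmova`, so it computes the unsigned minimum and returns the wrong value for signed operands of differing sign; in addition, both operands are bound with plain `r` constraints, so the assembler rejects mixed widths (e.g. a `size_t` against an `int`) and `cmov` has no 8-bit form, none of which is stated at the macro. Add a precondition comment directly above the `#define`, e.g. `/* Precondition: *x_set_p and y are unsigned integers of the same 16/32/64-bit width; cmova is an unsigned compare and cmov has no byte form. */`. In the explanatory comment, `%0 < %1 <-> %1 > 0` should read `%0 < %1 <-> %1 > %0`.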

+ 25 - 0
arch/x86/sHT/spectre.h

@@ -0,0 +1,25 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+// Copyright © 2018-2019 Ariadne Devos
+
+/* (Extracted and transcluded from <sHT/nospec.h> */
+
+/* "cmp %1,%2; sbb %0,%0": mask <- (mask - mask) - (pos < length).
+  (unsigned, so pos, length > SSIZE_MAX is allowed).
+
+  Alternatively, one could do a compare, setcc, and decrement, but
+  that's an instruction longer. */
+#define _sHT_index_mask(maskp, pos, length) \
+	__asm__("cmp %1,%2; sbb %0,%0" : "=&r" (*(maskp)) : "rm" (length), "r" (pos) : "cc")
+
+/* This sequence is what Intel tells us to do, and what
+  Linux can do. It also has some effect upon memory ordering.
+
+  TODO: check its correctness. Linux sometimes does "mfence"
+  instead, why? Something to do with AMD / Intel differences.
+
+  volatile "memory" is for paranoia, to avoid reordering or
+  or elimination (Linux does this). Although in my tests (GCC 6.3.0,
+  GCC 8.3.0, Clang 6.0), even without any of these nothing happens
+  ... */
+#define _sHT_speculation_barrier() \
+	__asm__ volatile("lfence" : : : "memory")
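Review bot: The TODO in the `_sHT_speculation_barrier` comment is an open correctness question rather than a nit: as far as I know `lfence` is dispatch-serializing on AMD processors only once firmware or the OS has enabled that mode, which is why some kernels fall back to `mfence` there, so the macro's assumption should be written down, e.g. `/* Assumes lfence is dispatch-serializing (Intel; AMD only when enabled by firmware/OS). */`. For `_sHT_index_mask`, the `rm`/`r` constraints do not enforce that `pos` and `length` share a register width, and `sbb %0,%0` uses the width of `*maskp`; a one-line precondition comment naming the expected operand types would spare callers an assembler error or a truncated mask.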

+ 13 - 31
sHT/test-arch.h

@@ -1,22 +1,8 @@
-/* s2 - compare values, considering some Spectre issues
-   Copyright (C) 2018, 2019 Ariadne Devos
+// SPDX-License-Identifier: GPL-3.0-or-later
+// Copyright © 2018-2019 Ariadne Devos
+/* sHT -- (x86) compare values without misinforming the compiler */
 
-   This program is free software: you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation, either version 3 of the License, or
-   (at your option) any later version.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>. */
-
-/* This is transcluded from <sHT/test.h> */
-
-#if defined(__x86_64__) || defined(__i386__)
+/* This is transcluded from <sHT/test.h>. */
 
 /* Operand order: first the source, then the destination.
   E.g., cmp $3,%rdx.
@@ -29,31 +15,27 @@
   When reading AMD and probably Intel documentation:
   'greater' is for signed integers, 'above' for unsigned integers. */
 
-# define _sHT_ge(a, b, correct) \
+#define _sHT_ge(a, b, correct) \
 	__asm__ goto ("cmp %1,%0;jae %l[" #correct "]" : : "r,m" (a), "rmi,ri" (b) : "cc" : correct)
-# define _sHT_eq(a, b, correct) \
+#define _sHT_eq(a, b, correct) \
 	__asm__ goto ("cmp %1,%0;je %l[" #correct "]" : : "r,m" (a), "rmi,ri" (b) : "cc" : correct)
-# define _sHT_neq(a, b, correct) \
+#define _sHT_neq(a, b, correct) \
 	__asm__ goto ("cmp %1,%0;jne %l[" #correct "]" : : "r,m" (a), "rmi,ri" (b) : "cc" : correct)
-# define _sHT_eq_bool(a, b, c) \
+#define _sHT_eq_bool(a, b, c) \
 	__asm__ ("cmp %2,%1;sete %0" : "=r,r" (c) : "r,m" (a), "rmi,ri" (b) : )
 
-
-# define _sHT_gt(a, b, correct) \
+#define _sHT_gt(a, b, correct) \
 	__asm__ goto ("cmp %1,%0;ja %l[" #correct "]" : : "r,m" (a), "rmi,ri" (b) : "cc" : correct)
 
 /* testl is supposedlu smaller than cmp */
-# define _sHT_zero_p(a, correct) \
+#define _sHT_zero_p(a, correct) \
 	__asm__ goto ("test %0,%0;je %l[" #correct "]" : : "r" (a) : "cc" : correct)
-# define _sHT_nonzero_p(a, correct) \
+#define _sHT_nonzero_p(a, correct) \
 	__asm__ goto ("test %0,%0;jnz %l[" #correct "]" : : "r" (a) : "cc" : correct)
-# define _sHT_lt0(a, correct) \
+/* cmp %0,%0 does not work! Try tests/cmp. */
+#define _sHT_lt0(a, correct) \
 	__asm__ goto ("test %0,%0;js %l[" #correct "]" : : "r" (a) : "cc" : correct)
 #define _sHT_and_any_p(a, b, correct) \
 	__asm__ goto ("test %1,%0;jnz %l[" #correct "]" : : "r,m" (a), "rmi,ri" (b) : "cc" : correct)
 #define _sHT_and_none_p(a, b, correct) \
 	__asm__ goto ("test %1,%0;je %l[" #correct "]" : : "r,m" (a), "rmi,ri" (b) : "cc" : correct)
-
-#else
-# error unsupported architecture, should be easy
-#endif
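Review bot: Removing the `#if defined(__x86_64__) || defined(__i386__)` / `#error` guard while the file stays at `sHT/test-arch.h` (the diffstat shows an in-place edit, not a move under `arch/x86/`) means a non-x86 build now gets x86 `cmp`/`test` assembly instead of the previous clear diagnostic. Unless an `arch/<arch>/sHT/test-arch.h` shadows it via the new `-I$(srcdir)/arch/$(CONFIG_ARCH)` include path, which this diff does not show, keep the guard or move the file next to the other x86 headers. Visible on the new side but untouched by the commit, `_sHT_eq_bool` declares no `"cc"` clobber although its `cmp` modifies the flags, unlike every neighbouring macro; ending it with `"rmi,ri" (b) : "cc")` keeps the set consistent. The comment typo `supposedlu` could be fixed in the same pass.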

+ 3 - 15
buffer/append.c

@@ -1,18 +1,6 @@
-/* sHT -- append and iterate a suffix
-   Copyright (C) 2019 Ariadne Devos
-
-   This program is free software: you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation, either version 3 of the License, or
-   (at your option) any later version.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>. */
+// SPDX-License-Identifier: GPL-3.0-or-later
+// Copyright © 2019 Ariadne Devos
+/* sHT -- append and iterate a suffix */
 
 #include <stddef.h>
 #include <sHT/index.h>

+ 0 - 0
buffer/lex.c

