On Sun, 12 Feb 2006 23:57:42 -0000, Dave Korn said:

> Then what was EINVAL invented for?

[ Then what was assert invented for? ]

> Really it's never ok for anything, not even games, and any program that
> fails to check error return values is simply not properly coded, full stop.

I agree. But the reality is not that of the text books.

> But abort()-ing in a library is also a big problem, because it
> takes control away from the main executable. That can be a massive
> security vulnerability on Windows. If you can get a SYSTEM-level
> service that

Huh? According to ISO C and POSIX abort raises SIGABRT and the default
action is abnormal *process termination* - if your view is that
process termination takes away control from the main executable I
wonder how a file can control a process (unless the kernel plays
nasty games with on demand paging).

In my limited Windows experience abort() does terminate the process. I
have ported quite a few Unix applications natively to Windows and never
ran into the semantic problems you describe. Anyway, Windows is strange
(atexit lists per DLL and such) but Libgcrypt is not really supported
there.

> ... receive request from client
> ... fail to service it because libgcrypt returns errors..
> .... return error to caller
> ... rather than for it to abort.

Being in an insane state libgcrypt can't assure that this main loop
will continue to run - the stack might already be corrupted. We don't
know and thus assert(!"fubar").

> I'm afraid I consider it instead a weakness in your API design that you
> have no way to indicate an error return from a function that may fail.

By design there can't be any error. If there is an error something
really strange has occurred, like improper chrooting.

> Perhaps libgcrypt could call abort in debug builds and return error codes
> in production builds?

You're joking, right? I am usually quite sure that no attacker has made
it to one of the machines used for debugging. Outside in the Internet
wilderness I should then switch off all protection? That is like
wearing a hard hat in bed and taking it off at the construction site.

Salam-Shalom,

Werner
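The distinction the two messages above argue over, as an added illustration that is not code from this thread or from Libgcrypt: a caller-correctable mistake (bad key length, NULL pointer, uninitialised handle) is reported with an errno-style return, while a violated invariant in state only the library itself writes goes to a fatal path whose default is abort(). The names cipher_ctx, cipher_setkey, cipher_encrypt_block, fatal_hook and CTX_MAGIC are hypothetical, the "cipher" is an XOR stand-in, and the hook exists only so the fatal path can be observed without killing the process.

```c
/* Added example, not Libgcrypt code. All names here are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CTX_MAGIC 0x4C474352u   /* guard word written only by the library */

typedef struct {
    uint32_t magic;              /* CTX_MAGIC once cipher_setkey succeeded */
    size_t keylen;               /* always 16, 24 or 32 after setkey       */
    unsigned char key[32];
} cipher_ctx;

/* Fatal-error hook. NULL means abort(); a demo or test may install a
   recorder to observe the fatal path without terminating the process. */
static void (*fatal_hook)(const char *) = NULL;
static int fatal_count = 0;

static void record_fatal(const char *msg) { (void)msg; fatal_count++; }

static void internal_fatal(const char *msg)
{
    if (fatal_hook) { fatal_hook(msg); return; }
    fprintf(stderr, "fatal internal error: %s\n", msg);
    abort();                     /* SIGABRT: the process ends, not just the call */
}

/* Caller-correctable errors: report them, do not abort. */
int cipher_setkey(cipher_ctx *ctx, const unsigned char *key, size_t keylen)
{
    if (!ctx || !key) return EINVAL;
    if (keylen != 16 && keylen != 24 && keylen != 32) return EINVAL;
    memset(ctx, 0, sizeof *ctx);
    memcpy(ctx->key, key, keylen);
    ctx->keylen = keylen;
    ctx->magic = CTX_MAGIC;
    return 0;
}

/* Stand-in transform (XOR with the key); the point is the error handling. */
int cipher_encrypt_block(cipher_ctx *ctx, unsigned char *buf, size_t len)
{
    if (!ctx || !buf || len == 0) return EINVAL;     /* caller error        */
    if (ctx->magic != CTX_MAGIC) return EINVAL;      /* handle never set up */
    /* magic is intact, so the library itself wrote keylen, and no API call
       can make it anything but 16/24/32. If it is something else, memory
       the library owns has been overwritten and nothing past here is
       trustworthy, so this is not reported to the caller as an error. */
    if (ctx->keylen != 16 && ctx->keylen != 24 && ctx->keylen != 32) {
        internal_fatal("cipher_ctx keylen invariant violated");
        return EIO;              /* reached only if a hook swallowed the fatal */
    }
    for (size_t i = 0; i < len; i++)
        buf[i] ^= ctx->key[i % ctx->keylen];
    return 0;
}

/* Drives the corrupted-state path with the recorder installed and returns
   how many fatal events were raised (one is expected). */
int demo_corrupted_state(void)
{
    cipher_ctx ctx;
    unsigned char key[16] = {0};
    unsigned char block[16] = {0};
    cipher_setkey(&ctx, key, sizeof key);
    ctx.keylen = 7;              /* simulate an overwrite of library-owned state */
    fatal_hook = record_fatal;
    fatal_count = 0;
    int rc = cipher_encrypt_block(&ctx, block, sizeof block);
    fatal_hook = NULL;
    return rc == EIO ? fatal_count : -1;
}

int main(void)
{
    cipher_ctx ctx;
    unsigned char key[16] = {0};
    unsigned char block[16] = "plaintext-block";
    int rc;

    /* 1. Caller error: reported, and the program decides what to do. */
    rc = cipher_setkey(&ctx, key, 7);
    printf("setkey with a 7-byte key: %s\n", strerror(rc));

    /* 2. Normal path. */
    cipher_setkey(&ctx, key, sizeof key);
    rc = cipher_encrypt_block(&ctx, block, sizeof block);
    printf("encrypt: rc=%d\n", rc);

    /* 3. Library-owned state overwritten: with no hook installed the
       default path aborts the process instead of returning. */
    ctx.keylen = 7;
    puts("corrupting ctx.keylen and calling encrypt again (expect SIGABRT)...");
    cipher_encrypt_block(&ctx, block, sizeof block);
    return 0;
}
```

The caller-facing checks and the invariant check are deliberately separate: the first class can be returned because the caller can act on it, the second cannot be trusted to reach a sane caller at all, which is the reasoning behind assert(!"fubar") above.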
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com