GnuTLS (libgrypt really) and Postfix

Werner Koch wk at gnupg.org
Mon Feb 13 13:43:31 EST 2006


On Sun, 12 Feb 2006 23:57:42 -0000, Dave Korn said:

>   :-) Then what was EINVAL invented for?

[ Then what was assert invented for? ]

>   Really it's never ok for anything, not even games, and any program that 
> fails to check error return values is simply not properly coded, full stop.

I agree. But the reality is not that of the text books.

>   But abort()-ing in a library is also a big problem, because it
> takes control away from the main executable.  That can be a massive
> security vulnerability on Windows.  If you can get a SYSTEM-level
> service that

Huh? According to ISO C and POSIX abort raises SIGABRT and the default
action is abnormal *process termination* - if your view is that
process termination takes away control from the main executable I
wonder how a file can control a process (unless the kernel plays
nasty games with on demand paging).

To my limited Windows experience abort() does terminate the process. I
have ported quite some Unix applications natively to Windows and never
got into the semantic problems you describe.  Anyway, Windows is strange
(atexit lists per DLL and such) but Libgcrypt is not really supported
there.

> ... receive request from client
> ... fail to service it because libgcrypt returns errors..
> .... return error to caller

> ... rather than for it to abort.

Being in an insane state, libgcrypt can't assure that this main loop
will continue to run - the stack might already be corrupted.  We don't
know and thus assert(!"fubar").

>   I'm afraid I consider it instead a weakness in your API design that you 
> have no way to indicate an error return from a function that may fail.

By design there can't be any error.  If there is an error something
really strange has occurred, like improper chrooting.

>   Perhaps libgcrypt could call abort in debug builds and return error codes 
> in production builds?

You're joking, right? I am usually quite sure that no attacker has made
it to one of the machines used for debugging. Outside in the Internet
wilderness I should then switch off all protection?  That is like
wearing a hard hat in bed and taking it off at the construction site.


Salam-Shalom,

   Werner
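The thread above contrasts two ways a library can react to failure: return an errno-style code such as EINVAL so the caller decides, or assert/abort because the library's own state can no longer be trusted. The following C program is an added example written for this page, not code from libgcrypt or from either poster; the `pool_*` functions, the `POOL_MAGIC` marker and the fatal-handler hook are all constructed here to illustrate the distinction. Caller mistakes and resource exhaustion come back as error codes a correctly written caller checks; a corrupted internal header goes through a fatal path that defaults to abort(), and the last demo only survives it because a test handler longjmps out before abort() runs.

```c
#include <errno.h>
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a tiny "secure pool" with two failure classes.
 *  - caller errors / exhaustion -> errno-style return code (recoverable),
 *  - violated internal invariants -> fatal handler, default abort(),
 *    because the library cannot vouch for the process any more. */
#define POOL_MAGIC 0x5EC0DE5Eu

struct pool {
    uint32_t magic;         /* integrity marker, checked on every entry */
    size_t size, used;
    unsigned char *mem;
};

typedef void (*fatal_handler_t)(const char *reason, void *opaque);
static fatal_handler_t g_fatal_handler = NULL;
static void *g_fatal_opaque = NULL;

/* Hypothetical hook: lets the host log or escape before termination. */
void pool_set_fatal_handler(fatal_handler_t fn, void *opaque) {
    g_fatal_handler = fn;
    g_fatal_opaque = opaque;
}

static void pool_fatal(const char *reason) {
    if (g_fatal_handler)
        g_fatal_handler(reason, g_fatal_opaque);  /* may log or longjmp */
    /* If the handler returns, state is still untrusted: terminate. */
    fprintf(stderr, "pool: fatal: %s\n", reason);
    abort();
}

/* Returns 0, or a positive errno value the caller can act on. */
int pool_init(struct pool *p, size_t size) {
    if (p == NULL || size == 0)
        return EINVAL;                 /* caller error: recoverable */
    p->mem = calloc(size, 1);
    if (p->mem == NULL)
        return ENOMEM;
    p->magic = POOL_MAGIC;
    p->size = size;
    p->used = 0;
    return 0;
}

/* Hand out n bytes; *out receives the pointer. */
int pool_alloc(struct pool *p, size_t n, void **out) {
    if (p == NULL || out == NULL || n == 0)
        return EINVAL;
    if (p->magic != POOL_MAGIC)
        pool_fatal("pool header corrupted");       /* never returns */
    if (p->used > p->size)
        pool_fatal("pool accounting inconsistent");
    if (n > p->size - p->used)
        return ENOMEM;                 /* exhausted: caller may retry later */
    *out = p->mem + p->used;
    p->used += n;
    return 0;
}

void pool_destroy(struct pool *p) {
    if (p == NULL || p->magic != POOL_MAGIC)
        return;
    memset(p->mem, 0, p->size);        /* wipe before release */
    free(p->mem);
    p->magic = 0;
    p->mem = NULL;
}

/* Caller discipline: every return value is checked. Returns the code seen
 * for an oversize request (ENOMEM), or -1 if the flow was unexpected. */
int demo_error_codes(void) {
    struct pool p;
    void *a, *b;
    int rc;
    if (pool_init(&p, 64) != 0) return -1;
    if (pool_alloc(&p, 48, &a) != 0) { pool_destroy(&p); return -1; }
    rc = pool_alloc(&p, 32, &b);       /* only 16 bytes left -> ENOMEM */
    pool_destroy(&p);
    return rc;
}

/* Bad argument from the caller: expect EINVAL, not an abort. */
int demo_einval(void) {
    struct pool p;
    void *a;
    if (pool_init(&p, 16) != 0) return -1;
    int rc = pool_alloc(&p, 0, &a);
    pool_destroy(&p);
    return rc;
}

/* Constructed corruption of the library's own header. The test handler
 * longjmps out so the fatal path can be observed instead of abort()ing.
 * Returns 1 if the fatal handler fired, 0 otherwise. */
static jmp_buf g_escape;
static const char *g_fatal_reason = NULL;
static void escape_handler(const char *reason, void *opaque) {
    (void)opaque;
    g_fatal_reason = reason;
    longjmp(g_escape, 1);
}

int demo_corruption_is_fatal(void) {
    struct pool p;
    void *a;
    g_fatal_reason = NULL;
    if (pool_init(&p, 16) != 0) return 0;
    p.magic ^= 0xFFFFFFFFu;            /* simulate a trampled header */
    pool_set_fatal_handler(escape_handler, NULL);
    if (setjmp(g_escape) == 0) {
        pool_alloc(&p, 4, &a);         /* must not return normally */
        pool_set_fatal_handler(NULL, NULL);
        return 0;
    }
    pool_set_fatal_handler(NULL, NULL);
    free(p.mem);                       /* magic is gone, destroy would skip it */
    return g_fatal_reason != NULL;
}

int main(void) {
    printf("oversize request -> %d (ENOMEM=%d)\n", demo_error_codes(), ENOMEM);
    printf("bad argument     -> %d (EINVAL=%d)\n", demo_einval(), EINVAL);
    printf("corrupted header -> fatal handler fired: %d\n", demo_corruption_is_fatal());
    return 0;
}
```

The point of the split is the one Werner makes: an error code is only meaningful if the library can still reason about its own state when it returns it. A caller passing a bad size or exhausting the pool leaves that state intact, so EINVAL/ENOMEM is the right answer; a wrong magic value means something outside the library's control has already gone wrong, and handing control back to a main loop that may be running on a corrupted stack is the riskier choice. The handler hook exists so a host can log, dump state, or (in tests) escape, while still defaulting to termination in production rather than switching the check off.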

