In message <[EMAIL PROTECTED]> on Tue, 30 Jul 2002 
10:56:29 EDT, Jeffrey Altman <[EMAIL PROTECTED]> said:

jaltman> 
jaltman> > OK, I don't understand why it needs to be exported - isn't it internal 
jaltman> > to the library? But assuming it does, I prefer the original suggestions 
jaltman> > (i.e. move the declaration of OpenSSLDie()).
jaltman> 
jaltman> It needs to be exported because the function is defined in
jaltman> libeay32.dll and used in ssleay32.dll on Windows.
jaltman> 
jaltman> Now the choices as I see it are:
jaltman> 
jaltman>  . export the function, which I have done in order to get the
jaltman>    code to compile and link on Windows, or
jaltman> 
jaltman>  . remove the call entirely and instead simply have OpenSSL return
jaltman>    an error to the application as is done with other length checks
jaltman> 
jaltman> For example, in ssl_sess.c ssl_get_new_session() the error
jaltman> SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH is returned if tmp >
jaltman> ss->session_id_length.  I don't see why we need to call abort() (via
jaltman> die()) if s->sid_ctx_length > sizeof ss->sid_ctx.

I believe it was done this way because time was too short to explore
what cases one should die at and what cases one should not, including
the ramifications of returning an error instead of using the biggest
cannon available.

The possible threats are serious, and at least in a hopefully short
amount of time, we will look at those die() statements and deal with
them in any way that seems appropriate.  At this moment, it was more
important to kill the possible holes quickly and swiftly rather than 
spend time being kind to the applications.

My 2 cents, others may have a different opinion.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
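
The two policies weighed in this thread, as an added sketch that is not OpenSSL's code and not part of either message: the same oversized `sid_ctx_length` handled once by aborting and once by returning an error. The structures, buffer sizes, `ERR_BAD_LENGTH`, `die_at()` and `try_copy()` are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins (assumptions), not OpenSSL's real structures or sizes. */
#define SID_CTX_MAX 32
#define ERR_BAD_LENGTH (-1)          /* hypothetical error code */
struct ctx  { unsigned int sid_ctx_length; unsigned char sid_ctx[64]; };
struct sess { unsigned int sid_ctx_length; unsigned char sid_ctx[SID_CTX_MAX]; };

/* Fail-stop: report and abort(), so no caller can carry on past the check. */
static void die_at(const char *file, int line, const char *expr)
{
    fprintf(stderr, "%s(%d): internal error, assertion failed: %s\n", file, line, expr);
    abort();
}
#define die(e) ((e) ? (void)0 : die_at(__FILE__, __LINE__, #e))

void copy_sid_ctx_die(struct sess *ss, const struct ctx *s)
{
    die(s->sid_ctx_length <= sizeof ss->sid_ctx);
    memcpy(ss->sid_ctx, s->sid_ctx, s->sid_ctx_length);
    ss->sid_ctx_length = s->sid_ctx_length;
}

/* Error return: refuse the copy and leave *ss untouched; safe only if callers check. */
int copy_sid_ctx_err(struct sess *ss, const struct ctx *s)
{
    if (s->sid_ctx_length > sizeof ss->sid_ctx)
        return ERR_BAD_LENGTH;
    memcpy(ss->sid_ctx, s->sid_ctx, s->sid_ctx_length);
    ss->sid_ctx_length = s->sid_ctx_length;
    return 0;
}

/* Constructed input: a context claiming `len` bytes (len <= 64). Returns the
 * error-return verdict, or -2 if a rejected copy still modified the session. */
int try_copy(unsigned int len)
{
    struct ctx s;
    struct sess ss;
    int rc;
    memset(&s, 0xAB, sizeof s);
    memset(&ss, 0, sizeof ss);
    s.sid_ctx_length = len;
    rc = copy_sid_ctx_err(&ss, &s);
    return (rc != 0 && ss.sid_ctx_length != 0) ? -2 : rc;
}
```

`copy_sid_ctx_die()` ends the process on the same oversized input, which is why it is not exercised by `try_copy()`.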
