In message <[EMAIL PROTECTED]> on Tue, 30 Jul 2002 10:56:29 EDT, Jeffrey Altman <[EMAIL PROTECTED]> said:
jaltman> > OK, I don't understand why it needs to be exported - isn't it internal
jaltman> > to the library? But assuming it does, I prefer the original suggestions
jaltman> > (i.e. move the declaration of OpenSSLDie()).
jaltman>
jaltman> It needs to be exported because the function is defined in
jaltman> libeay32.dll and used in ssleay32.dll on Windows.
jaltman>
jaltman> Now the choices as I see it are:
jaltman>
jaltman>  . export the function, which I have done in order to get the
jaltman>    code to compile and link on Windows, or
jaltman>
jaltman>  . remove the call entirely and instead simply have OpenSSL return
jaltman>    an error to the application as is done with other length checks
jaltman>
jaltman> For example, in ssl_sess.c ssl_get_new_session() the error
jaltman> SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH is returned if tmp >
jaltman> ss->session_id_length. I don't see why we need to call abort() (via
jaltman> die()) if s->sid_ctx_length > sizeof ss->sid_ctx.

I believe it was done this way because time was too short to explore
what cases one should die at and what cases one should not, including
the ramifications of returning an error instead of using the biggest
cannon available. The possible threats are serious, and at least in a
hopefully short amount of time, we will look at those die() statements
and deal with them in any way that seems appropriate.

At this moment, it was more important to kill the possible holes
quickly and swiftly rather than spend time being kind to the
applications.

My 2 cents, others may have a different opinion.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35 BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
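The two policies debated in this message, side by side, as an added example that is not part of the original e-mail and is not OpenSSL code. The struct layouts, `SID_CTX_MAX`, `ERR_SID_CTX_TOO_LONG` and all function names are hypothetical; only the condition `s->sid_ctx_length > sizeof ss->sid_ctx` is taken from the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SID_CTX_MAX 32          /* constructed buffer size for this example */
#define ERR_SID_CTX_TOO_LONG 1  /* hypothetical error code */

/* Hypothetical stand-ins for the connection (s) and session (ss) objects. */
struct conn { unsigned int sid_ctx_length; unsigned char sid_ctx[SID_CTX_MAX]; };
struct sess { unsigned int sid_ctx_length; unsigned char sid_ctx[SID_CTX_MAX]; };

/* Hypothetical die helper: report the failed condition, then abort(). */
static void die_at(const char *file, int line, const char *cond)
{
    fprintf(stderr, "%s(%d): internal error, assertion failed: %s\n",
            file, line, cond);
    abort();
}

/* Policy 1: an oversized length means corrupted state, so stop the process
 * before memcpy() can write past ss->sid_ctx. */
int copy_sid_ctx_or_die(const struct conn *s, struct sess *ss)
{
    if (s->sid_ctx_length > sizeof ss->sid_ctx)
        die_at(__FILE__, __LINE__, "s->sid_ctx_length <= sizeof ss->sid_ctx");
    memcpy(ss->sid_ctx, s->sid_ctx, s->sid_ctx_length);
    ss->sid_ctx_length = s->sid_ctx_length;
    return 1;
}

/* Policy 2: refuse the copy, leave ss untouched, and hand an error code
 * back so the application decides what to do. */
int copy_sid_ctx_or_error(const struct conn *s, struct sess *ss, int *err)
{
    if (s->sid_ctx_length > sizeof ss->sid_ctx) {
        *err = ERR_SID_CTX_TOO_LONG;
        return 0;
    }
    memcpy(ss->sid_ctx, s->sid_ctx, s->sid_ctx_length);
    ss->sid_ctx_length = s->sid_ctx_length;
    *err = 0;
    return 1;
}
```

Both variants stop the out-of-bounds write; they differ only in whether the process survives and whether the caller has to check a return value for the protection to be complete.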