Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: GnuPG: gcrypt

Is invoking exit(2) in a library the right thing to do?

  

 
GnuPG gcrypt RSS feed   Index | Next | Previous | View Threaded


ametzler at downhill

Mar 3, 2007, 2:10 AM

Post #1 of 7 (2545 views)
Permalink
Is invoking exit(2) in a library the right thing to do?
Hej,

currently log_fatal() ends up invoking exit(2). Is this really the
right thing to do? It does not give applications using libgcrypt any
chance to sanely handle fatal errors afaiui, for example by falling
back on non-tls mode.

http://bugs.debian.org/412328

thanks, cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel


Moritz.Schulte at ruhr-uni-bochum

Mar 3, 2007, 2:22 AM

Post #2 of 7 (2437 views)
Permalink
Re: Is invoking exit(2) in a library the right thing to do? [In reply to]
> currently log_fatal() ends up invoking exit(2). Is this really the
> right thing to do? It does not give applications using libgcrypt any
> chance to sanely handle fatal errors afaiui, for example by falling
> back on non-tls mode.

Hmm. The reason for exit is probably that log_fatal should be NEVER
called unless something is REALLY fucked up. Especially in crypto
applications it might be the best thing to do, since a serious bug in
the library (or in the program) should not treated like "oh, well, that
crypto feature is currently not available", but rather like "STOP!".

My guess.

Moritz



_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel


wk at gnupg

Mar 4, 2007, 12:57 PM

Post #3 of 7 (2440 views)
Permalink
Re: Is invoking exit(2) in a library the right thing to do? [In reply to]
On Sat, 3 Mar 2007 11:10, ametzler [at] downhill said:

> currently log_fatal() ends up invoking exit(2). Is this really the
> right thing to do? It does not give applications using libgcrypt any

Yes. It allows application to run an atexit handler. Libgcrypt even
allows to register a dedicated handler: gcry_set_fatalerror_handler.

In any case the process needs to terminate as their is a fatal error
and something is going really wrong. Allow a process to continue is
not a good idea because it allows bugs to lurk around for years
without fixing. Such a bug is an indicator that something more severe
might have gone wrong.


Shalom-Salam,

Werner


_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel


ametzler at downhill

Mar 5, 2007, 10:40 AM

Post #4 of 7 (2444 views)
Permalink
Re: Is invoking exit(2) in a library the right thing to do? [In reply to]
On 2007-03-04 Werner Koch <wk [at] gnupg> wrote:
> On Sat, 3 Mar 2007 11:10, ametzler [at] downhill said:

> > currently log_fatal() ends up invoking exit(2). Is this really the
> > right thing to do? It does not give applications using libgcrypt any

> Yes. It allows application to run an atexit handler. Libgcrypt even
> allows to register a dedicated handler: gcry_set_fatalerror_handler.

> In any case the process needs to terminate as their is a fatal error
> and something is going really wrong. Allow a process to continue is
> not a good idea because it allows bugs to lurk around for years
> without fixing. Such a bug is an indicator that something more severe
> might have gone wrong.


Hmm,

in this specific case (libnns-ldap failing due to missing
/dev/(u)random devices in early boot when connecting to the ldap
server using a ssl protected session.) the only thing actually using
gcrypt directly is gnutls.

Should gnutls have setup an error handler using
gcry_set_fatalerror_handler?

cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel


wk at gnupg

Nov 5, 2007, 6:54 AM

Post #5 of 7 (1703 views)
Permalink
Re: Is invoking exit(2) in a library the right thing to do? [In reply to]
On Mon, 5 Nov 2007 13:37, md [at] Linux said:

> I still do not consider calling exit(2) in a library acceptable under
> any condition.

So you want abort () instead? I consider this a bad option in this case
because exit handlers would not be run.

Given the reluctance of many programmers to properly check error codes
and act accordingly, there is no choice in critical situation than to
terminate the process. It was a design decision of the linux kernel to
always provide a /dev/random and it is a design decision of libgcrypt
not to return bad random number - in any case.

BTW, glibc also calls abort if it detects an internal inconsistency.


Salam-Shalom,

Werner


--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.


_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel


md at Linux

Nov 5, 2007, 7:00 AM

Post #6 of 7 (1702 views)
Permalink
Re: Is invoking exit(2) in a library the right thing to do? [In reply to]
On Nov 05, Werner Koch <wk [at] gnupg> wrote:

> > I still do not consider calling exit(2) in a library acceptable under
> > any condition.
> So you want abort () instead? I consider this a bad option in this case
> because exit handlers would not be run.
I the function to fail with something like an error code.

> Given the reluctance of many programmers to properly check error codes
> and act accordingly, there is no choice in critical situation than to
> terminate the process.
I still disagree.

--
ciao,
Marco
Attachments: signature.asc (0.18 KB)


trs80 at ucc

Nov 15, 2007, 1:55 AM

Post #7 of 7 (1654 views)
Permalink
Re: Is invoking exit(2) in a library the right thing to do? [In reply to]
On Mon, 5 Nov 2007, Marco d'Itri wrote:
> On Nov 05, Werner Koch <wk [at] gnupg> wrote:
>>> I still do not consider calling exit(2) in a library acceptable under
>>> any condition.
>> So you want abort () instead? I consider this a bad option in this case
>> because exit handlers would not be run.
> I the function to fail with something like an error code.
>
>> Given the reluctance of many programmers to properly check error codes
>> and act accordingly, there is no choice in critical situation than to
>> terminate the process.
> I still disagree.

The only way forward I can see from here is to refer the issue to the
Technical Committee. If nobody objects or wants to do it themselves I'll
write up a summary when I have some free time.

--
# TRS-80 trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member http://trs80.ucc.asn.au/ #| what squirrels do best |
[ "There's nobody getting rich writing ]| -- Collect and hide your |
[ software that I know of" -- Bill Gates, 1980 ]\ nuts." -- Acid Reflux #231 /


_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel

GnuPG gcrypt RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.