
A longstanding GnuTLS certificate validation botch

Posted Mar 6, 2014 18:02 UTC (Thu) by pizza (subscriber, #46)
In reply to: A longstanding GnuTLS certificate validation botch by zorro
Parent article: A longstanding GnuTLS certificate validation botch

>> This is not remotely simple stuff. It's probably far harder than writing secure code.

> And yet, here we are discussing two critical bugs in supposedly secure C code, both related to error handling and resource cleanup.

Those two statements are not in contradiction. If gnutls were written in C++, the situation would likely have been far worse, with many more (and even more difficult to test) problems lurking under the hood.


A longstanding GnuTLS certificate validation botch

Posted Mar 7, 2014 8:38 UTC (Fri) by zorro (subscriber, #45643)

That's pure speculation. How can you claim there would be many more problems lurking under the hood if gnutls were written in C++? Do you know how many problems there are lurking under the hood now?

A longstanding GnuTLS certificate validation botch

Posted Mar 7, 2014 10:20 UTC (Fri) by smurf (subscriber, #17840)

No, but we do know that C++ code, particularly when it's older, has failure modes which Mr. Stroustrup was unable to even conceive of when he first designed the thing and which C is completely incapable of.

A longstanding GnuTLS certificate validation botch

Posted Mar 7, 2014 10:51 UTC (Fri) by hummassa (subscriber, #307)

> No, but we do know that C++ code, particularly when it's older, has failure modes which Mr. Stroustrup was unable to even conceive of when he first designed the thing and which C is completely incapable of.

Now it seems that you're trolling. Which failure modes are those? The only failure modes I see in C++ are the C-related ones (null pointer dereferencing, buffer overflows, integer overflows and underflows).

A longstanding GnuTLS certificate validation botch

Posted Mar 7, 2014 12:22 UTC (Fri) by nix (subscriber, #2304)

Exception throws from unexpected places, leaving the code in an inconsistent state. (Yes, when properly written the code won't have any such bugs. When properly written, code has no bugs at all...)

A longstanding GnuTLS certificate validation botch

Posted Mar 7, 2014 19:34 UTC (Fri) by hummassa (subscriber, #307)

As someone else commented, the '90s have been over for quite some time now.

> Exception throws from unexpected places

Those, nowadays, call unexpected() instead of "leaving the program in an inconsistent state". unexpected(), left to its own devices, will abort the program.

A longstanding GnuTLS certificate validation botch

Posted Mar 7, 2014 20:37 UTC (Fri) by cesarb (subscriber, #6266)

That's only if you are using exception specifications, which is AFAIK not recommended (except for C++0x's nothrow).

I think what nix meant is: if you are not very careful, you can write code which is not exception-safe. An exception thrown in the middle of that code will lead to inconsistent state. RAII helps a lot, but not everything can easily be expressed in RAII style.

And even if you are very careful, code can have bugs. Exception-safety bugs can be quite hard to see by just reading the code: you have to consider that every line of code within a function could throw an exception. Even apparently innocent code like "a = b + c;" can throw an exception, courtesy of operator overloading.

Contrast this with C, where only function calls can do nonlocal exits, and even then only in the presence of longjmp(). Most functions will not call longjmp() (and if you use it from a signal handler, you deserve to lose). In C, the code flow is much simpler: it's all explicit, and visible by looking at the function's body. Even gcc's cleanup extension does not change that.
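The exception-safety hazard cesarb describes, shown as an added example (not code from the thread or from GnuTLS): a constructed `Big` type whose `operator+` can throw, a ledger whose invariant is that `count` matches the items summed into `total`, and two update functions, one that leaves the ledger inconsistent when the innocent-looking `l.total = l.total + item;` throws, and one that does all throwing work on a local before committing with non-throwing steps.

```cpp
#include <stdexcept>

// Constructed value type whose operator+ can throw, standing in for the
// "a = b + c;" case: an innocent-looking line that unwinds the stack.
struct Big {
    long v;
    Big operator+(const Big& o) const {
        if (o.v < 0) throw std::overflow_error("constructed failure in operator+");
        return Big{v + o.v};
    }
};

// Invariant: count equals the number of items successfully summed into total.
struct Ledger {
    Big total{0};
    int count = 0;
};

// Not exception-safe: count is bumped before the addition that may throw, so a
// throw leaves count == 1 while total is unchanged (inconsistent state).
bool add_unsafe(Ledger& l, const Big& item) {
    try {
        ++l.count;
        l.total = l.total + item;  // may throw via operator overloading
        return true;
    } catch (const std::exception&) {
        return false;
    }
}

// Exception-safe: everything that can throw works on a local first; the
// commit step uses only non-throwing assignments, so l is all-or-nothing.
bool add_safe(Ledger& l, const Big& item) {
    try {
        Big next = l.total + item;  // may throw; l is untouched so far
        l.total = next;             // cannot throw (plain member copy)
        ++l.count;                  // cannot throw
        return true;
    } catch (const std::exception&) {
        return false;
    }
}

// Drives one failing insertion through add() and returns the resulting count;
// a ledger that kept its invariant reports 0, the unsafe one reports 1.
int count_after_failed_add(bool (*add)(Ledger&, const Big&)) {
    Ledger l;
    return add(l, Big{-1}) ? -1 : l.count;  // constructed: negative triggers the throw
}
```

Reading `add_unsafe` line by line gives no hint of the problem; you only see it once you ask, for each statement, "what if this one throws?", which is exactly the review burden cesarb is pointing at.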

A longstanding GnuTLS certificate validation botch

Posted Mar 8, 2014 23:15 UTC (Sat) by nix (subscriber, #2304)

Quite. I'm not saying it's impossible to make it work, obviously it isn't. It's just not at all easy, and it's not obvious when you got it wrong.

I like exceptions, but I'm wary of them in much the same way as I would be of a gun that has a habit of firing spontaneously and exploding when fired. :)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds