-
Notifications
You must be signed in to change notification settings - Fork 461
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reconsider the default mode for LTC_ARGCHK #458
Comments
IIUC you're not using a system-provided ltc, right? why don't you then simply define |
Yes, the trick with The thing is that the It might happen that you have for example a nonce of invalid length (in a really mean scenario it may be a user input) which you pass to some libtomcrypt function ... and ... it will abort the whole program due to LTC_ARGCHK fail. |
Then these cases shouldn't use the macro anymore!? |
I've heard arguments of a similar vein over in OpenSSL space, and there are basically two camps opposing each other:
I'm personally ambivalent... there are cases where an abort makes it much much easier to find a bug 2, but on the other hand, aborting is quite harsh. The method chosen with OpenSSL is that a debug build will do harsh aborts, while a release build just returns with an error indication. This is essentially ARGTYPE=1 and ARGTYPE=4 combined. Footnotes |
Currently by default the LTC_ARGCK calls
abort()
when the check in question fails.Isn't it too strict to literally die (core-dump) when you for example "only" pass an IV of invalid length?
You can probably imagine what does it mean for example when LTC_ARGCHK fails somewhere deep inside my perl bindings (it will cause the whole perl interpreter to crash).
I would prefer to only
return CRYPT_INVALID_ARG
by default (which means using currentARGTYPE == 4
as a default).The text was updated successfully, but these errors were encountered: